
Microsoft mitigates YellowKey BitLocker bypass, no patch yet

Image: Hooded figure at a multi-screen setup running a cyberattack (credit: Magnific.com/author/dcstudio).
Microsoft released mitigation steps for YellowKey (CVE-2026-45585), a BitLocker bypass that grants physical attackers access to encrypted Windows drives.

Microsoft has released mitigation guidance for YellowKey, the publicly disclosed BitLocker bypass now tracked as CVE-2026-45585, after a working proof of concept was published without coordinated disclosure. No full security update is available yet. The company confirmed it is working on a permanent fix and is urging administrators across affected Windows versions to apply the interim steps immediately.

What the mitigation does

The exploit works by deleting winpeshl.ini via Transactional NTFS (TxF), which causes the WinRE recovery environment to spawn an unrestricted shell instead of loading the standard recovery interface. From there, an attacker with physical access gains full, unencrypted visibility into the drive's contents, requiring no credentials, software installation, or network connection.

Microsoft's mitigation addresses the issue by disabling autofstx.exe, the FsTx Auto Recovery Utility, within the WinRE image. Administrators must mount the WinRE image on each affected device, load the system registry hive, and remove the autofstx.exe entry from the Session Manager's BootExecute value. Microsoft also recommends moving high-risk devices from TPM-only BitLocker to TPM+PIN mode, which makes physical exploitation much more difficult.
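The registry edit described above, written out as an administrator would run it. This is an added example, not Microsoft's published mitigation script and not part of the original article: it follows the same steps (mount the WinRE image, load its SYSTEM hive, drop the autofstx.exe entry from BootExecute, commit). It assumes the mitigation is applied on the affected device itself, that `reagentc /disable` places the active Winre.wim at its documented location under `C:\Windows\System32\Recovery`, and that the BootExecute entry contains the string `autofstx`; the mount directory and temporary hive name are choices made here.

```powershell
#Requires -RunAsAdministrator
# Added example: remove autofstx.exe from the WinRE image's BootExecute list.
# Not Microsoft's script. Run on the affected device from an elevated PowerShell.

$MountDir = 'C:\WinREMount'                           # assumed scratch directory
$HiveName = 'WinRE_SYSTEM'                            # assumed temporary hive name
$WinReWim = 'C:\Windows\System32\Recovery\Winre.wim'  # where reagentc /disable puts the image

function Invoke-Checked([string]$Description, [scriptblock]$Command) {
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed with exit code $LASTEXITCODE" }
}

# 1. Disable WinRE so the image is copied back to the Windows partition for editing.
Invoke-Checked 'reagentc /disable' { reagentc /disable | Out-Null }
if (-not (Test-Path $WinReWim)) { throw "Winre.wim not found at $WinReWim" }

# 2. Mount the image (index 1 is the recovery environment).
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null

try {
    # 3. Load the image's offline SYSTEM hive under a temporary key.
    $hiveFile = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
    Invoke-Checked 'reg load' { reg load "HKLM\$HiveName" $hiveFile | Out-Null }

    try {
        # An offline hive has no CurrentControlSet; resolve it from Select\Current.
        $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
        $smPath  = "HKLM:\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f $current

        # 4. Rewrite BootExecute (REG_MULTI_SZ) without the autofstx.exe entry.
        $before = @((Get-ItemProperty -Path $smPath -Name BootExecute).BootExecute)
        $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })
        if ($before.Count -eq $after.Count) {
            Write-Host 'No autofstx entry present; BootExecute left unchanged.'
        } else {
            Set-ItemProperty -Path $smPath -Name BootExecute -Value ([string[]]$after) -Type MultiString
            Write-Host "BootExecute before: $($before -join ' | ')"
            Write-Host "BootExecute after : $($after  -join ' | ')"
        }

        # Verify the edit before the hive is unloaded.
        $check = @((Get-ItemProperty -Path $smPath -Name BootExecute).BootExecute)
        if ($check -match 'autofstx') { throw 'autofstx entry still present after edit' }
    }
    finally {
        # Release PowerShell's handle on the hive, then unload it.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        Invoke-Checked 'reg unload' { reg unload "HKLM\$HiveName" | Out-Null }
    }

    # 5. Commit the change into Winre.wim.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # On any failure, discard the mounted changes so the image is not left half-edited.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    throw
}

# 6. Re-enable WinRE so the patched image is staged back to the recovery partition.
Invoke-Checked 'reagentc /enable' { reagentc /enable | Out-Null }
reagentc /info
```

Re-running the script is safe: when the entry is already gone it reports that and commits nothing new. The TPM+PIN change the article also recommends is a separate BitLocker protector change (for example via `manage-bde -protectors -add C: -TPMAndPIN`, which prompts for the PIN interactively) and is deliberately not bundled into this script.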

This is a workaround, not a patch. Microsoft has not confirmed when a full update will arrive. Until it does, any machine running an affected Windows version with a USB port and the ability to reboot into recovery mode is a viable target for anyone holding the publicly available exploit code.

Affected systems and what administrators should do now

CVE-2026-45585 carries a CVSS score of 6.8 and requires physical access, but Microsoft rates exploitation as "More Likely" given that the proof of concept is already public. Microsoft's advisory focuses on Windows 11 24H2, 25H2, and 26H1 on x64 systems, along with Windows Server 2025 and Windows Server 2025 Server Core. Windows 10 is not affected because of differences in its WinRE configuration. Public technical analyses also flag Windows Server 2022 as potentially vulnerable under specific deployment conditions via the same WinRE recovery path flaw, though Microsoft has not yet addressed it formally in its advisory.

The researcher behind the exploit, known as Nightmare-Eclipse, released it publicly before Microsoft had issued any guidance. Microsoft called the incident a violation of coordinated vulnerability best practices.

Darryl Linington, 2026-05-21 (Update: 2026-05-21)