Planned Fix

CVE-2026-45585

Data Disclosure in Microsoft BitLocker

Summary

YellowKey is a security feature bypass in Microsoft BitLocker that targets the Windows Recovery Environment (WinRE). A crafted FsTx folder on removable media or the EFI partition is replayed during recovery boot; the replay can delete winpeshl.ini and drop the machine into cmd.exe while the BitLocker-protected volume has already been unlocked by the TPM. The public proof of concept requires physical access and can expose files on affected Windows systems until Microsoft ships a fix.

Why Planned Fix?

4/6
No authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Public PoC available
Not a high impact vulnerability

Exploitation Details

Type: Unknown
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes

Impact: Data Disclosure

Bypass BitLocker protection and read files from the encrypted volume without the recovery key.

Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker with physical access prepares a USB stick or EFI partition containing a malicious System Volume Information\FsTx tree and its NTFS transaction logs. They then force the target into Windows Recovery Environment, for example through Shift+Restart and the recovery boot path, or by booting from the prepared media. During recovery, WinRE replays the logs, deletes winpeshl.ini, and falls back to an interactive cmd.exe shell while the BitLocker-protected volume is already unlocked by TPM, letting the attacker browse or copy protected data.

Detection Resources

Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Microsoft
Product: BitLocker
Affected Versions: Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, Windows Server 2025
Description

Microsoft's full-disk encryption feature for Windows that protects data at rest on PCs and servers.

Deployment: Typically internal | Protocol: Local | Ports: (none listed)

Affected Component: Windows Recovery Environment (WinRE) recovery boot flow, especially NTFS transaction-log replay from System Volume Information\FsTx that can delete winpeshl.ini and spawn cmd.exe.

Affected Endpoints (2)
1. System Volume Information\FsTx
2. winpeshl.ini

Enterprise Usage: AI-generated estimate of how likely this vendor/product is deployed in enterprise environments, based on market presence, product type and adoption signals (not exact data; scale: Very Low, Low, Medium, High, Very High).
Vendor Size: Big
Remediation
Workaround
Follow Microsoft's manual WinRE mitigation to stop autofstx.exe from launching from BootExecute, then disable and re-enable WinRE on affected systems. If possible, enforce TPM+PIN and a BIOS/UEFI admin password; disabling WinRE removes the published attack path but breaks local recovery.

Source: msrc.microsoft.com
Patch: Not available
Update: Not available

Threat Intelligence

EPSS Score: 0.1% (probability of exploitation in the next 30 days)
EPSS Percentile: 24% (worse than 24% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules (2)

1. (Other) Alert on creation of System Volume Information\FsTx on removable media or the EFI partition
2. (Other) Alert on winpeshl.ini deletion or unexpected modification inside the WinRE image
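The following PowerShell audit script is an added example; it is not code from the advisory, from Microsoft, or from the tracker that produced this page. It turns the two detection rules above into host-side checks (an FsTx tree on removable drives or the EFI partition, and a missing winpeshl.ini inside the WinRE image) and also reports whether the BootExecute state described in the Workaround section still references autofstx. It assumes an administrator has already mounted winre.wim at the folder passed as -WinReMount (the default C:\WinREMount is a placeholder), the temporary hive name WinREAudit is an arbitrary choice, and the partition GUID used to find the EFI partition is the standard GPT EFI System Partition type.

```powershell
# Added audit script (not from the advisory, Microsoft, or any project on this page).
# Implements the two detection rules listed above and checks whether the BootExecute
# mitigation from the Workaround section has been applied inside a WinRE image.
# Assumptions, labelled here and in the lead-in:
#   - $WinReMount is a folder where an administrator has already mounted winre.wim
#     (for example with Mount-WindowsImage); the default value is a placeholder.
#   - 'WinREAudit' is an arbitrary temporary hive name chosen for this script.
# Run elevated: Get-Partition, reg.exe load and reg.exe unload need administrator rights.

[CmdletBinding()]
param(
    [string]$WinReMount = 'C:\WinREMount'   # placeholder mount point, adjust as needed
)

$EfiGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # standard GPT EFI System Partition type
$findings   = New-Object System.Collections.Generic.List[string]

# --- Rule 1: FsTx tree on removable media or the EFI system partition ---------------
$roots = @()
foreach ($vol in (Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '[A-Z]' })) {
    $roots += [pscustomobject]@{ Label = "removable drive $($vol.DriveLetter):"; Root = "$($vol.DriveLetter):\" }
}
foreach ($part in (Get-Partition | Where-Object { $_.GptType -eq $EfiGptType })) {
    if (-not $part.AccessPaths) {
        # An EFI partition without an access path cannot be scanned from here; mountvol S: /s assigns one.
        $findings.Add("INFO: EFI partition on disk $($part.DiskNumber) has no access path (mountvol S: /s to scan it)")
        continue
    }
    foreach ($ap in $part.AccessPaths) {
        $roots += [pscustomobject]@{ Label = "EFI partition on disk $($part.DiskNumber)"; Root = $ap }
    }
}
foreach ($r in $roots) {
    # String concatenation keeps \\?\Volume{...}\ access paths intact, and
    # [IO.Directory]::Exists returns $false instead of throwing on unreadable paths.
    $fstx = $r.Root.TrimEnd('\') + '\System Volume Information\FsTx'
    if ([System.IO.Directory]::Exists($fstx)) {
        $findings.Add("ALERT: FsTx folder present on $($r.Label) at $fstx")
    } else {
        $findings.Add("OK: no FsTx folder on $($r.Label)")
    }
}

# --- Rule 2: winpeshl.ini must still exist inside the WinRE image -------------------
if (-not (Test-Path -LiteralPath $WinReMount)) {
    $findings.Add("INFO: $WinReMount not found; mount winre.wim there to check winpeshl.ini and BootExecute")
} else {
    $ini = Join-Path $WinReMount 'Windows\System32\winpeshl.ini'
    if (Test-Path -LiteralPath $ini) {
        $findings.Add("OK: winpeshl.ini present at $ini")
    } else {
        # Without winpeshl.ini, WinRE falls back to cmd.exe, the failure mode described above.
        $findings.Add("ALERT: winpeshl.ini missing from $ini")
    }

    # --- Mitigation check: autofstx.exe must no longer be listed in WinRE's BootExecute --
    # The SYSTEM hive is copied to %TEMP% so reg.exe never writes into the mounted image.
    $hiveCopy = Join-Path $env:TEMP 'winre-SYSTEM-audit.hiv'
    Copy-Item -LiteralPath (Join-Path $WinReMount 'Windows\System32\config\SYSTEM') -Destination $hiveCopy -Force
    $null = reg.exe load HKLM\WinREAudit $hiveCopy 2>&1
    if ($LASTEXITCODE -ne 0) {
        $findings.Add("INFO: could not load the WinRE SYSTEM hive copy; run this script elevated")
    } else {
        try {
            $sm = Get-ItemProperty -LiteralPath 'HKLM:\WinREAudit\ControlSet001\Control\Session Manager' -Name BootExecute
            $entries = @($sm.BootExecute)          # REG_MULTI_SZ: one program per entry
            if ($entries -match 'autofstx') {
                $findings.Add("ALERT: BootExecute still launches autofstx: " + ($entries -join '; '))
            } else {
                $findings.Add("OK: BootExecute has no autofstx entry: " + ($entries -join '; '))
            }
        } finally {
            [GC]::Collect()                        # release registry handles before unloading the hive
            $null = reg.exe unload HKLM\WinREAudit 2>&1
            Remove-Item -LiteralPath $hiveCopy -Force -ErrorAction SilentlyContinue
        }
    }
}

$findings   # one line per check; ALERT lines correspond to the two detection rules above
```

Run it from an elevated session on each affected host, or schedule it and forward the ALERT lines to your SIEM. The script only reads; it does not modify the WinRE image or the running system, which is why the SYSTEM hive is copied before reg.exe loads it.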

NVD Data


Description Summary

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.

CVSS Base Score: 6.8 (Medium)

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Physical
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-77 Command Injection
Version From: (not specified) | Version Upto: (not specified)

Affected Software (CPE) (4)

  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

Priority History

Planned Fix (Initial analysis)