Microsoft issues mitigation for critical Windows BitLocker zero‑day bypass (CVE‑2026‑45585)
Microsoft disclosed a critical zero‑day vulnerability (CVE‑2026‑45585) in Windows BitLocker that allows an attacker with physical access to bypass full‑disk encryption. The flaw resides in the Windows Recovery Environment (WinRE) and is exploited via a chain dubbed “YellowKey”, which injects a malicious binary into the BootExecute registry key to run before the OS loads, circumventing BitLocker pre‑boot authentication.
The vulnerability affects Windows 11, Windows Server 2022 and Windows Server 2025. No active exploitation has been confirmed and no official patch is available yet. Microsoft provided a manual six‑step mitigation that remediates the WinRE image and recommends moving from a TPM‑only protector to a TPM + PIN configuration for devices. Administrators can apply the mitigation with built‑in commands (reagentc, reg, manage‑bde) or through Intune and Group Policy.
The public release of the YellowKey exploit lowers the barrier for less‑sophisticated attackers, raising concerns for lost or stolen laptops in enterprise environments. Security teams are urged to apply the mitigation and enforce TPM + PIN protection immediately while awaiting a formal update.