Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
Briefly

"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'. The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices."
"YellowKey was disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse). It essentially allows placing specially crafted 'FsTx' files on a USB drive or EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access by holding down the CTRL key."
"'If you did everything properly, a shell will spawn with unrestricted access to the BitLocker-protected volume,' the researcher noted in a GitHub post. Redmond noted that successful exploitation could permit an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data."
"To address the risk, the following mitigations have been outlined: Mount the WinRE image on each device. Mount the system registry hive of the mounted WinRE image. Modify BootExecute by removing the 'autofstx.exe' value from Session Manager's BootExecute REG_MULTI_SZ value. Save and unload the registry hive. Unmount and commit the updated WinRE image. Reestablish BitLocker trust for WinRE."
Microsoft has released a mitigation for a BitLocker security feature bypass publicly referred to as YellowKey. The flaw is tracked as CVE-2026-45585 with a CVSS score of 6.8 and affects Windows 11 26H1, 24H2, and 25H2 for x64-based systems, as well as Windows Server 2025 including Server Core installations. An attacker with physical access places specially crafted FsTx files on a USB drive or the EFI partition, reboots the machine into the Windows Recovery Environment (WinRE), and holds the CTRL key to trigger a shell with unrestricted access to the BitLocker-protected system volume, bypassing BitLocker Device Encryption and exposing the encrypted data. The mitigation is applied per device: mount the WinRE image, load its SYSTEM registry hive, remove the autofstx.exe entry from the Session Manager BootExecute REG_MULTI_SZ value, unload the hive, unmount and commit the image, and reestablish BitLocker trust for WinRE.
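One way to script the per-device mitigation summarized above, as an added example that is not code from Microsoft's advisory or from the article: it mounts the WinRE image with reagentc, loads the image's SYSTEM hive with reg.exe, strips the offending entry from BootExecute, commits the image, and then re-registers WinRE. The scratch mount directory, the temporary hive alias, the use of ControlSet001 inside the offline hive, substring matching on "autofstx" (the page gives the value as "autofstx.exe" but not its exact formatting), and reagentc /disable followed by /enable as the trust re-establishment step are assumptions, not details stated on the page.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from the advisory or the article. Applies the WinRE
# BootExecute mitigation on the local device.
# Assumptions (not stated on the page): reagentc /mountre and /unmountre /commit
# mount and commit the WinRE image; the offline hive exposes ControlSet001; any
# BootExecute element containing "autofstx" is the entry to drop; reagentc
# /disable then /enable re-registers WinRE so BitLocker trust is re-established.
$ErrorActionPreference = 'Stop'

$MountDir = 'C:\WinREMount'                    # hypothetical scratch directory
$HiveName = 'WinRE_SYSTEM'                     # temporary alias for the offline hive
$HiveKey  = "HKLM:\$HiveName\ControlSet001\Control\Session Manager"

function Invoke-Native {
    # Runs a native tool and fails the script on a non-zero exit code.
    param([Parameter(Mandatory)][string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Remove-AutoFstxFromBootExecute {
    # Removes every BootExecute element mentioning autofstx from the loaded
    # offline hive and returns before/after lists so the change can be reviewed.
    param([Parameter(Mandatory)][string]$KeyPath)
    $before = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch 'autofstx' })   # case-insensitive
    $changed = ($after.Count -ne $before.Count)
    if ($changed) {
        Set-ItemProperty -Path $KeyPath -Name BootExecute -Value $after -Type MultiString
    }
    [pscustomobject]@{ Before = $before; After = $after; Changed = $changed }
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# 1. Mount the WinRE image registered on this device.
Invoke-Native reagentc @('/mountre', '/path', $MountDir)
$hiveLoaded = $false
$commit     = $false
try {
    # 2. Load the mounted image's SYSTEM hive under a temporary name.
    Invoke-Native reg @('load', "HKLM\$HiveName", "$MountDir\Windows\System32\config\SYSTEM")
    $hiveLoaded = $true

    # 3. Drop the autofstx.exe entry from Session Manager\BootExecute.
    $result = Remove-AutoFstxFromBootExecute -KeyPath $HiveKey
    Write-Host "BootExecute before: $($result.Before -join ' ; ')"
    Write-Host "BootExecute after:  $($result.After  -join ' ; ')"
    $commit = $result.Changed
}
finally {
    # 4. Release PowerShell's handle on the hive, then unload it.
    if ($hiveLoaded) {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        Invoke-Native reg @('unload', "HKLM\$HiveName")
    }
    # 5. Commit the updated image only if something changed; otherwise discard.
    if ($commit) {
        Invoke-Native reagentc @('/unmountre', '/path', $MountDir, '/commit')
    } else {
        Invoke-Native reagentc @('/unmountre', '/path', $MountDir, '/discard')
    }
}

if ($commit) {
    # 6. Re-register WinRE so BitLocker re-establishes trust in the new image
    #    (assumption: disable/enable is the re-registration step).
    Invoke-Native reagentc @('/disable')
    Invoke-Native reagentc @('/enable')
}
reagentc /info   # confirm WinRE is still Enabled and points at the committed image
```

Run it from an elevated session and check `reagentc /info` reports WinRE as Enabled both before and after. The Before/After lines are the audit trail: on a device where BootExecute already lacks the entry the script changes nothing, discards the mount, and skips the re-registration rather than touching a WinRE image it did not modify. The edit is made only in the offline WinRE hive; the live system's own BootExecute is not changed.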
Read at The Hacker News