Microsoft Rolls Out Mitigations for 'YellowKey' BitLocker Bypass

Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass.

The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode.

Instead of serving the attacker the typical Windows Recovery Environment (WinRE), the exploit spawns a shell, offering access to the underlying partition’s contents, no longer protected by BitLocker’s encryption.

Microsoft’s advisory acknowledges the public exploit and its effects: “A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

In its advisory, the tech giant guides defenders through a multi-stage process that involves mounting the WinRe image on each device, mounting the system registry hive of the image, removing autofstx.exe from the mounted hive, mounting the updated image, and reestablishing BitLocker trust for WinRe.

Microsoft Rolls Out Mitigations for 'YellowKey' BitLocker Bypass

Other newsrooms on this story

Related reading

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585…

Microsoft shares mitigation for YellowKey Windows zero-day

Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation

How To Mitigate The Microsoft Windows BitLocker ‘Angry Hacker’ 0-Day

Windows BitLocker zero-day gives access to protected drives, PoC released

BitLocker sotto attacco: Microsoft spiega come fermare YellowKey