A USB drive is all an attacker needs to bypass BitLocker and read every file on your encrypted Windows 11 drive. No password. No recovery key. No special hardware. Just a reboot and a held key.

The exploit is called YellowKey, tracked as CVE-2026-45585, and a working proof-of-concept is already public. Microsoft has confirmed the vulnerability, rated it Important, and published manual mitigation steps while a permanent patch is still in development.
This guide explains how the attack works, who is at risk, and exactly what to do right now to protect your device before a patch arrives.
What Is the YellowKey BitLocker Vulnerability?
YellowKey is a security feature bypass vulnerability. It does not crack BitLocker’s encryption algorithm directly. Instead, it lets an attacker with physical access to a machine reach the encrypted data by abusing the Windows Recovery Environment (WinRE).
A security researcher known as Nightmare Eclipse disclosed the flaw publicly last week and released a working proof-of-concept (PoC) exploit without coordinating with Microsoft first. That public release forced Microsoft to act immediately with mitigation guidance rather than waiting for a scheduled Patch Tuesday fix.
Nightmare Eclipse stated they “could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.” The researcher also says they did it in protest of how Microsoft’s Security Response Center handled disclosures they had submitted previously, including an incident where Microsoft allegedly wiped their MSRC account without explanation.
This is not the researcher’s first time. They previously disclosed BlueHammer (CVE-2026-33825), RedSun, GreenPlasma, and UnDefend, several of which are already being actively exploited in the wild. YellowKey follows the same pattern: a working PoC is now public, so exploitation is a question of when, not if.
YellowKey is a separate issue from the BitLocker vulnerability CVE-2026-27913 that targeted Secure Boot, though both fall under the same category of BitLocker security feature bypasses. If your device is not yet protected against that one, address both together.
CVE-2026-45585 Details
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-45585 |
| Severity | Important |
| CVSS Score | 6.8 (Base) / 6.3 (Temporal) |
| Attack Vector | Physical |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Publicly Disclosed | Yes |
| Exploited in the Wild | No (as of May 20, 2026) |
| Exploitability Assessment | Exploitation More Likely |
| Weakness | CWE-77: Command Injection |
The physical attack vector is the critical detail. An attacker cannot exploit CVE-2026-45585 remotely. They must have hands-on access to the target machine. For corporate laptops, shared workstations, and devices that travel, that is a realistic and immediate threat.
How the YellowKey Attack Works
The attack relies on specially crafted FsTx files placed on a USB drive or the EFI partition of the target device. Here is the full chain:
- The attacker writes the crafted FsTx files to a USB drive or the device’s EFI partition.
- The device reboots into Windows Recovery Environment (WinRE).
- WinRE automatically runs autofstx.exe (the FsTx Auto Recovery Utility) as part of the BootExecute process inside Session Manager.
- autofstx.exe deletes winpeshl.ini inside WinRE, a file that controls which shell launches on startup.
- With winpeshl.ini removed, WinRE falls back to an uncontrolled shell.
- The attacker holds CTRL to trigger that shell.
- The shell runs with unrestricted access to the BitLocker-protected storage volume, with no key required.
Tom’s Hardware confirmed the attack works exactly as described: “The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive.” Researchers also noted that the exploit files disappear from the USB stick after a single use, which raises additional concerns about whether this behavior was intentional.
YellowKey affects Windows 11 and Windows Server 2022 and 2025. Windows 10 is not affected.
Who Is at Risk?
Any Windows 11 device that meets all three conditions below is potentially vulnerable:
- BitLocker is enabled in TPM-only mode (no startup PIN configured).
- A WinRE image is present and enabled on the device.
- An attacker can gain physical access to the machine.
Devices already running TPM+PIN mode are not exploitable through this specific attack chain, because the drive remains locked without the PIN even after the attacker reaches the unrestricted shell.
If your organization manages laptops that employees carry for remote work or travel, apply both mitigations immediately. Do not wait for the patch.
How to Fix CVE-2026-45585 (Microsoft’s Official Mitigations)
Microsoft recommends two independent lines of defense. Apply both.
Fix 1: Remove autofstx.exe from WinRE BootExecute
This fix breaks the attack chain at its root by stopping autofstx.exe from running automatically when WinRE launches. Run all commands from an elevated command prompt (right-click Command Prompt and select Run as administrator).
Step 1: Mount the WinRE image
mkdir C:\mount
reagentc /mountre /path C:\mountStep 2: Load the WinRE system registry hive
reg load HKLM\WinREHive C:\mount\Windows\System32\config\SYSTEMStep 3: Remove the autofstx.exe entry from BootExecute
Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter. Navigate to:
HKLM\WinREHive\ControlSet001\Control\Session ManagerFind the BootExecute value (type: REG_MULTI_SZ). Remove the autofstx.exe line from it. Leave all other entries untouched.
Step 4: Unload the registry hive
reg unload HKLM\WinREHiveStep 5: Unmount and commit the updated WinRE image
reagentc /unmountre /path C:\mount /commitStep 6: Reestablish BitLocker trust for WinRE
reagentc /disable
reagentc /enableThis last step is mandatory. It forces BitLocker to re-establish its trust relationship with the updated WinRE image. Skipping it leaves the trust chain broken.
Fix 2: Switch BitLocker to TPM+PIN Mode
Adding a startup PIN means an attacker must enter the PIN before Windows decrypts the drive at boot. Even if they reach an unrestricted shell through a WinRE exploit, the BitLocker-protected drive stays locked without the PIN.
Before you apply any method below, make sure your BitLocker recovery key is accessible in your Microsoft account. Enabling TPM+PIN changes the boot environment and may trigger a BitLocker recovery prompt on the next restart.
If your device already has BitLocker enabled
If any of the methods below returns the error “Group policy settings do not permit the use of a PIN at startup,” fix the policy first:
Press Win + R, type gpedit.msc, and press Enter. Navigate to:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System DrivesDouble-click Require additional authentication at startup, set it to Enabled, then set Configure TPM startup PIN to Require startup PIN with TPM. Click Apply, then OK.
Now apply the PIN using any of these three methods:
Method 1: PowerShell
Add-BitLockerKeyProtector C: -TpmAndPinProtectorEnter the PIN when prompted, then confirm it.
Method 2: Command Prompt
manage-bde -protectors -add C: -TPMAndPINEnter and confirm your PIN.
Method 3: Control Panel
- Open Control Panel.
- Go to BitLocker Drive Encryption.
- Under Operating System Drive, click Change how drive is unlocked at startup.
- Click Enter a PIN (recommended).
- Enter your PIN, confirm it, and click Set PIN.
If your device is not yet encrypted
Using Microsoft Intune:
- Open the Microsoft Intune admin center.
- Go to Endpoint security > Disk encryption > Create policy.
- Select Windows 10 and later as the platform and BitLocker as the profile.
- Under BitLocker OS drive settings, set Require additional authentication at startup to Enabled.
- Set Configure TPM startup PIN to Require startup PIN with TPM.
- Assign the policy to your target device group and save.
Using Group Policies:
- Press Win + R, type
gpedit.msc, and press Enter. - Navigate to:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives - Double-click Require additional authentication at startup and set it to Enabled.
- Set Configure TPM startup PIN to Require startup PIN with TPM.
- Click Apply, then OK.
- Run the following in an elevated command prompt to apply the policy immediately:
gpupdate /forceWhen Will Microsoft Release a Patch for CVE-2026-45585?
Microsoft has not released a security update for CVE-2026-45585 yet. The advisory confirms a patch is in development, but no release date is set. Watch for it in an upcoming Patch Tuesday or out-of-band update, similar to how Microsoft handled the Windows Server emergency patch that followed critical disclosure earlier this year.
Once a security update is available, install it even if you have already applied both mitigations above. The mitigations reduce exposure but the patch is the complete resolution.
If Windows asks for your recovery key after you switch to TPM+PIN mode, that is expected behavior. The BitLocker recovery key prompt on every boot article walks through the fix if that keeps happening after your first restart.
Frequently Asked Questions
Does the YellowKey exploit work remotely?
No. CVE-2026-45585 requires physical access to the target device. An attacker cannot exploit it over a network.
Is my device safe if BitLocker already uses TPM+PIN mode?
Yes. The attack only works against TPM-only configurations. Devices already using a startup PIN are not vulnerable to this specific exploit chain.
Has Microsoft released a patch for CVE-2026-45585?
Not yet. Microsoft confirmed a security update is in development but has not shared a release date. Apply the manual mitigations now and install the patch as soon as it lands.
Will adding a BitLocker startup PIN affect daily Windows usage?
Only at boot. You enter the PIN once before Windows loads. Everything after login works exactly as it did before.
What should I do if Windows asks for a BitLocker recovery key after applying the mitigations?
That is expected when your boot environment changes. Make sure you save the recovery key to your Microsoft account or a secure location before you apply the mitigations so you can enter it if prompted.
What is autofstx.exe?
It is the FsTx Auto Recovery Utility, a component that runs automatically inside WinRE during the BootExecute phase. YellowKey abuses this utility to delete winpeshl.ini and gain an unrestricted shell with access to the encrypted drive. Removing it from BootExecute in the WinRE image blocks the attack chain entirely.
Does this affect Windows 10?
No. YellowKey only affects Windows 11 and Windows Server 2022 and 2025. Windows 10 is not vulnerable.
