
Windows YellowKey Security Feature Bypass Vulnerability Explained

CVE-2026-45585 is a medium-severity Windows security feature bypass flaw affecting BitLocker. Physical access is required, and TPM+PIN users are not at risk.

TL;DR

  • CVE-2026-45585 is a Windows security feature bypass vulnerability publicly known as "YellowKey" affecting BitLocker protections
  • CVSS 6.8 (medium) with physical access required for exploitation
  • Affects Windows 11 24H2, 25H2, 26H1 and Windows Server 2025
  • No confirmed in-the-wild exploitation at time of writing; not listed in CISA KEV
  • TPM+PIN users are not vulnerable; others should apply Microsoft's interim mitigations immediately

What is CVE-2026-45585?

CVE-2026-45585 is a security feature bypass vulnerability in Windows that allows attackers with physical device access to circumvent encryption protections. Publicly referred to as "YellowKey," this flaw was disclosed irresponsibly when a proof of concept was released publicly before Microsoft could issue a patch. The vulnerability is classified under CWE-77 (Command Injection) and carries a medium severity rating. Microsoft has issued interim mitigation guidance while a security update is being developed.

Who is affected?

The following Windows versions contain this vulnerability:

  • Microsoft Windows 11 version 24H2
  • Microsoft Windows 11 version 25H2
  • Microsoft Windows 11 version 26H1
  • Microsoft Windows Server 2025

Organizations using these operating systems without TPM+PIN authentication enabled are potentially at risk, particularly those with mobile workforces or devices that leave secure premises.

How severe is it?

CVE-2026-45585 carries a CVSS 3.1 base score of 6.8, placing it in the medium severity range. The CVSS vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reveals important context about the threat.

Physical access is mandatory for exploitation. An attacker must have hands-on access to the target device, which significantly limits the attack surface compared to network-based vulnerabilities. However, once physical access is obtained, the attack complexity is low, requires no privileges, and needs no user interaction.

The impact ratings are all high across confidentiality, integrity, and availability. This means successful exploitation could result in complete compromise of encrypted data, unauthorized system modifications, and potential data destruction. For organizations with sensitive data on portable devices, this represents a serious risk despite the physical access requirement.

Real-world scenarios where this vulnerability poses the greatest threat include:

  • Stolen laptops during business travel
  • Devices left unattended in hotels or conferences
  • Equipment seized by adversarial actors
  • Lost devices with corporate data

Is it being exploited?

At the time of writing, CVE-2026-45585 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. No confirmed in-the-wild exploitation has been reported.

However, the situation warrants caution. A proof of concept has been publicly released, lowering the barrier for potential attackers. This premature disclosure violated coordinated vulnerability disclosure practices and increases the likelihood of exploitation attempts before a patch becomes available.

Given the public PoC, security teams should treat this as a higher priority than the CVSS score alone might suggest.

How to fix and mitigate it

Microsoft has not yet released a security update for this vulnerability. Apply the following mitigations in priority order:

  1. Enable TPM+PIN authentication for BitLocker on all affected systems. Microsoft confirms this configuration prevents exploitation entirely.

  2. Apply Microsoft's interim mitigations as documented in the official security advisory. These mitigations will not impact service availability.

  3. Monitor for the official security update and deploy immediately upon release. The patch will preserve mitigation behavior, so no rollback is needed.

  4. Implement physical security controls for devices containing sensitive data, especially those used for travel or remote work.

  5. Review device inventory to identify all systems running affected Windows versions.

To enable TPM+PIN via Group Policy:

# Check current BitLocker status (run from an elevated PowerShell session;
# the KeyProtector column shows whether the OS drive uses Tpm or TpmPin)
Get-BitLockerVolume -MountPoint "C:"

# Configure Group Policy path:
# Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
# Enable: "Require additional authentication at startup"
# Set: "Configure TPM startup PIN" to "Require startup PIN with TPM"
# The policy only governs new protectors; existing TPM-only volumes still need a TPM+PIN protector added

For enterprise deployments, use Microsoft Endpoint Manager or your existing configuration management platform to enforce TPM+PIN requirements across the fleet.
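The following script is an added example, not Microsoft's guidance or code from the advisory; it applies the local-policy equivalent of the Group Policy settings above and adds a TPM+PIN protector to the OS drive. It assumes an elevated session, a PIN chosen by the person who will type it at boot, and that the FVE registry values mirror the Group Policy editor choices (an assumption; use domain GPO for fleet-wide enforcement).

```powershell
# Added example (not from the advisory): enforce TPM+PIN on the local OS drive.
# Assumptions: run elevated; -Pin is the PIN the user will enter at startup.
param(
    [Parameter(Mandatory)][securestring]$Pin,
    [string]$MountPoint = 'C:'
)

# Registry form of "Require additional authentication at startup" with
# "Configure TPM startup PIN" = "Require startup PIN with TPM"
# (assumption: 1 = require, matching the GPO editor; a domain GPO overrides this).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

if ($types -contains 'TpmPin') {
    Write-Output "$MountPoint already uses TPM+PIN; nothing to do."
    return
}

# Make sure a recovery password exists before touching the TPM protector, so a
# policy problem or mistyped PIN cannot lock the user out of the volume.
if ($types -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # Escrow the new recovery password (AD/Entra/MDM) per your normal process.
}

# Add the TPM+PIN protector; Windows keeps one TPM-family protector per volume,
# so the TPM-only protector is normally replaced. Remove it explicitly if it survived.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType.ToString() -eq 'Tpm' } |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# Verify the end state before reporting success.
$after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    ForEach-Object { $_.KeyProtectorType.ToString() })
if ($after -contains 'TpmPin' -and $after -notcontains 'Tpm') {
    Write-Output "$MountPoint now requires TPM+PIN at startup: $($after -join ', ')"
} else {
    throw "TPM+PIN enforcement failed on $MountPoint (protectors: $($after -join ', ')); check BitLocker policy and TPM state."
}
```

Reboot once after running it to confirm the PIN prompt appears before any device leaves the premises.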

How to detect exposure

Identify vulnerable systems in your environment using these methods:

Check Windows version:

# Get OS version information (Get-ComputerInfo's WindowsVersion field does not
# carry the release label, so read build and name here)
Get-ComputerInfo | Select-Object OsName, OsBuildNumber, OsVersion

# The release label (24H2, 25H2, 26H1) is the DisplayVersion registry value;
# winver shows the same value but in a dialog, so it is not scriptable
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion

Verify BitLocker protection method:

# List BitLocker key protectors (requires an elevated prompt)
manage-bde -protectors -get C:

# Look for "TPM And PIN" in the output
# Systems showing only "TPM" are potentially vulnerable

Asset inventory queries:

Use your endpoint management solution to query for systems matching affected OS versions without TPM+PIN configured. In Microsoft Defender for Endpoint or similar EDR platforms, create detection rules for devices running Windows 11 24H2/25H2/26H1 or Server 2025.
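The script below is an added example, not code from the advisory or from Microsoft; it combines the version and protector checks above into one exposure report across a list of hosts. It assumes PowerShell remoting is enabled and that the caller is an administrator on each host.

```powershell
# Added example (not from the original advisory): report hosts that run an affected
# release with BitLocker on but no TPM+PIN protector on the OS drive.
# Assumptions: PowerShell remoting is enabled; caller is an admin on each host.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$ReportPath = '.\yellowkey-exposure.csv'
)

# Releases named in the advisory: Windows 11 24H2/25H2/26H1 and Windows Server 2025.
$affectedClient = @('24H2', '25H2', '26H1')

$probe = {
    # Win32_OperatingSystem.Caption names the product; the registry holds the release label.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    $affectedOs = ($caption -like '*Windows 11*' -and $release -in $using:affectedClient) -or
                  ($caption -like '*Server 2025*')

    # Key protectors on the OS volume; TpmPin (or TpmPinStartupKey) is the configuration
    # Microsoft says is not vulnerable, while TPM-only shows up as 'Tpm'.
    $osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $encrypted = $osVol.ProtectionStatus -eq 'On'

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        OS         = $caption
        Release    = $release
        Encrypted  = $encrypted
        Protectors = ($types -join ';')
        Exposed    = $affectedOs -and $encrypted -and -not $hasPin
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction Continue
$results | Sort-Object Exposed -Descending |
    Format-Table Computer, Release, Encrypted, Protectors, Exposed -AutoSize
$results | Export-Csv -NoTypeInformation -Path $ReportPath
```

Hosts that report Encrypted = False are not exposed to this bypass but have no disk encryption at all, which is the larger problem to fix.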

Physical security audit:

Document which affected devices regularly leave your physical security perimeter. Prioritize mitigation deployment for these assets.

Frequently asked questions

What is the YellowKey vulnerability?

YellowKey is a security feature bypass vulnerability in Windows that allows attackers with physical access to potentially compromise BitLocker encryption protections. The proof of concept was publicly released before a patch was available, prompting Microsoft to issue interim mitigation guidance.

Am I protected if I use TPM+PIN for BitLocker?

Yes. Microsoft confirms that systems using TPM+PIN authentication are not vulnerable to this exploit. The additional PIN requirement prevents the attack vector from being successful, making this configuration a recommended mitigation.

Will implementing the mitigations affect my system operations?

No. Microsoft states that implementing the recommended mitigations will not impact service availability or management operations. The mitigations are designed to be non-disruptive while providing protection until a security update is released.

Do I need to undo mitigations after the patch is released?

No. Microsoft confirms the security update will maintain the mitigation behavior once installed. You do not need to revert any configuration changes made to protect against this vulnerability.
