MICROSOFT has acknowledged a BitLocker bypass flaw, tracked as CVE-2026-45585 with a CVSS score of 6.8, and has issued mitigations rather than a patch. The vulnerability, known as YellowKey, affects Windows 11 versions 24H2, 25H2 and 26H1 on x64, as well as Windows Server 2025 in both standard and Server Core installations, and it requires physical access to the target.
According to the MSRC advisory, a proof of concept has been made public, and Microsoft condemns the release of working exploit code outside coordinated disclosure. The mitigation is a manual procedure rather than a patch: mount the WinRE image, load its SYSTEM registry hive, remove autofstx[.]exe from the BootExecute value so that FsTx no longer runs at boot, then commit the modified WinRE image and re-establish BitLocker trust in it.
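The procedure above, scripted as an added example for this article (it is not Microsoft's published mitigation script). It assumes a scratch mount directory and temporary hive name of its own choosing, reads the offline hive's Select\Default value to pick the right control set, and treats suspending BitLocker before the change and resuming it afterwards as the "re-establish trust" step; that last interpretation is an assumption. Run it from an elevated PowerShell session on an affected machine.

```powershell
# Added example, not Microsoft's own script. Removes the autofstx.exe entry
# from the WinRE image's BootExecute value, as the YellowKey guidance describes.
# $MountDir and $HiveName are arbitrary choices for this example.
#Requires -RunAsAdministrator

$MountDir = 'C:\WinREMount'     # assumed scratch mount point for winre.wim
$HiveName = 'WinRE_SYSTEM'      # assumed temporary name for the offline hive
$OsVolume = 'C:'

try {
    # 1. Suspend BitLocker so the WinRE change does not trip recovery on the next
    #    boot (assumption: this is the suspend/resume "trust" step in the guidance).
    Suspend-BitLocker -MountPoint $OsVolume -RebootCount 0 | Out-Null

    # 2. Mount the WinRE image read-write.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    reagentc /mountre /path $MountDir
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }

    # 3. Load the offline SYSTEM hive. Offline hives have no CurrentControlSet,
    #    so resolve the default control set from the Select key.
    reg load "HKLM\$HiveName" "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
    $cs    = (Get-ItemProperty -Path "HKLM:\$HiveName\Select").Default
    $SmKey = "HKLM:\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f $cs

    # 4. Filter the autofstx entry out of the REG_MULTI_SZ BootExecute value.
    $before = @((Get-ItemProperty -Path $SmKey -Name BootExecute).BootExecute)
    $after  = @($before | Where-Object { $_ -notmatch '(?i)autofstx' })
    Write-Host "BootExecute before: $($before -join ' | ')"
    Write-Host "BootExecute after : $($after  -join ' | ')"
    if ($after.Count -eq $before.Count) {
        Write-Warning 'No autofstx entry found; the image may already be mitigated.'
    } else {
        Set-ItemProperty -Path $SmKey -Name BootExecute -Value $after -Type MultiString
    }
}
finally {
    # 5. Always unload the hive and commit the image, so a failure part-way
    #    through never leaves WinRE mounted or BitLocker suspended.
    [gc]::Collect()                          # drop PowerShell's handle on the hive
    reg unload "HKLM\$HiveName" | Out-Null
    reagentc /unmountre /path $MountDir /commit
    Resume-BitLocker -MountPoint $OsVolume | Out-Null
}

# Verification: WinRE still registered and enabled, BitLocker protection back on.
reagentc /info
Get-BitLockerVolume -MountPoint $OsVolume | Select-Object ProtectionStatus, VolumeStatus
```

If the script aborts after step 2, the finally block still commits the image; use `reagentc /unmountre /path C:\WinREMount /discard` by hand instead if you would rather throw the half-edited image away. Check `reagentc /info` afterwards: a WinRE status of Disabled means the re-registration did not take.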
Microsoft also recommends moving from TPM-only to TPM+PIN protectors to close off the attack path further. The guidance varies by device state, with options to enable the “Require additional authentication at startup” policy via Intune or Group Policy and to configure a TPM startup PIN accordingly. Because YellowKey requires physical access, its real-world impact is limited in many enterprise scenarios, but it remains a relevant risk for unattended devices and stolen hardware.
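The TPM+PIN move, as an added example for this article rather than Microsoft's guidance text. It sets the local registry equivalent of the “Require additional authentication at startup” policy (the FVE policy values that Group Policy and Intune write), then swaps the OS volume's TPM-only protector for a TPM+PIN one and checks the result. The policy value names and meanings are standard BitLocker policy; the volume letter and the interactive PIN prompt are assumptions. On an Intune- or domain-managed device, set the policy centrally instead of writing these keys by hand, or the next policy refresh may overwrite them.

```powershell
# Added example, not Microsoft's script. Requires an elevated session.
#Requires -RunAsAdministrator

$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # BitLocker policy key used by GPO/MDM
$Vol = 'C:'                                        # assumed OS volume

# 1. Policy: UseAdvancedStartup=1 turns the setting on. For each protector type,
#    0 = do not allow, 1 = require, 2 = allow. Disallow bare TPM, require TPM+PIN.
New-Item -Path $Fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0
    UseTPM             = 0
    UseTPMPIN          = 1
    UseTPMKey          = 0
    UseTPMKeyPIN       = 0
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $Fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. Inspect the current protector set.
$bv = Get-BitLockerVolume -MountPoint $Vol
$bv.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId

if ($bv.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Host 'TPM+PIN protector already present.'
} else {
    # 3. Add TPM+PIN before touching the TPM-only protector so the volume is never
    #    left without a TPM-bound protector; leave the RecoveryPassword alone.
    $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $Vol -TpmAndPinProtector -Pin $pin | Out-Null

    # Remove any bare Tpm protector that is still present after the add.
    Get-BitLockerVolume -MountPoint $Vol |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $Vol -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# 4. Verify: TpmPin present, no bare Tpm protector, recovery password still escrowed.
$types = (Get-BitLockerVolume -MountPoint $Vol).KeyProtector.KeyProtectorType
if ($types -contains 'TpmPin' -and $types -notcontains 'Tpm' -and $types -contains 'RecoveryPassword') {
    Write-Host "OK: $Vol now requires TPM+PIN at startup."
} else {
    Write-Warning "Unexpected protector set on ${Vol}: $($types -join ', ')"
}
```

The policy must be in place before the protector is added, because BitLocker refuses a protector type the policy disallows. Confirm the recovery password is backed up (Active Directory, Entra ID or your key escrow) before removing the TPM-only protector, since a mistyped PIN is now the only path to recovery on an unattended reboot.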