Security researchers disclosed two Windows zero-day vulnerabilities named YellowKey and GreenPlasma, affecting BitLocker and the Windows CTFMON framework, in a report published on 15 May 2026. The flaws were exposed by a security researcher known as Chaotic Eclipse, also called Nightmare-Eclipse.
YellowKey could allow attackers with physical access to bypass BitLocker protections and gain an unrestricted shell on encrypted volumes via the Windows Recovery Environment (WinRE), by placing specially crafted files in System Volume Information\FsTx on a USB drive or directly in the EFI partition. The researcher states that the vulnerable component exists only inside the WinRE image and not in standard Windows installations; Windows 11 and Windows Server 2022/2025 are affected.
GreenPlasma is a Windows privilege-escalation vulnerability in the CTFMON framework on Windows 11 and Windows Server 2022/2026, with a proof-of-concept exploit that can create arbitrary memory section objects inside directories writable by SYSTEM and abuse trusted paths used by services and kernel drivers to reach SYSTEM-level privileges.
The article notes that in April, three Defender flaws (BlueHammer, RedSun and UnDefend) were disclosed, with BlueHammer later fixed by Microsoft under CVE-2026-33825, while Huntress reported real-world exploitation of all three flaws. Researchers also indicate that public exploit code released by Chaotic Eclipse was used in the observed activity.