YellowKey BitLocker WinRE security feature bypass
CVE-2026-45585, publicly referred to as YellowKey, is a Windows BitLocker security feature bypass that affects the Windows Recovery Environment (WinRE) rather than the BitLocker cryptography itself. Public reporting and Microsoft mitigation guidance indicate the issue is rooted in WinRE behavior around the FsTx Auto Recovery Utility (autofstx.exe), which automatically replays crafted NTFS transaction recovery data during recovery boot.

An attacker can stage specially crafted FsTx files on removable media or in the EFI System Partition so that, when the target is booted into WinRE, the replay deletes or alters winpeshl.ini and causes WinRE to launch an unrestricted command shell instead of the normal restricted recovery interface. At that point, on TPM-only BitLocker configurations, the protected volume has already been transparently unlocked by the TPM, giving the attacker access to the decrypted system volume.

Reported affected platforms include Windows 11 24H2, 25H2, and 26H1 on x64 systems and Windows Server 2025; some reporting also states Windows Server 2022 was affected in testing. Microsoft had issued mitigation guidance but, according to the sources tracked here, no security update was yet available at publication time.
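As an added defensive check that is not part of this page or of Microsoft's guidance: a PowerShell audit that flags BitLocker operating-system volumes protected only by a plain TPM protector (no PIN or startup key), the configuration the summary identifies as transparently unlocked in WinRE, and captures the WinRE status for the audit record. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) and an elevated session.

```powershell
# Added audit example (not from the page or from Microsoft). Lists each BitLocker
# volume with its protector types and marks volumes whose only TPM-based protector
# is plain TPM, i.e. no pre-boot PIN or startup key is required before unlock.
# Assumes the BitLocker module is installed and the shell is elevated.

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; normalize to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Any of these protector types requires user-present input at boot.
        $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        $tpmOnly = ($types -contains 'Tpm') -and ($preBoot.Count -eq 0)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus  # On, Off or Unknown
            Protectors       = ($types -join ',')
            TpmOnly          = [bool]$tpmOnly
        }
    }
}

# The bypass runs inside WinRE, so record whether WinRE is enabled and where it lives.
# reagentc /info prints a human-readable status block; capture it as text.
function Get-WinReInfo {
    & reagentc.exe /info 2>&1
}

$audit = Get-TpmOnlyBitLockerVolumes
$audit | Format-Table -AutoSize

$exposed = $audit | Where-Object { $_.TpmOnly -and $_.VolumeType -eq 'OperatingSystem' }
if ($exposed) {
    Write-Warning ("OS volume(s) {0} rely on TPM-only protection; review Microsoft's mitigation guidance for CVE-2026-45585." -f ($exposed.MountPoint -join ', '))
}

Get-WinReInfo
```

Run it on a representative sample of endpoints and feed the TpmOnly column into your asset inventory so exposed hosts can be tracked until a fix ships.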
Exploits
No valid public exploits — Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
Recent activity
49 sources tracked across advisories, community write-ups, and news.
A Windows Recovery Environment (WinRE) BitLocker bypass that abuses NTFS transaction log replay via System Volume Information\FsTx to delete winpeshl.ini and obtain a command shell after TPM-based transparent unlock, enabling access to BitLocker-protected drives with physical access.
A BitLocker security feature bypass in Windows that allows an attacker with physical access to gain a shell with access to a BitLocker-protected volume by abusing the WinRE FsTx Auto Recovery Utility (autofstx.exe).
A Windows BitLocker security feature bypass vulnerability in WinRE that can allow an attacker with physical access to bypass BitLocker device encryption and access encrypted data without user credentials or decryption keys.
A BitLocker security feature bypass vulnerability in Windows that can allow an attacker with physical access to bypass BitLocker device encryption protections and access encrypted data.
A BitLocker security feature bypass vulnerability in Windows that allows attackers with physical access to bypass BitLocker protections and access data. The issue is described as affecting the recovery environment around BitLocker rather than the encryption itself.
A reported zero-day bypass of Windows BitLocker that abuses the Windows Recovery Environment and crafted FsTx recovery files on a USB stick to gain a SYSTEM shell and full volume access without password cracking or a TPM exploit.