CVE-2026-45585
Description
Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BitLocker bypass in Windows Recovery Environment on Windows 11/Server 2022/2025 allows arbitrary shell access via crafted FsTx folder.
Vulnerability
The vulnerability is a security feature bypass in the Windows Recovery Environment (WinRE) component, publicly referred to as "YellowKey". It allows an attacker to execute arbitrary commands on a BitLocker-protected system by placing a specially crafted FsTx folder in the System Volume Information directory of an external USB drive or the EFI partition. The bug is present in Windows 11, Server 2022, and Server 2025; Windows 10 is not affected [1]. The FsTx folder in WinRE contains functionality that triggers the bypass, while the same folder name exists in normal Windows installations without this behavior [1].
Exploitation
An attacker with physical access to the target device can reproduce the exploit by copying the FsTx folder (available in the proof-of-concept repository) to a USB stick formatted with NTFS, FAT32, or exFAT, inside YourUSBStick:\System Volume Information\FsTx. Alternatively, the folder can be placed directly on the EFI partition if the disk is removed and reinserted. The attacker then reboots the system into WinRE by holding SHIFT and clicking Restart. Upon reboot, the attacker must press and hold CTRL; this action spawns a shell with unrestricted access to the BitLocker-encrypted volume [1].
Impact
Upon successful exploitation, the attacker gains a shell with full read and write access to data on the BitLocker-protected volume, bypassing the encryption authentication. This results in a complete compromise of confidentiality and integrity of the protected data, without needing the BitLocker recovery key or user credentials [1].
Mitigation
As of the publication date (2026-05-20), Microsoft has acknowledged the vulnerability and stated that a security update is forthcoming, but no patch has been released. No specific workarounds are provided in the available references. Administrators should monitor the Microsoft Security Response Center for updates and consider restricting physical access to devices or disabling WinRE if feasible until the patch is applied [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585 (nvd; Vendor Advisory, Mitigation)
News mentions (4)
- Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass (SecurityWeek · May 20, 2026)
- Microsoft provides mitigation for “YellowKey” BitLocker bypass flaw (CVE-2026-45585) (Help Net Security · May 20, 2026)
- Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit (The Hacker News · May 20, 2026)
- Microsoft shares mitigation for YellowKey Windows zero-day (BleepingComputer · May 20, 2026)