PT-2026-42025 · Microsoft · Windows
Morse · Published 2026-05-12 · Updated 2026-06-11 · CVE-2026-45585
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

  • Windows 11 (affected versions not specified)
  • Windows Server 2022 (affected versions not specified)
  • Windows Server 2025 (affected versions not specified)
Description

A security feature bypass in the BitLocker component of Windows, known as YellowKey, allows an attacker with physical access to bypass full-disk encryption and gain unauthorized access to protected data. The issue exploits the Windows Recovery Environment (WinRE) by abusing the System Volume Information\FsTx directory via USB insertion, EFI partition modification, or physical drive replacement. By replaying NTFS transaction logs, an attacker can delete the winpeshl.ini file, forcing WinRE to drop to a command prompt (cmd.exe) while the volume remains transparently decrypted by the TPM. This allows the manage-bde utility to be used to extract the BitLocker recovery key. Systems using TPM-only deployments are the most exposed, whereas those using TPM+PIN are not exploitable.
Recommendations

For Windows 11, Windows Server 2022, and Windows Server 2025, implement the following measures:
  • Transition from TPM-only BitLocker configurations to TPM plus PIN or a Startup Key via Group Policy.
  • Remove autofstx.exe from the WinRE BootExecute configuration.
  • Restrict and harden the Windows Recovery Environment (WinRE).
  • Tighten BIOS and UEFI protections.
  • Enforce strict physical access controls and tamper monitoring for endpoints.
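The first recommendation above is the one with the clearest audit signal: a volume whose protector set is TPM alone, with no PIN or Startup Key, is the exposed configuration the advisory describes. The following PowerShell audit is an added example, not part of the advisory; it assumes an elevated session on a host with the BitLocker module (Get-BitLockerVolume) available, and the function name Test-TpmOnlyVolume is ours.

```powershell
# Added example (not from the advisory): list BitLocker volumes on the local
# machine and flag those that unlock with the TPM alone, the configuration the
# advisory identifies as most exposed to the YellowKey WinRE bypass.
# Assumes: elevated PowerShell, BitLocker module present, Windows 11/Server 2022/2025.

# Protector types that bind the unlock to a second factor beyond the TPM.
$strongTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')

function Test-TpmOnlyVolume {
    # Returns $true when the volume has a TPM protector but none of the
    # TPM+PIN / TPM+StartupKey variants (hypothetical helper name).
    param([Parameter(Mandatory)] $Volume)
    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasTpm    = $types -contains 'Tpm'
    $hasStrong = @($types | Where-Object { $strongTypes -contains $_ }).Count -gt 0
    return ($hasTpm -and -not $hasStrong)
}

$results = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus
        Protectors       = (@($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
        TpmOnly          = Test-TpmOnlyVolume -Volume $_
    }
}
$results | Format-Table -AutoSize

# Exposed volumes are those actively protected but TPM-only. Remediation per the
# advisory is to add a PIN (or Startup Key), e.g.:
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $securePin
# which requires the Group Policy "Require additional authentication at startup"
# (BitLocker Drive Encryption > Operating System Drives) to permit TPM+PIN.
$exposed = @($results | Where-Object { $_.TpmOnly -and "$($_.ProtectionStatus)" -eq 'On' })
if ($exposed.Count -gt 0) {
    Write-Warning ("TPM-only BitLocker volumes found: " + ($exposed.MountPoint -join ', '))
} else {
    Write-Output "No TPM-only BitLocker volumes detected."
}
```

Run it across a fleet through your management tooling and treat any volume reported as TpmOnly with ProtectionStatus On as in scope for the PIN or Startup Key migration.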

Weakness Enumeration

  • Protection Mechanism Failure
  • Command Injection

Related Identifiers

  • BDU:2026-06825
  • CVE-2026-45585

Affected Products

  • Windows