CVE-2026-45585 ("YellowKey") - BitLocker Security Feature Bypass

  • Writer: Prabhleen Kaur

Microsoft recently disclosed a security feature bypass vulnerability, publicly referred to as YellowKey, that affects certain Windows systems protected by BitLocker drive encryption. The vulnerability became notable after a proof-of-concept (PoC) exploit was publicly released before an official security update was available.


[Illustration: image generated using NanoBanana]

What Does It Target?


YellowKey targets systems that rely on BitLocker encryption configured with TPM-only authentication. In these configurations, the Trusted Platform Module (TPM) automatically releases the disk encryption key during the boot process if platform integrity checks pass. An attacker with physical access to a device may be able to exploit the vulnerability to bypass intended protections and gain access to encrypted data.


Who Is Most at Risk?


Organizations should pay particular attention if they:

  • Use BitLocker with TPM-only protectors.

  • Have employees who frequently travel with corporate laptops.

  • Manage devices that may be lost, stolen, or exposed to unauthorized physical access.

  • Handle sensitive or regulated data requiring strong device-level protection.

Systems configured with TPM + PIN are not vulnerable to the disclosed attack path, according to Microsoft.


Severity and Impact


While exploitation requires physical possession of the device, the potential impact is significant because successful attacks could compromise encrypted data that organizations expect BitLocker to protect. The vulnerability highlights the risks associated with relying solely on TPM-based automatic unlocking for high-value assets.


Mitigation and Patch Status


Microsoft has issued mitigation guidance while a security update is being deployed. Organizations using TPM-only BitLocker configurations should review and implement Microsoft's recommended mitigations, especially for portable devices.

A key mitigation is enabling TPM + PIN authentication, which requires a user-supplied PIN during startup before the TPM releases encryption keys. This additional authentication factor prevents exploitation of the vulnerability.

Microsoft has stated that once the official security update is installed, organizations do not need to remove the implemented mitigations, as the update will maintain the intended security protections.
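The two actions described in this section, identifying TPM-only volumes and moving them to TPM + PIN, can be scripted. The following PowerShell is an added example written for this post, not code from Microsoft or from the post's author. It assumes an elevated PowerShell session on Windows with the built-in BitLocker cmdlets, and that the "Require additional authentication at startup" policy (Group Policy or MDM) already allows a startup PIN; without that policy, the `-TpmAndPinProtector` call is rejected.

```powershell
# Added example (not from the original post). Assumes an elevated session,
# the built-in BitLocker module, and a policy that permits a startup PIN.

function Get-BitLockerProtectorExposure {
    # One row per BitLocker volume; OS volumes that rely on a bare TPM
    # protector with no PIN are flagged as the configuration the post describes.
    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = @($types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey') }).Count -gt 0
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyExposed   = ($vol.VolumeType -eq 'OperatingSystem') -and
                               ('Tpm' -in $types) -and (-not $hasPin)
        }
    }
}

function Convert-ToTpmPinProtector {
    # Replaces the TPM-only protector on a volume with TPM + PIN.
    # A recovery password protector is ensured first so the volume remains
    # recoverable if the PIN is forgotten; escrow it (Backup-BitLockerKeyProtector
    # or BackupToAAD-BitLockerKeyProtector) before rolling this out.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Add the TPM + PIN protector before removing the bare TPM protector, so the
    # volume is never left without a TPM-bound unlock path.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    # Return the resulting protector set for verification.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage (audit first, then remediate the OS volume):
# Get-BitLockerProtectorExposure | Format-Table -AutoSize
# $pin = Read-Host -AsSecureString 'New startup PIN'
# Convert-ToTpmPinProtector -MountPoint 'C:' -Pin $pin
```

Run the audit across the fleet first (for example through your endpoint management tooling) to size the exposure, and treat a `TpmOnlyExposed` value of `True` on a portable device as the priority case. The remediation function deliberately adds the new protector before removing the old one, and it checks for a recovery password so that a mistyped or forgotten PIN does not turn the mitigation into a lockout.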


Key Takeaway


YellowKey serves as a reminder that encryption security depends not only on the encryption technology itself but also on how it is configured. Organizations relying on TPM-only BitLocker deployments should assess their exposure, apply Microsoft's mitigations, and consider TPM + PIN authentication for devices containing sensitive data.


© 2025 Powered and secured by FiveTattva