Microsoft Mitigates YellowKey BitLocker Bypass (CVE-2026-45585)

Quick one: Microsoft patched a BitLocker bypass flaw, CVE-2026-45585, with a mitigation after a zero-day exploit was disclosed. Defenders should verify that systems are running patched versions and monitor for unusual BitLocker access logs. 🚨🛠


What Happened

Microsoft released a mitigation for a critical BitLocker bypass vulnerability, CVE-2026-45585, following its public disclosure last week. The zero-day flaw, now tracked with a CVSS score of 6.8, allows attackers to bypass BitLocker encryption protections, granting access to protected drives. The vulnerability was described as a "security feature bypass" by Microsoft, which has since issued guidance to mitigate the risk.

The Hacker News reported that the exploit, dubbed "YellowKey," was actively leveraged by threat actors to compromise systems with BitLocker-enabled drives. While Microsoft did not confirm active exploitation, the advisory emphasized the need for immediate patching. BleepingComputer noted that the mitigation involves disabling certain BitLocker features, though the exact steps remain under review.

The vulnerability’s disclosure follows a pattern of similar BitLocker bypasses, including earlier exploits targeting UI Access, as detailed in a Google Project Zero blog post. That research highlighted how attackers could exploit misconfigurations in Windows’ administrator protection mechanisms to bypass security boundaries.


Technical Breakdown

CVE-2026-45585 exploits a flaw in BitLocker’s encryption enforcement, allowing attackers to bypass the encryption layer without needing the recovery key. The exploit leverages a combination of UI Access and administrative privileges to manipulate the system’s trust chain. According to The Hacker News, the attack chain begins with a malicious application that triggers a privileged process, which then accesses encrypted volumes without authentication.

The technical details align with earlier research from Google Project Zero, which identified multiple ways to bypass Windows’ Administrator Protection. One such method involved exploiting UI Access, a feature designed to restrict unauthorized access to privileged processes. The researchers found that attackers could bypass this by manipulating the UI Access token, effectively granting them elevated privileges.

Microsoft’s mitigation for CVE-2026-45585 involves disabling the BitLocker encryption enforcement feature in affected systems. However, the exact configuration changes required are still being finalized. The company also recommends disabling unnecessary BitLocker features, such as the ability to access encrypted drives without the recovery key, to reduce the attack surface.


Attack Chain

The attack chain for CVE-2026-45585 begins with an attacker gaining initial access to a system with BitLocker encryption enabled. Once inside, the attacker leverages the vulnerability to bypass the encryption layer, allowing them to access sensitive data stored on the drive.

The process typically involves the following steps:

  1. Exploit Execution: The attacker runs a malicious payload that triggers the BitLocker bypass flaw.
  2. Privilege Escalation: The exploit grants the attacker elevated privileges, enabling access to encrypted volumes.
  3. Data Extraction: The attacker reads and exfiltrates data from the BitLocker-protected drive without needing the recovery key.

The exploit’s success depends on the target system having BitLocker enabled and the attacker having administrative access. However, the vulnerability’s low CVSS score suggests that the exploit may require specific conditions to be met, such as a compromised admin account or a misconfigured system.


Detection Opportunities

Defenders should monitor BitLocker-related logs for unusual activity, such as unexpected access to encrypted drives or unauthorized process executions. The following detection queries can help identify potential exploitation:

# Check for BitLocker access attempts in Event Viewer
# Note: 4624/4625 are logon success/failure events; the message match is only a coarse filter
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} |
    Where-Object { $_.Message -match 'BitLocker' }

# Sigma rule for suspicious BitLocker access
# (both substrings must be present, so use the |all modifier rather than repeating the key)
title: Suspicious BitLocker Access Attempt
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'bitlocker'
      - 'access'
  condition: selection

Additionally, defenders should check for the presence of the mitigation steps outlined by Microsoft. If the system is not patched, it may still be vulnerable to exploitation.


Defensive Guidance

To mitigate the risk of CVE-2026-45585, defenders should:

  1. Apply the Patch: Ensure all systems running BitLocker are updated to the latest version with the mitigation.
  2. Disable Unnecessary Features: Turn off BitLocker encryption enforcement if it’s not required.
  3. Monitor BitLocker Logs: Use the above detection queries to identify suspicious access attempts.
  4. Restrict Administrative Access: Limit the number of users with administrative privileges to reduce the attack surface.

Microsoft’s advisory also recommends enabling BitLocker’s recovery key protection and storing it securely. This ensures that even if the exploit is used, the attacker cannot access the data without the recovery key.
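An added example (not from the article, Microsoft, or the cited researchers) that covers guidance items 3 and the recovery-key recommendation above: it audits each BitLocker volume for protection state and a RecoveryPassword protector, then summarises recent entries from the BitLocker management log. It assumes the BitLocker PowerShell module is present and the session is elevated.

```powershell
# Added example: audit local BitLocker state and recent BitLocker management events.
# Assumes the BitLocker module (Windows Pro/Enterprise) and an elevated session.

$since = (Get-Date).AddDays(-7)

# 1. Every volume should be fully encrypted, have protection on, and carry a
#    RecoveryPassword protector (the recovery key protection the advisory recommends).
$report = foreach ($v in Get-BitLockerVolume) {
    $hasRecovery = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $issues = @()
    if ($v.ProtectionStatus -ne 'On')         { $issues += 'protection off' }
    if ($v.VolumeStatus -ne 'FullyEncrypted') { $issues += "volume status $($v.VolumeStatus)" }
    if (-not $hasRecovery)                    { $issues += 'no RecoveryPassword protector' }
    [pscustomobject]@{
        Volume     = $v.MountPoint
        Protectors = ($v.KeyProtector.KeyProtectorType -join ',')
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}
$report | Format-Table -AutoSize

# 2. Summarise the BitLocker management log, which records protector and unlock
#    activity, rather than relying on Security logon events alone.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count,
                  @{n = 'Sample';  e = { ($_.Group[0].Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Volumes listed with issues other than "none" should be remediated before treating the host as covered; a sudden change in the event-id mix over the week is worth a closer look.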


What Remains Unclear

While Microsoft has released a mitigation, the exact steps to apply it are still under review. The company has not provided detailed instructions for configuring the patch, leaving some organizations in the dark.

Additionally, the extent of active exploitation remains unclear. While Microsoft acknowledges the vulnerability’s existence, it has not confirmed whether the exploit is being used in the wild. This uncertainty means defenders must assume the worst and take proactive steps to secure their systems.


Sources

  1. https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html
  2. https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04
  3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-08
  4. https://projectzero.google/2026/02/windows-administrator-protection.html
  5. https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -