Microsoft’s June 2026 Patch Tuesday security update, released on June 9 (US time), includes a permanent fix for a high-profile BitLocker bypass vulnerability publicly known as “YellowKey” and officially tracked as CVE-2026-45585. The patch ends weeks of interim mitigation guidance that Microsoft had been providing since the flaw was publicly disclosed without coordinated notification in mid-May.

What Is the YellowKey Vulnerability?

CVE-2026-45585 is a security feature bypass affecting BitLocker, the full-disk encryption technology built into Windows. The vulnerability does not break BitLocker’s underlying cryptography; rather, it exploits trusted behavior within the Windows Recovery Environment (WinRE) that surrounds BitLocker during the pre-boot recovery sequence.

An attacker with physical access to a vulnerable device can place specially crafted Transactional NTFS (TxF) files on a USB drive or an EFI system partition. By rebooting the machine into WinRE, the exploit abuses the autofstx.exe (FsTx Auto Recovery Utility) that is automatically launched during WinRE’s initial startup. Instead of presenting the standard recovery interface, the attack causes WinRE to spawn an unrestricted command shell with full access to the BitLocker-protected volume — without ever needing valid credentials or specialized hardware.

CVE-2026-45585 At a Glance
  • Common Name: YellowKey
  • Type: Security Feature Bypass (BitLocker)
  • CVSS 3.1 Base Score: 6.8 — rated Important (Medium)
  • Attack Vector: Physical access required
  • Microsoft Exploitation Assessment: Exploitation More Likely
  • Proof-of-Concept: Publicly available (released ~May 13, 2026)

Severity and Risk Context

The vulnerability carries a CVSS 3.1 base score of 6.8 (Medium / Important) — not “critical” as sometimes reported — reflecting the fact that an attacker must have hands-on physical access to the target machine. Nevertheless, Microsoft assessed exploitation as “More Likely,” given that working proof-of-concept (PoC) code was publicly released before any patch was available. The confidentiality, integrity, and availability impact ratings are all classified as High, meaning successful exploitation gives an attacker complete access to data on the encrypted system drive.

Crucially, systems configured to use a Trusted Platform Module (TPM) chip combined with a startup PIN are protected from this attack. Devices relying on TPM-only authentication — the default for many Windows 11 installations — remain vulnerable until the June patch is applied.

Affected Windows Versions

CVE-2026-45585 affects the following platforms (x64-based systems):

Affected Products
  • Windows 11 Version 24H2 (x64)
  • Windows 11 Version 25H2 (x64)
  • Windows 11 Version 26H1 (x64)
  • Windows Server 2025
  • Windows Server 2025 (Server Core installation)

Note that the scope extends beyond Windows 11 version 24H2 alone — versions 25H2 and 26H1 are equally affected. Windows 10 is not listed among the impacted versions.

Timeline: From Zero-Day Disclosure to Patch

The vulnerability was publicly disclosed around May 13, 2026, by a security researcher known as “Nightmare Eclipse” (also referred to as “Chaotic Eclipse”), who released PoC exploit code before notifying Microsoft — a move the company characterized as a violation of coordinated vulnerability disclosure best practices. Microsoft formally acknowledged the vulnerability and assigned the CVE identifier on May 19–20, 2026.

Rather than waiting for a full security update, Microsoft published a mitigation script on approximately May 20–21, 2026. The script works by mounting the WinRE image, editing its offline SYSTEM registry hive to remove the autofstx.exe entry from the Session Manager’s BootExecute REG_MULTI_SZ value, and resealing WinRE to preserve BitLocker trust. Microsoft noted the script is designed to exit safely if the entry is already absent.

On June 9, 2026 — Patch Tuesday — Microsoft delivered the permanent security update resolving CVE-2026-45585. The fix was confirmed by Microsoft’s Security Response Center (MSRC) on June 10, 2026.

What to Do Now

Recommended Actions
  • Apply the June 2026 security patch immediately. Organizations and individual users running affected Windows 11 or Windows Server 2025 versions should install the June 9, 2026 update without delay.
  • No need to revert the mitigation script. If you previously ran Microsoft’s interim mitigation script to remove autofstx.exe from WinRE, you do not need to undo those changes. The mitigation remains valid guidance alongside the patch.
  • Consider enabling TPM+PIN. For high-risk environments — especially organizations where devices travel or could be physically accessed by unauthorized parties — switching BitLocker from TPM-only to TPM+PIN mode provides an additional layer of defense.
  • Restrict physical access. Until patched, prioritizing physical security of devices is essential, particularly for portable endpoints handling sensitive data.
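The two checks an administrator most wants after reading the mitigation description and the TPM+PIN recommendation above are (a) whether the OS volume is still TPM-only and (b) whether the WinRE image still launches autofstx.exe from BootExecute. The following audit script is an added example, not Microsoft's mitigation script; it only reads and reports, discarding the mounted WinRE image afterwards. It assumes the BitLocker PowerShell module is available and that $WinReWim points at the Winre.wim location shown by "reagentc /info" (the default path below is a placeholder).

```powershell
#Requires -RunAsAdministrator
# Added audit example (not Microsoft's mitigation script). Read-only: reports the BitLocker
# protector configuration and the offline WinRE BootExecute value, then discards the mount.
param(
    [string]$WinReWim = 'C:\Recovery\WindowsRE\Winre.wim',  # placeholder; take the real path from "reagentc /info"
    [string]$MountDir = "$env:TEMP\winre_audit"
)

function Get-BitLockerProtectorStatus {
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        ProtectionStatus = $os.ProtectionStatus
        Protectors       = ($types -join ', ')
        # TPM present with no TpmPin/TpmPinStartupKey protector is the configuration the advisory calls vulnerable
        TpmOnly          = ($types -contains 'Tpm') -and -not ($types -match '^TpmPin')
    }
}

function Test-WinReBootExecute {
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    try {
        $hive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
        reg load HKLM\WinReAudit $hive | Out-Null
        try {
            # An offline hive has no CurrentControlSet link; ControlSet001 is the set WinRE boots with
            $sm      = Get-ItemProperty 'HKLM:\WinReAudit\ControlSet001\Control\Session Manager'
            $entries = @($sm.BootExecute)          # REG_MULTI_SZ arrives as a string array
            [pscustomobject]@{
                BootExecute     = $entries
                AutofstxPresent = [bool]($entries -match 'autofstx')
            }
        } finally {
            [gc]::Collect()                        # release handles so the hive can unload
            reg unload HKLM\WinReAudit | Out-Null
        }
    } finally {
        # -Discard: nothing written back, so the WinRE image and its BitLocker trust are untouched
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

$bl = Get-BitLockerProtectorStatus
$re = Test-WinReBootExecute
$bl | Format-List
$re | Format-List
if ($bl.TpmOnly)         { Write-Warning 'OS volume is TPM-only; consider TPM+PIN.' }
if ($re.AutofstxPresent) { Write-Warning 'WinRE still runs autofstx.exe at startup; apply the June update or the mitigation.' }
```

Run it from an elevated PowerShell session on the device being audited; both warnings absent means the volume has a PIN-backed protector and the WinRE image no longer lists autofstx.exe.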

Microsoft’s Statement on Disclosure

Microsoft publicly criticized the premature release of the PoC code, stating in its MSRC advisory: “The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices.” The incident is part of a broader wave of Windows zero-day disclosures attributed to the same researcher, who has also published PoC code for other unpatched flaws including a privilege escalation vulnerability dubbed “GreenPlasma.”

The June 2026 Patch Tuesday is the largest in the history of the Patch Tuesday program, addressing 198 CVEs in total — including six zero-days. Administrators are strongly encouraged to prioritize this update cycle given the public availability of exploit code for multiple vulnerabilities.