A security researcher known on GitHub as Nightmare-Eclipse has disclosed a severe BitLocker bypass in Windows 11, labeling it "one of the most insane discoveries I ever found." Dubbed YellowKey, this exploit allows attackers to access the contents of an encrypted drive by abusing standard behaviors within the Windows Recovery Environment (WinRE).
While the vulnerability poses a significant threat to device security, it is currently limited to Windows 11 systems. Microsoft has acknowledged the issue, assigning it the identifier CVE-2026-45585, though a full patch remains pending as of this writing.
How the YellowKey Exploit Works
Cybersecurity firm Eclypsium recently detailed the mechanics of the YellowKey vulnerability in a comprehensive blog post. The exploit leverages the Windows Recovery Environment to obtain a command shell with fully unlocked access to drives that the operating system still classifies as encrypted.
In practical terms, the attack vector is surprisingly simple. An attacker would only need:
- A stolen Windows 11 laptop
- A standard USB stick
By booting from the malicious USB, the attacker can bypass the encryption protections that are designed to keep data secure even if the hardware is compromised.
Filesystem Compatibility
One of the most concerning aspects of YellowKey is its broad compatibility with attacker-supplied media. Filesystems that work on the attacker's media include:
- NTFS
- FAT32
- exFAT
This wide range of supported formats removes meaningful constraints on how the payload is staged, making the exploit easier to deploy across various scenarios.
Why Only Windows 11?
Despite the severity of the bypass, there is a critical distinction between Windows 10 and Windows 11 regarding this vulnerability. Eclypsium notes that the issue does not appear to affect Windows 10 because the responsible WinRE component behaves differently in that codebase.
Nightmare-Eclipse has theorized that this bypass might actually be a backdoor rather than a simple bug. They point out that the specific component responsible for the bug is not present anywhere else on the internet except inside the WinRE image.
"The exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue."
Microsoft has not confirmed this backdoor theory, officially classifying the issue as a "security feature bypass vulnerability."
Microsoft’s Response and Mitigation
This week, Microsoft criticized the public sharing of the YellowKey proof of concept, stating that it violates "coordinated vulnerability best practices." While the company has provided mitigation guidance, the core BitLocker bypass remains unpatched.
However, there is a natural mitigation in place: the attack requires physical access to the targeted device. This limitation significantly reduces the risk for the average user, as it prevents remote exploitation.
A Growing List of Windows 11 Security Concerns
YellowKey is not the only security headwind facing Windows 11 this year. Just last month, another researcher warned how the new Recall feature could be leveraged by bad actors to capture sensitive user data. This highlights the ongoing challenges Microsoft faces with integrating complex AI features into the operating system.
Additionally, recent updates to Notepad introduced a remote code execution vulnerability, further adding to the list of security headaches for Windows 11 users. While the YellowKey bypass does not offer remote code execution capabilities, it remains a potent threat for physical attacks.
For now, users should remain vigilant. While the need for physical access offers some protection, the existence of such a profound encryption bypass in Windows 11 underscores the importance of keeping devices secure and updated as Microsoft works toward a definitive fix.