Microsoft Issues CVE-2026-45585 Workarounds for BitLocker Bypass as YellowKey Patch Remains Under Review
Updated · Computerworld · May 21
Microsoft told customers to apply temporary mitigations for YellowKey, a zero-day flaw that can bypass BitLocker on Windows devices, while it evaluates whether and how to issue a full patch.
Physical access is required to exploit CVE-2026-45585, making device control the main defense; Microsoft and outside experts urged audits, Secure Boot customization, firmware checks and tighter policies for unattended laptops.
A public proof of concept is already available, and experts said attacks may leave little visible evidence unless malware is planted, raising risks for companies with sensitive data stored locally on mobile devices.
Will Dormann said Microsoft's workaround may itself be bypassable, and analysts warned a permanent fix could be slow if the vulnerable behavior is tied to Windows design or manufacturing functions.
Microsoft's fix for the YellowKey flaw is reportedly bypassable. Are official security guides creating a false sense of safety?
BitLocker can be bypassed with a USB stick. Is full-disk encryption no longer a reliable protection for sensitive data?