
Windows BitLocker Bypassed in Minutes via WinRE: CVE-2026-45585 (YellowKey) — Apply the June Update

A flaw (CVE-2026-45585, 'YellowKey') abuses the Windows recovery environment WinRE to defeat BitLocker disk encryption and the UEFI/BIOS password in minutes with physical access and one USB stick. It breaks the 'encrypted, so safe' premise for lost or stolen PCs. Microsoft fixed it in the June 2026 update — apply it now.

News

Makoto Horikawa (Backend Engineer / AWS / Django)

2026.06.23 · 7 min read

A flaw has been disclosed that can defeat "BitLocker," the disk encryption built into Windows, on a lost or briefly unattended PC in just a few minutes. It is tracked as CVE-2026-45585 (nicknamed "YellowKey"). In Japan, JVN (JVNVU#90386605) published an advisory on June 23, 2026, and the U.S. CERT/CC tracks it as VU#226679. Microsoft rates it CVSS 6.8, but it is serious because it breaks the assumption that "encrypted means safe."

The stage is the Windows "Recovery Environment (WinRE)." With a single USB stick and physical access, an attacker can boot the PC into WinRE through a crafted path, slip past the administrator check that should be required, and bypass BitLocker encryption and the password set in UEFI/BIOS. A proof-of-concept (PoC) is already public, and Microsoft fixed it in the June 2026 Windows Update (Patch Tuesday). Affected: Windows 10 / 11, Windows Server 2022 / 2025.

CVE: CVE-2026-45585 (YellowKey / JVNVU#90386605)
Affected: Windows 10 / 11, Windows Server 2022 / 2025
Severity: CVSS 6.8 (Microsoft)
What it allows: Bypass of BitLocker encryption and BIOS/UEFI password
Attack conditions: Physical access + USB (not exploitable over the network)
Fix: Apply the June 2026 update + TPM+PIN, etc.

Who is at risk, and what is the damage

This flaw matters when an attacker gets hold of a lost or stolen laptop, or can touch the device during the few minutes its owner steps away. In security, the trick of quietly operating a device while the owner is absent is called an "Evil Maid" attack. It is not "anyone over the network" — physical access to the device is the prerequisite.

From there, the attacker boots the device from a USB stick into the recovery environment and reads the contents of the encrypted disk, and settings protected by a BIOS password, without impersonating the owner. In the researcher's demonstration, all it took was one USB stick, and the key was reconstructed to unlock the disk within minutes.

The real harm is that "we encrypted it, so we're fine" no longer holds. A lost corporate device used to be filed as "contents protected by BitLocker → limited impact." If this flaw succeeds, a single lost or stolen machine can give up stored customer data, design files, and even saved logins to internal systems. For individuals, it means the photos, documents, and passwords on a stolen laptop are at risk despite the encryption. That is why the update and settings review below matter.

Attacks aimed at this "boot-time entrance" have grown lately. We have also covered a flaw that bypasses Secure Boot (the mechanism that only lets a genuine OS start). The very first thing a PC runs is both the foundation of its defenses and an attractive way in for attackers.

What is happening, technically

The key is the Windows Recovery Environment (WinRE), a special boot mode for repairing a Windows that won't start, which comes up through a different path than normal Windows. Per CERT/CC's VU#226679, that alternate boot path into WinRE does not consistently apply the UEFI/BIOS security checks that hold during a normal OS boot, and because the "BootNext" variable that directs boot order is not authenticated, the firmware password can be slipped past.

The BitLocker bypass extends from this. In the published technique, the device is forced into WinRE via a crafted boot option, a missing access-control check is abused to open a command prompt, and the values held by the "TPM" security chip (the PCRs) are read to reconstruct the disk encryption key. A variant that hides in the early-running "BootExecute" mechanism has also been reported. The whole sequence reportedly completes in under two minutes, and the only tool needed is a USB stick.

This is not purely a Windows matter; it also involves how the PC's firmware (UEFI/BIOS) is built. In CERT/CC's coordination, AMI, Insyde, Intel, and Supermicro are listed as fixed or not affected, while GIGABYTE is affected and reportedly judged it a "design trade-off." So after applying the Windows update, it is safest to also check your model's firmware-side status.

Confirmed vs. things to note

✓ Confirmed facts

  • CVE-2026-45585 (YellowKey) bypasses BitLocker / UEFI-BIOS password via WinRE, requiring physical access (CERT/CC / Microsoft)
  • A PoC is public; researcher "Nightmare Eclipse" disclosed it as a zero-day (Help Net Security)
  • Microsoft fixed it in the June 2026 Patch Tuesday. Affected: Windows 10/11, Server 2022/2025

? Things to note

  • No remote exploitation (physical access is required) — but a real threat for lost, stolen, or carried-off devices
  • Firmware-side response varies by vendor (GIGABYTE listed as affected) — check per model

What to do now

The top priority is to apply the June 2026 Windows monthly update. Following Microsoft's update guide (CVE-2026-45585), confirm Windows Update is fully current. Once it is, the flaw itself is closed.

On top of that, settings that strengthen encryption help. Setting BitLocker to "TPM + PIN" (requiring a PIN at boot) means that even if a similar technique appears, an attacker who doesn't know the PIN can't get the key. The pre-patch mitigations Microsoft suggested included temporarily disabling the recovery environment (reagentc /disable from an elevated prompt), requiring administrator authentication at boot, and restricting booting from USB media or the EFI System Partition. If you manage many devices, review the June update's rollout status and revise your lost/stolen-device procedures so they no longer assume "encrypted means safe." Finally, basic device handling — reducing physical carry-off and unattended exposure — reliably blunts this class of attack.
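As an added example (not from the article or from Microsoft), the following read-only PowerShell posture check covers the mitigations listed above on a single machine: whether the OS volume has a TPM+PIN protector, whether WinRE is still enabled, whether the June update is installed, and the Secure Boot state. The KB number is a placeholder; take the real one from Microsoft's CVE-2026-45585 update guide for your build.

```powershell
# Added example: read-only check of the mitigations discussed in the article.
# Run from an elevated PowerShell on the device being audited.
# $PatchKb is a PLACEHOLDER; replace it with the KB from Microsoft's
# CVE-2026-45585 update guide for the installed Windows build.
$PatchKb = 'KBXXXXXXX'
$findings = @()

# 1. BitLocker: the OS volume should be protected and carry a TPM+PIN protector.
$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume -or "$($osVolume.ProtectionStatus)" -ne 'On') {
    $findings += 'BitLocker protection is OFF on the OS volume.'
} else {
    $types = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings += "OS volume protectors are [$($types -join ', ')]; no TPM+PIN protector " +
                     "(add one with Add-BitLockerKeyProtector -TpmAndPinProtector)."
    }
}

# 2. WinRE: reagentc /info prints a line like "Windows RE status: Enabled".
$reLine = (& reagentc.exe /info 2>&1) | Where-Object { $_ -match 'Windows RE status' }
if ($reLine -match 'Enabled') {
    $findings += 'WinRE is enabled; until the June update is installed, ' +
                 'Microsoft listed "reagentc /disable" as a temporary mitigation.'
}

# 3. Patch level: is the June 2026 cumulative update (placeholder KB) present?
if (-not (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)) {
    $findings += "Update $PatchKb not found; install the June 2026 update."
}

# 4. Firmware side: Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS).
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled.' }
} catch {
    $findings += 'Secure Boot state could not be read (legacy BIOS or unsupported platform).'
}

if ($findings.Count -eq 0) {
    'OK: patched, TPM+PIN protector present, Secure Boot on, WinRE reviewed.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script only reports; it changes no protector, recovery-environment or boot setting, so it can be run in a fleet-wide inventory before deciding on the TPM+PIN rollout.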

Summary

CVE-2026-45585 (YellowKey) abuses the Windows recovery environment WinRE to defeat BitLocker disk encryption and the UEFI/BIOS password in minutes, with physical access and a single USB stick. Its CVSS is 6.8, but it cannot be brushed off because it breaks the premise that "encryption keeps a lost or stolen device safe." Microsoft fixed it in the June 2026 Patch Tuesday, so applying that update is the key step.

Also consider moving BitLocker to TPM + PIN and tightening physical device management. Protecting "the very first thing a PC runs" is what makes encryption truly meaningful.
