Morning Overview

A newly found Windows flaw called ‘YellowKey’ lets attackers unlock BitLocker-encrypted drives — and Microsoft just rushed out an emergency fix

Microsoft broke from its regular monthly patch schedule in late May 2026 to push an emergency fix for a vulnerability that can bypass BitLocker, the full-disk encryption tool built into Windows. The flaw, tracked as CVE-2026-45585 and nicknamed “YellowKey” by security researchers, affects Windows 11 and Windows Server 2025. It carries a CVSS 3.1 base score of 6.8, placing it in the medium-severity range, but the real-world stakes are higher than that number suggests: BitLocker protects entire drives, not individual files, so a successful bypass could expose everything from login credentials to regulated business records.

Out-of-band patches are rare. Microsoft typically reserves them for threats serious enough that waiting for the next Patch Tuesday would leave too many systems exposed for too long. That decision alone tells security teams something important about how Microsoft views this risk.

What the vulnerability record confirms

The National Vulnerability Database, maintained by the National Institute of Standards and Technology, has formally cataloged CVE-2026-45585. The CVSS score of 6.8 was not assigned by an outside researcher. It came from Microsoft itself, acting as the CVE Numbering Authority, which means the company acknowledged the severity before the record went public.

According to the NVD entry’s change history, the affected products are specific and current: Windows 11 versions 24H2, 25H2, and 26H1 on 64-bit hardware, plus Windows Server 2025. That list covers Microsoft’s newest consumer and enterprise releases. Older versions, including Windows 10 and earlier Server editions, do not appear in the affected-product entries.

The score reflects a real but bounded attack surface. A CVSS 6.8 with the vector characteristics listed in the record typically means an attacker needs some form of physical or adjacent access rather than a simple remote exploit. In practical terms, think of a stolen laptop, an unattended workstation, or a malicious insider rather than someone halfway around the world breaking in over the internet.

That distinction matters, but it should not breed complacency. BitLocker exists precisely to protect data when a device falls into the wrong hands. A bypass that works in physical-access scenarios undermines the core promise of the tool.

What is still unknown

The NVD entry does not include a technical description of how the bypass works. Security researchers have circulated the YellowKey label in public discussion, but no official Microsoft advisory or NIST document uses that name. Whether the flaw targets the Trusted Platform Module handshake, the BitLocker recovery key process, or another component of the encryption stack has not been disclosed.

It is also unclear whether anyone has exploited CVE-2026-45585 in real-world attacks. The NVD listing does not flag it as actively exploited, and no public report from Microsoft or any government cybersecurity agency has confirmed in-the-wild incidents. The emergency patch cadence raises the question of whether Microsoft had internal evidence of active targeting, but that inference cannot be verified from available documentation.

No public proof-of-concept or exploit writeup has surfaced either, which limits independent assessment. Researchers cannot yet evaluate how difficult the attack is to execute or whether it could be chained with other vulnerabilities to enable remote exploitation. Those answers will likely emerge as the security community reverse-engineers the patch binary, but that work takes time.

For context, BitLocker bypasses are not unprecedented. At the Chaos Communication Congress in late 2024, a researcher demonstrated how a cheap device could sniff TPM communications on certain older hardware to extract BitLocker keys. That attack required specific hardware configurations and sustained physical access. Whether YellowKey is similar in scope or represents a fundamentally different class of bypass remains an open question.

Who is affected and why it matters

BitLocker ships with Windows Pro, Enterprise, and Education editions, and Microsoft has increasingly enabled it by default on newer devices. Many users do not realize their drives are encrypted because BitLocker runs silently in the background, especially on machines that shipped with Windows preinstalled. That means the pool of affected systems is likely larger than many people assume.

For organizations, the implications extend beyond data exposure. BitLocker is a cornerstone of compliance frameworks that require encryption of data at rest. Healthcare providers subject to HIPAA, financial firms under SEC and FINRA rules, and government contractors bound by CMMC all rely on BitLocker to satisfy regulatory requirements. A confirmed bypass does not just create a security gap; it creates a compliance gap that auditors and regulators will expect to see addressed.

The NVD entry also links to NIST’s National Checklist Program, which provides configuration baselines that agencies and enterprises use to harden Windows deployments. Those baselines have not yet been updated to reflect CVE-2026-45585, so organizations that rely on NIST checklists will need to treat the vendor patch as their primary mitigation for now.

What to do right now

Home users: If you are running Windows 11 24H2 or newer on a 64-bit system, open Settings, navigate to Windows Update, and check for the emergency patch. Install it as soon as it appears. You do not need to know whether BitLocker is active on your device; applying the update addresses the underlying flaw regardless.

Small and midsize businesses: Inventory your Windows 11 and Windows Server 2025 machines. Verify which ones have BitLocker enabled (the manage-bde -status command in an elevated command prompt will show encryption status for each volume). Before applying the patch, confirm that BitLocker recovery keys are backed up to Azure AD, Active Directory, or another secure location. Unexpected boot issues after patching are rare but recoverable only if you have those keys.
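The inventory and key-escrow check described above, as an added PowerShell example that is not part of the original article. It assumes an elevated session on a Windows 11 or Windows Server 2025 host with the BitLocker module available; the KB identifier is a placeholder, because the article does not name the update that fixes CVE-2026-45585.

```powershell
# Added example: pre-patch BitLocker readiness check for one host.
# $PatchKb is a PLACEHOLDER; substitute the KB id from Microsoft's advisory.
$PatchKb = 'KB0000000'

# 1. Encryption and recovery-protector status for every volume.
$report = foreach ($vol in Get-BitLockerVolume) {
    # RecoveryPassword protectors are the ones that must be escrowed before patching.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        Protection         = $vol.ProtectionStatus   # Off means suspended: key held in clear
        EncryptedPercent   = $vol.EncryptionPercentage
        RecoveryProtectors = $recovery.Count
        RecoveryIds        = ($recovery.KeyProtectorId -join ';')
    }
}
$report | Format-Table -AutoSize

# A protected volume with no recovery password cannot be recovered if the update
# trips a TPM measurement change and the machine drops into BitLocker recovery.
$report | Where-Object { $_.Protection -eq 'On' -and $_.RecoveryProtectors -eq 0 } |
    ForEach-Object { Write-Warning "$($_.MountPoint): protected but has NO recovery password protector" }

# 2. Escrow recovery passwords. Backup-BitLockerKeyProtector writes to Active Directory
#    (needs the AD schema and GPO backup setting); on Entra ID (Azure AD) joined devices
#    use BackupToAAD-BitLockerKeyProtector with the same parameters instead.
foreach ($vol in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "Escrowed recovery key $($kp.KeyProtectorId) for $($vol.MountPoint) to AD"
        } catch {
            Write-Warning "AD escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}

# 3. Has the emergency update already landed on this host?
$installed = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($installed) { "Patch $PatchKb installed on $($installed.InstalledOn)" }
else            { "Patch $PatchKb NOT installed; deploy once key escrow above succeeded" }
```

Run it through your remote-management tooling (for example Invoke-Command) against the inventoried hosts and keep the per-volume output as the audit record for the patch rollout.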

Enterprise and government teams: Import CVE-2026-45585 into your vulnerability management platform, correlate it with asset inventories, and prioritize systems that store sensitive or regulated data. Where possible, push the patch through centrally managed update tools like WSUS or Intune to shrink the exposure window. Monitor Microsoft’s Security Response Center and the NVD for updated advisories that may clarify exploitation status or provide additional hardening steps.

How to weigh what comes next

The confirmed facts justify immediate action: a verified CVE, a medium-severity CVSS score assigned by Microsoft itself, a narrow but current list of affected products, and an out-of-band patch that signals the vendor’s own urgency. Everything beyond those facts, including the YellowKey nickname, the specific bypass mechanism, and claims about active exploitation, remains unconfirmed and should be treated accordingly.

That does not mean the unconfirmed details are wrong. It means the responsible move is to patch now, back up recovery keys, and watch official channels for updates rather than reacting to speculation. The security community will almost certainly publish technical analyses of the patch in the coming weeks, and those will clarify how serious the threat really is. Until then, the evidence supports urgency without panic.

*This article was researched with the help of AI, with human editors creating the final content.