Security researcher describes freshly uncovered Windows 11 vulnerability as ‘one of the most insane discoveries I ever found.’

A security researcher going by the GitHub handle Nightmare-Eclipse disclosed a potentially nasty BitLocker bypass in Windows 11 earlier this month. Dubbed YellowKey, the exploit allows an attacker to read the contents of a BitLocker-encrypted drive by abusing standard behavior of the Windows Recovery Environment.

Nightmare-Eclipse adds that, as far as their testing is concerned, the vulnerability only appears to be present in Windows 11. The security researcher describes it as “one of the most insane discoveries I ever found.”

This week Microsoft acknowledged the vulnerability, and criticised the public sharing of the YellowKey proof of concept, saying this violates “coordinated vulnerability best practices.” The company has since designated the vulnerability CVE-2026-45585 and provided some mitigation guidance, but the BitLocker bypass remains unpatched at the time of writing. That said, the fact that this attack requires physical access to a targeted device is itself a mitigating factor.

Cybersecurity firm Eclypsium breaks the vulnerability down in a recent blog post, explaining YellowKey works by leveraging the Windows Recovery Environment to “grant a fully unlocked command shell against drives that the operating system continues to treat as encrypted.” In theory, all that would be needed to launch the attack would be “a stolen Windows 11 laptop and a USB stick.”

The company also elaborates that the vulnerability doesn’t appear to be present in Windows 10 because “the responsible WinRE component behaves differently in that codebase.” Beyond that, it adds, “The vulnerable filesystems on the attacker-supplied media include NTFS, FAT32, and exFAT, which removes any meaningful constraint on how the payload is staged.”
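As an added defender-side example (not code from the article, Microsoft, Eclypsium or the researcher), the following PowerShell audit reports the state a Windows administrator would want to know while this bypass is unpatched: which volumes BitLocker is actually protecting, which key protectors they use, and whether the Windows Recovery Environment is enabled on the host. It assumes an elevated session on a Windows edition that ships the BitLocker module, and it parses the English output of `reagentc /info`; the article gives no detail of Microsoft's mitigation guidance, so the script only reports and changes nothing.

```powershell
# Added example, not from the article: read-only audit of BitLocker and WinRE
# state on a Windows 11 host. Assumes an elevated session, the BitLocker
# PowerShell module (Pro/Enterprise), and English reagentc output.
#Requires -RunAsAdministrator

function Get-BitLockerAuditReport {
    # One row per volume: on-disk encryption state, whether protectors are
    # active, cipher in use, and the list of key protector types.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $_.ProtectionStatus    # On means protectors are enforced
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }

    # reagentc /info prints a line such as "Windows RE status: Enabled".
    # The English label is assumed here; adjust the pattern for other locales.
    $reState = 'Unknown'
    foreach ($line in (reagentc /info 2>&1)) {
        if ("$line" -match 'Windows RE status:\s*(\w+)') { $reState = $Matches[1]; break }
    }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OSVersion   = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
        WinREStatus = $reState
        Volumes     = $volumes
    }
}

$report = Get-BitLockerAuditReport
"Host: $($report.Host)  OS: $($report.OSVersion)  WinRE: $($report.WinREStatus)"
$report.Volumes | Format-Table -AutoSize

# Volumes that are encrypted on disk but whose protectors are not enforced
# (for example after a suspended BitLocker) unlock without any secret at all.
$report.Volumes | Where-Object {
    $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -ne 'On'
} | ForEach-Object { Write-Warning "$($_.MountPoint): encrypted but protection is OFF" }

# A bare TPM protector unlocks the OS volume at boot with no user input; the
# article does not say whether a pre-boot PIN affects YellowKey, so this is
# reported for review rather than as a fix.
$report.Volumes | Where-Object {
    ($_.KeyProtectors -split ',') -contains 'Tpm'
} | ForEach-Object { Write-Warning "$($_.MountPoint): TPM-only protector (no PIN or startup key)" }
```

Run it from an elevated PowerShell prompt on each Windows 11 host in scope and keep the output alongside the OS build number, so that once Microsoft ships a fix you can tell which machines still carry the vulnerable configuration.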


Nightmare-Eclipse theorises the bypass is more of a backdoor. “The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image.” They explain, “And what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal Windows installation but without the functionalities that trigger the BitLocker bypass issue.”

Microsoft has not confirmed this theory, referring to the issue as “a security feature bypass vulnerability”. As you might already suspect, it is far from the only vulnerability uncovered in Windows 11 this year. Just last month, another security researcher warned how the new and improved Recall could be leveraged by bad actors. As if I needed another reason to be wary of AI integration.

It’s not just AI features proving a security headache though, with the newest and improv-iest version of Notepad finding itself with a remote code execution vulnerability. At the very least, remote code execution is not something you have to worry about with the YellowKey BitLocker bypass. It’s a slim win, but I’m sure someone at Microsoft will take it.

