ctipilot.ch

YellowKey BitLocker / WinRE bypass — CVE formally assigned 2026-05-19; MSRC WinRE BootExecute mitigation; no patch

cve · CVE-2026-45585

  • Coverage timeline: 1 (first 2026-05-20 → last 2026-05-20)
  • Briefs: 1 (1 distinct)
  • Sources cited: 8 (7 hosts)
  • Sections touched: 1 (updates)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20
     updates · UPDATE: CVE formally assigned (prior coverage 2026-05-15 had no CVE); MSRC published interim WinRE registry mitigation; remains exploit-code-maturity E:P / RL:W

Where this entity is cited

  • updates (1)

Source distribution

  • bleepingcomputer.com: 2 (25%)
  • msrc.microsoft.com: 1 (12%)
  • security-hub.ncsc.admin.ch: 1 (12%)
  • thehackernews.com: 1 (12%)
  • therecord.media: 1 (12%)
  • theregister.com: 1 (12%)
  • threatlocker.com: 1 (12%)

Related entities

Items in briefs about YellowKey BitLocker / WinRE bypass — CVE formally assigned 2026-05-19; MSRC WinRE BootExecute mitigation; no patch (1)

UPDATE: CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

UPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The MSRC update guide entry, published 2026-05-19, classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated E:P (proof-of-concept) and remediation level RL:W (workaround only).

Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, remove the autofstx.exe entry from the BootExecute registry value inside the WinRE image, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to add a BitLocker PIN or password protector rather than relying on a TPM-only protector. The WinRE registry edit is fragile and is undone by Windows feature updates that re-stage the WinRE image; the PIN/password protector closes the exposure regardless of WinRE state.
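The following PowerShell is an added example for administrators, not code from ctipilot.ch, MSRC or the original brief. It does the two defensive checks the brief implies: it lists BitLocker volumes that are protected by a TPM-only protector, and it inspects (read-only, discarding the mount) whether the WinRE image's BootExecute value still lists autofstx.exe. It then shows how a TPM+PIN protector is added with the built-in BitLocker module. The function names, the mount directory and the sample PIN prompt are this example's own choices; the hive location and the Session Manager key are the standard Windows layout, assumed to apply to the WinRE image as well. Adding a TPM+PIN protector requires Group Policy to permit additional authentication at startup, otherwise the cmdlet fails.

```powershell
# Added example: audit TPM-only BitLocker volumes and the WinRE BootExecute value,
# then add a TPM+PIN protector. Run elevated on Windows 10/11.
#Requires -RunAsAdministrator

function Get-TpmOnlyVolumes {
    # A volume counts as TPM-only when it has a Tpm protector and no
    # TpmPin / TpmPinStartupKey / Password protector. RecoveryPassword is an
    # escrow protector, not an unlock factor, so it does not change the verdict.
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        $_.ProtectionStatus -eq 'On' -and
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' })
    }
}

function Test-WinReBootExecute {
    param([string]$MountPath = "$env:SystemDrive\WinReMount")   # assumed scratch dir
    # Read-only inspection: mount WinRE, load its SYSTEM hive, read BootExecute,
    # then unload and unmount with /discard so nothing in the image changes.
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    & reagentc.exe /mountre /path $MountPath | Out-Null
    try {
        $hive = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
        & reg.exe load HKLM\WinRE $hive | Out-Null
        try {
            # Resolve the active control set instead of assuming ControlSet001.
            $current = (Get-ItemProperty 'HKLM:\WinRE\Select' -Name Current).Current
            $key = "HKLM:\WinRE\ControlSet00$current\Control\Session Manager"
            $entries = @((Get-ItemProperty -Path $key -Name BootExecute).BootExecute)
            [pscustomobject]@{
                BootExecute     = $entries
                AutofstxPresent = [bool]($entries | Where-Object { $_ -match 'autofstx' })
            }
        } finally {
            [gc]::Collect()   # release provider handles so the hive can unload
            & reg.exe unload HKLM\WinRE | Out-Null
        }
    } finally {
        & reagentc.exe /unmountre /path $MountPath /discard | Out-Null
    }
}

function Add-StartupPinProtector {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Adds the durable hardening the brief recommends. Requires the
    # "Require additional authentication at startup" policy to allow TPM+PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
}

# Usage (constructed): audit first, then harden the OS volume if it is TPM-only.
$tpmOnly = Get-TpmOnlyVolumes
$tpmOnly | Select-Object MountPoint, VolumeType,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }

$winre = Test-WinReBootExecute
"autofstx.exe still listed in WinRE BootExecute: $($winre.AutofstxPresent)"

$osVolume = $tpmOnly | Where-Object VolumeType -eq 'OperatingSystem'
if ($osVolume) {
    $pin = Read-Host -AsSecureString 'Enter the startup PIN to add'
    Add-StartupPinProtector -MountPoint $osVolume.MountPoint -Pin $pin
}
```

Run the audit across a fleet before any WinRE edit: devices that already carry a TpmPin or Password protector are not exposed through the TPM-only path, and the BootExecute check tells you which images still need the interim mitigation or have had it reverted by a feature update.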