YellowKey is a zero-day security feature bypass vulnerability publicly disclosed in May 2026 by a researcher operating under the alias Nightmare-Eclipse. The vulnerability affects all editions of Windows 11, Windows Server 2022, and Windows Server 2025 in their default BitLocker configuration, where encryption keys are bound to the TPM without a supplemental PIN. A fully functional proof-of-concept is publicly available, making this a low-barrier threat for any adversary with physical access to a target device, and Microsoft has not issued a patch as of the disclosure date.
The vulnerability resides not in BitLocker's cryptographic implementation but in the Windows Recovery Environment, which automatically unlocks the protected volume before launching its recovery interface. An undocumented NTFS transaction replay utility runs inside WinRE at startup and processes log data from removable media or the EFI system partition. An attacker places a crafted directory structure on a USB drive and boots the target into WinRE: the utility replays those logs, which deletes the configuration file controlling which application WinRE launches, causing the recovery environment to instead drop the attacker into an unrestricted command prompt with the encrypted drive already mounted and fully readable.
The full attack takes under two minutes and requires no special hardware beyond a prepared USB drive. Because WinRE auto-unlocks the BitLocker volume as part of its standard startup sequence, the attacker gains read and write access to all protected data without needing the recovery key or any account credentials. The attack does not succeed against configurations that require a PIN or USB key at boot in addition to the TPM, as those modes prevent WinRE from automatically unlocking the volume. Microsoft's workaround removes the vulnerable component from the WinRE image via a registry change, and administrators can further harden endpoints by enforcing a BitLocker pre-boot PIN, setting a UEFI password, restricting boot device order, or disabling WinRE entirely.
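A read-only audit for the hardening options listed above, added here as an example and not taken from the advisory or from Microsoft: it uses the built-in Get-BitLockerVolume cmdlet and reagentc /info to flag volumes protected by the TPM alone (the configuration the text says WinRE auto-unlocks) and to report whether WinRE is enabled. The protector-type names and the reagentc status line it matches are assumed from standard Windows tooling; the registry key for Microsoft's workaround is not given on this page, so the script only points at it.

```powershell
# Added audit example (not the advisory's own code). Read-only; run elevated
# on the endpoint being checked.
#Requires -RunAsAdministrator

# Protector types that add a pre-boot factor on top of the TPM. The text says
# these configurations stop WinRE from auto-unlocking the volume.
$preBootFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerProtectorSummary {
    foreach ($vol in Get-BitLockerVolume) {
        # Unprotected volumes are a different problem; skip them here.
        if ($vol.ProtectionStatus -ne 'On') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = $types -contains 'Tpm'
        $hasPreBootFactor = @($types | Where-Object { $preBootFactorTypes -contains $_ }).Count -gt 0
        [PSCustomObject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType          # OperatingSystem or Data
            Protectors = ($types -join ',')
            TpmOnly    = ($hasTpm -and -not $hasPreBootFactor)
        }
    }
}

function Test-WinReEnabled {
    # reagentc /info prints a line of the form "Windows RE status: Enabled".
    # Assumption: English-language output; adjust the pattern on other locales.
    $info = & reagentc.exe /info 2>$null
    return (@($info -match 'Windows RE status:\s+Enabled').Count -gt 0)
}

$summary  = @(Get-BitLockerProtectorSummary)
$tpmOnly  = @($summary | Where-Object TpmOnly)
$winReOn  = Test-WinReEnabled

$summary | Format-Table -AutoSize

foreach ($v in $tpmOnly) {
    Write-Warning ("{0} ({1}) uses protectors [{2}]: TPM only, no pre-boot PIN or startup key." -f `
        $v.MountPoint, $v.VolumeType, $v.Protectors)
}
if ($winReOn -and $tpmOnly.Count -gt 0) {
    Write-Warning ("WinRE is enabled and at least one volume is TPM-only. Apply Microsoft's registry " +
                   "workaround, enforce a pre-boot PIN, or run 'reagentc /disable' until WinRE is serviced.")
}
```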
Detections (7)
- winpeshl.ini Modified Outside Trusted WinRE Servicing
- PowerShell Scanning for System Volume Information FsTx Paths
- EFI Partition Write of System Volume Information FsTx Tree
- USB Volume Mount With Immediate SVI FsTx Write Before Reboot
- Cmd.exe Interactive Shell From WinRE Without BitLocker Recovery Prompt
- BitLocker Volume Accessible in WinRE Without Recovery Key Prompt