CVE-2026-45585 Overview
CVE-2026-45585 is a Windows security feature bypass vulnerability publicly tracked as "YellowKey". Microsoft acknowledges the issue and notes that a public proof of concept was released without coordinated disclosure. The advisory is being used to provide mitigation guidance until a security update is available. The vulnerability requires physical access to the target system and can compromise confidentiality, integrity, and availability if exploited. It affects current Windows 11 client builds and Windows Server 2025.
Critical Impact
An attacker with physical access can bypass a Windows security feature, leading to high impact on confidentiality, integrity, and availability on affected hosts.
Affected Products
- Microsoft Windows 11 24H2 (x64)
- Microsoft Windows 11 25H2 (x64)
- Microsoft Windows 11 26H1 (x64)
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-05-20 - CVE-2026-45585 published to the National Vulnerability Database
- 2026-05-20 - Microsoft issues advisory with mitigation guidance, citing public proof of concept
- 2026-05-20 - Last updated in the NVD database
Technical Details for CVE-2026-45585
Vulnerability Analysis
The issue is a security feature bypass in Microsoft Windows referenced publicly as "YellowKey". Microsoft classifies the underlying weakness under [CWE-77] (Improper Neutralization of Special Elements used in a Command). The vulnerability requires the attacker to be physically present at the device and does not require prior authentication or user interaction. Successful exploitation undermines a Windows security boundary, allowing the attacker to influence protected operations on the host.
Microsoft has not yet published a patch. The vendor advisory provides interim mitigation guidance because a proof of concept was released publicly before a coordinated fix was available. The Exploit Prediction Scoring System currently rates the likelihood of near-term exploitation as low, but the public PoC raises operational risk for unattended or kiosk-style endpoints.
Root Cause
The root cause is rooted in improper neutralization of special elements within a command path handled by a Windows component. This allows an attacker with local physical access to manipulate input that the operating system trusts when enforcing a security feature, bypassing the protection. Microsoft has not published low-level technical details pending the patch release.
Attack Vector
Exploitation requires physical access (AV:P) with low complexity and no privileges. An attacker interacts directly with the device — for example, at a locked workstation, kiosk, or laptop — to invoke the affected component and bypass the targeted security feature. The public "YellowKey" proof of concept on GitHub demonstrates the technique. See the Microsoft CVE-2026-45585 Advisory and the GitHub YellowKey Repository for vendor and public references.
Detection Methods for CVE-2026-45585
Indicators of Compromise
- Unexpected logon or unlock events on devices left unattended in public or shared spaces.
- Presence of the public YellowKey tooling, scripts, or related binaries on endpoints.
- Security feature state changes (for example, BitLocker, Credential Guard, or lock screen policies) without a corresponding administrative change ticket.
Detection Strategies
- Monitor Windows event logs for anomalous interactive logons, screen unlocks, and account changes on devices outside normal working hours.
- Hunt for execution of unsigned binaries or scripts referencing YellowKey or its public repository artifacts.
- Correlate physical access telemetry (badge data, camera systems) with endpoint logon and configuration-change events.
Monitoring Recommendations
- Enable Microsoft Defender for Endpoint or equivalent EDR telemetry on all affected Windows 11 24H2, 25H2, 26H1, and Windows Server 2025 hosts.
- Forward Security, System, and Application event logs to a central SIEM and alert on lock screen bypass and rapid successive failed/successful logon patterns.
- Track changes to BitLocker, Secure Boot, and Group Policy security feature settings as high-priority signals.
How to Mitigate CVE-2026-45585
Immediate Actions Required
- Apply the Microsoft security update as soon as it is released through the Microsoft CVE-2026-45585 Advisory.
- Reduce physical exposure of affected endpoints by enforcing secured enclosures, cable locks, and supervised access for kiosks and shared workstations.
- Inventory all Windows 11 24H2/25H2/26H1 and Windows Server 2025 systems to scope remediation.
Patch Information
At the time of publication, Microsoft has not released a security update. The advisory states the CVE was issued to provide mitigation guidance until the security update is available. Administrators should monitor the Microsoft Security Response Center (MSRC) advisory for CVE-2026-45585 and deploy the patch immediately upon release.
Workarounds
- Follow the mitigation guidance published in the Microsoft MSRC advisory for CVE-2026-45585.
- Enforce BitLocker with pre-boot authentication and Secure Boot on portable devices to limit the value of physical access.
- Restrict who can be physically present with sensitive endpoints, and shorten lock screen timeouts to reduce exposure of unattended sessions.
- Disable or remove unused peripherals and external boot capabilities through BIOS/UEFI and Group Policy.
# Example: enforce short inactivity lock and disable removable boot via PowerShell/GPO
# Set inactivity machine lock to 60 seconds
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 60 /f
# Require BitLocker pre-boot PIN (must be configured via manage-bde / GPO)
manage-bde -protectors -add C: -TPMAndPIN
# Restrict USB boot in UEFI and enforce via Group Policy:
# Computer Configuration > Administrative Templates > System > Removable Storage Access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
