Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices.
\nWe are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.
\nMitigation FAQs
\nShould I leverage the temporary mitigation?
\nMicrosoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization\u2019s employees take their work devices home or on business travel.
\nWhat impact to service availability/management could be caused by implementing the mitigations?
\nImplementing these mitigations will not impact service availability or management operations.
\nDo customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available?
\nNo. The security update will maintain the mitigation's behavior once the security update is installed.
\nI am using TPM+PIN, am I at risk of this vulnerability being exploited
\nNo, if you are using TPM+PIN the vulnerability is not exploitable.
\n","cweList":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"],"cweDetailsListForSearch":["cwe: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","cweUrl: https://cwe.mitre.org/data/definitions/77.html"],"unformattedDescription":"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as \"YellowKey\". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices.\n \nWe are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. \n\n**Mitigation FAQs**\n\n**Should I leverage the temporary mitigation?**\n\nMicrosoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization\u2019s employees take their work devices home or on business travel.\n\n**What impact to service availability/management could be caused by implementing the mitigations?**\n\nImplementing these mitigations will not impact service availability or management operations.\n \n**Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available?**\n\nNo. The security update will maintain the mitigation's behavior once the security update is installed. \n\n**I am using TPM+PIN, am I at risk of this vulnerability being exploited**\n\nNo, if you are using TPM+PIN the vulnerability is not exploitable.","mitreText":"CVE-2026-45585","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2026-45585","publiclyDisclosed":"Yes","exploited":"No","latestSoftwareReleaseId":1,"latestSoftwareRelease":"Exploitation More Likely","olderSoftwareReleaseId":0,"denialOfService":"N/A","tag":"Windows BitLocker","issuingCna":"Microsoft","issuingCnaId":100000001,"severityId":100000001,"severity":"Important","impactId":100000007,"impact":"Security Feature Bypass","langCode":"en-US","baseScore":"6.8","temporalScore":"6.3","vectorString":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C","vectorStringSource":"Microsoft","isMariner":false,"customerActionRequired":true,"customerActionRequiredId":1,"cweDetailsList":[{"keys":["cwe","cweUrl"],"values":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","https://cwe.mitre.org/data/definitions/77.html"]}],"articles":[{"title":"Windows BitLocker Security Feature Bypass Vulnerability","articleType":"100000000","description":"Improper neutralization of special elements used in a command ('command injection') in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
\n","ordinal":10000},{"articleType":"FAQ","description":"What kind of security feature could be bypassed by successfully exploiting this vulnerability?
\nA successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.
\n","ordinal":10000},{"articleType":"FAQ","description":"Is there a script that I can copy and paste to implement a mitigation?
\nYes. This script is an interim security fix that helps to reduce the risk of exploitation of the vulnerability.
\nThe script is for WinRE and removes autofstx.exe from the BootExecute registry value. Since BootExecute runs programs very early in boot (even in recovery mode), removing this entry prevents that executable from running in a high\u2011privilege environment, reducing risk.
\nIt works by mounting the WinRE image, editing its offline SYSTEM registry to remove the entry if present, then safely committing changes and re\u2011sealing WinRE so BitLocker trust remains intact.
\nIt\u2019s designed to be safe\u2014if the autofstx.exe entry isn\u2019t there, it exits without making changes.
\n.SYNOPSIS\n Removes autofstx.exe from the WinRE BootExecute registry value.\n\n.DESCRIPTION\n This remediation script removes the "autofstx.exe" entry from the BootExecute\n REG_MULTI_SZ value inside the Windows Recovery Environment (WinRE) offline\n SYSTEM registry hive. This is a security fix to prevent autofstx.exe from\n executing during WinRE boot.\n\n The script performs the following steps:\n 1. Verify administrator privileges\n 2. Verify WinRE is enabled\n 3. Mount the WinRE image via reagentc\n 4. Load the offline SYSTEM registry hive\n 5. Read BootExecute and remove autofstx.exe if present\n 6. Unload the offline hive\n 7. Unmount the WinRE image with commit\n 8. Disable and re-enable WinRE to re-seal BitLocker trust chain\n\n Exit 0 = Success (entry removed or not present)\n Exit 1 = Failure (error during remediation)\n\n.PARAMETER MountPath\n Directory to use as the WinRE mount point. Created if it does not exist.\n Default: C:\\Mount\n\n.EXAMPLE\n # Standard run\n .\\Remove-AutoFsTxFromWinRE.ps1\n\n.EXAMPLE\n # Custom mount path\n .\\Remove-AutoFsTxFromWinRE.ps1 -MountPath D:\\mount\n\n.NOTES\n Requirements: Windows with WinRE and reagentc support, Administrator privileges.\n The WinRE disable/enable cycle at the end is required to re-seal the\n BitLocker measurement chain after modifying the WinRE image.\n\n THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n SOFTWARE.\n#>\nparam(\n [Parameter(Mandatory = $false)]\n [string]$MountPath = "C:\\Mount"\n)\n\n# Target entry to remove from BootExecute\n$EntryToRemove = "autofstx.exe"\n\n# Internal constant for the offline hive key name\n$HiveName = "WinREHive"\n\n# State tracking for cleanup\n$hiveLoaded = $false\n$imageMounted = $false\n$mountCreated = $false\n$changesMade = $false\n\nWrite-Host "Remove autofstx.exe from WinRE BootExecute"\n\n# 1. Verify Administrator Privileges\n# PS Version: All | Admin: Yes | System Requirements: None\ntry {\n $identity = [Security.Principal.WindowsIdentity]::GetCurrent()\n $principal = [Security.Principal.WindowsPrincipal]$identity\n $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)\n\n if (-not $isAdmin) {\n Write-Host "[1/8] Administrator check: FAILED" -ForegroundColor Red\n Write-Host " This script must be run as Administrator."\n Write-Host " Right-click PowerShell and select 'Run as administrator'."\n exit 1\n }\n\n Write-Host "[1/8] Administrator check: Passed" -ForegroundColor Green\n} catch {\n Write-Warning "Error checking administrator privileges: $_"\n exit 1\n}\n\n# 2. Check WinRE Status\n# PS Version: All | Admin: Yes | System Requirements: reagentc.exe\ntry {\n $winreOutput = & reagentc /info 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[2/8] WinRE status check: FAILED" -ForegroundColor Red\n Write-Warning "reagentc /info returned exit code $LASTEXITCODE"\n exit 1\n }\n $winreOutputStr = $winreOutput -join "`n"\n\n if ($winreOutputStr -notmatch "Windows RE status:\\s+Enabled") {\n Write-Host "[2/8] WinRE status: NOT ENABLED. Exiting." -ForegroundColor Green\n exit 0\n }\n\n Write-Host "[2/8] WinRE status: Enabled" -ForegroundColor Green\n} catch {\n Write-Warning "Error checking WinRE status: $_"\n exit 1\n}\n\n# 3. Mount WinRE Image\n# PS Version: All | Admin: Yes | System Requirements: reagentc.exe\ntry {\n if (-not (Test-Path $MountPath)) {\n New-Item -ItemType Directory -Path $MountPath -Force | Out-Null\n $mountCreated = $true\n Write-Host "[3/8] Created mount directory: $MountPath"\n } else {\n $existing = Get-ChildItem -Path $MountPath -Force -ErrorAction SilentlyContinue\n if ($existing) {\n Write-Host "[3/8] Mount WinRE image: FAILED" -ForegroundColor Red\n Write-Host " Mount directory $MountPath is not empty."\n Write-Host " Clean it or specify a different -MountPath."\n exit 1\n }\n }\n\n $mountOutput = & reagentc /mountre /path $MountPath 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[3/8] Mount WinRE image: FAILED" -ForegroundColor Red\n Write-Warning "reagentc /mountre output: $mountOutput"\n exit 1\n }\n\n $imageMounted = $true\n Write-Host "[3/8] WinRE image mounted: $MountPath" -ForegroundColor Green\n} catch {\n Write-Warning "Error mounting WinRE image: $_"\n exit 1\n}\n\n# 4. Load Offline SYSTEM Registry Hive\n# PS Version: All | Admin: Yes | System Requirements: reg.exe\ntry {\n # Locate the SYSTEM hive in the mounted WinRE image\n $hivePath = $null\n $hiveCandidates = @(\n "$MountPath\\Windows\\System32\\config\\SYSTEM",\n "$MountPath\\windows\\system32\\config\\SYSTEM"\n )\n\n foreach ($candidate in $hiveCandidates) {\n if (Test-Path $candidate) {\n $hivePath = $candidate\n break\n }\n }\n\n if (-not $hivePath) {\n # Broader search as fallback\n $found = Get-ChildItem -Path $MountPath -Recurse -Filter "SYSTEM" -ErrorAction SilentlyContinue |\n Where-Object { $_.FullName -match "config\\\\SYSTEM$" } |\n Select-Object -First 1\n\n if ($found) {\n $hivePath = $found.FullName\n }\n }\n\n if (-not $hivePath) {\n Write-Host "[4/8] Load offline hive: FAILED" -ForegroundColor Red\n Write-Warning "Cannot locate SYSTEM hive in mounted WinRE image."\n\n # Cleanup: unmount with discard\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n exit 1\n }\n\n Write-Host "[4/8] Found SYSTEM hive: $hivePath"\n\n $loadOutput = & reg load "HKLM\\$HiveName" $hivePath 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[4/8] Load offline hive: FAILED" -ForegroundColor Red\n Write-Warning "reg load output: $loadOutput"\n\n # Cleanup: unmount with discard\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n exit 1\n }\n\n $hiveLoaded = $true\n Write-Host "[4/8] Hive loaded as HKLM\\$HiveName" -ForegroundColor Green\n} catch {\n Write-Warning "Error loading offline hive: $_"\n\n if ($imageMounted) {\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n }\n exit 1\n}\n\n# 5. Read BootExecute and Remove autofstx.exe\n# PS Version: All | Admin: Yes | System Requirements: None\ntry {\n # Determine active ControlSets from Select key\n $selectPath = "Registry::HKEY_LOCAL_MACHINE\\$HiveName\\Select"\n $selectProps = Get-ItemProperty -Path $selectPath -ErrorAction SilentlyContinue\n\n if ($selectProps -and $selectProps.Current) {\n $csNumbers = @($selectProps.Current)\n if ($selectProps.Default -and $selectProps.Default -ne $selectProps.Current) {\n $csNumbers += $selectProps.Default\n }\n $controlSets = $csNumbers | ForEach-Object { "ControlSet{0:D3}" -f [int]$_ }\n Write-Host "[5/8] Active ControlSets (from Select key): $($controlSets -join ', ')"\n } else {\n $controlSets = @("ControlSet001")\n Write-Host "[5/8] Select key not readable, falling back to ControlSet001"\n }\n\n # Remediate all relevant ControlSets\n $foundEntry = $false\n\n foreach ($cs in $controlSets) {\n $regPath = "Registry::HKEY_LOCAL_MACHINE\\$HiveName\\$cs\\Control\\Session Manager"\n $testResult = Get-ItemProperty -Path $regPath -Name "BootExecute" -ErrorAction SilentlyContinue\n\n if (-not $testResult) {\n Write-Host " $cs\\Session Manager\\BootExecute: not found, skipping"\n continue\n }\n\n $currentValue = $testResult.BootExecute\n\n if (-not $currentValue) {\n Write-Host " $cs BootExecute: (empty)"\n continue\n }\n\n # Remove matching entry (case-insensitive)\n $updatedValue = @($currentValue | Where-Object {\n $_ -and\n ($_ -ne $EntryToRemove) -and\n ($_ -notmatch "^\\s*$([regex]::Escape($EntryToRemove))\\s*$")\n })\n\n if ($updatedValue.Count -eq @($currentValue).Count) {\n Write-Host " $cs BootExecute: '$EntryToRemove' not present"\n continue\n }\n\n # Write updated REG_MULTI_SZ back\n Set-ItemProperty -Path $regPath -Name "BootExecute" -Value $updatedValue\n $foundEntry = $true\n\n Write-Host " $cs BootExecute: removed '$EntryToRemove'" -ForegroundColor Green\n\n # Verify the write\n $verifyValue = (Get-ItemProperty -Path $regPath -Name "BootExecute" -ErrorAction Stop).BootExecute\n Write-Host " $cs verification: $($verifyValue -join '; ')"\n }\n\n if (-not $foundEntry) {\n Write-Host "[5/8] '$EntryToRemove' not found in any active ControlSet. No changes needed." -ForegroundColor Green\n\n # Cleanup: unload hive, unmount with discard\n [gc]::Collect()\n Start-Sleep -Seconds 1\n $null = & reg unload "HKLM\\$HiveName" 2>&1\n $hiveLoaded = $false\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n if ($mountCreated) { Remove-Item -Path $MountPath -Recurse -Force -ErrorAction SilentlyContinue }\n exit 0\n }\n\n $changesMade = $true\n Write-Host "[5/8] Removed '$EntryToRemove' from BootExecute" -ForegroundColor Green\n} catch {\n Write-Warning "Error modifying BootExecute: $_"\n\n # Cleanup: unload hive, unmount with discard\n [gc]::Collect()\n Start-Sleep -Seconds 2\n if ($hiveLoaded) {\n $null = & reg unload "HKLM\\$HiveName" 2>&1\n $hiveLoaded = $false\n }\n if ($imageMounted) {\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n }\n exit 1\n}\n\n# 6. Unload Offline Registry Hive\n# PS Version: All | Admin: Yes | System Requirements: reg.exe\ntry {\n [gc]::Collect()\n Start-Sleep -Seconds 2\n\n $unloadOutput = & reg unload "HKLM\\$HiveName" 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Warning "First unload attempt failed, retrying..."\n [gc]::Collect()\n Start-Sleep -Seconds 3\n $unloadOutput = & reg unload "HKLM\\$HiveName" 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[6/8] Unload hive: FAILED" -ForegroundColor Red\n Write-Warning "reg unload output: $unloadOutput"\n Write-Host " Close any Registry Editor windows and retry."\n\n # Try to unmount with discard to avoid leaving image mounted\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n exit 1\n }\n }\n\n $hiveLoaded = $false\n Write-Host "[6/8] Offline hive unloaded" -ForegroundColor Green\n} catch {\n Write-Warning "Error unloading hive: $_"\n\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n $imageMounted = $false\n exit 1\n}\n\n# 7. Unmount WinRE Image with Commit\n# PS Version: All | Admin: Yes | System Requirements: reagentc.exe\ntry {\n if ($changesMade) {\n $unmountOutput = & reagentc /unmountre /path $MountPath /commit 2>&1\n } else {\n $unmountOutput = & reagentc /unmountre /path $MountPath /discard 2>&1\n }\n\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[7/8] Unmount WinRE: FAILED" -ForegroundColor Red\n Write-Warning "reagentc /unmountre output: $unmountOutput"\n\n # Attempt discard as fallback\n if ($changesMade) {\n Write-Host " Attempting discard to avoid leaving image in broken state..."\n $null = & reagentc /unmountre /path $MountPath /discard 2>&1\n }\n $imageMounted = $false\n exit 1\n }\n\n $imageMounted = $false\n\n if ($changesMade) {\n Write-Host "[7/8] WinRE image unmounted and committed" -ForegroundColor Green\n } else {\n Write-Host "[7/8] WinRE image unmounted (no changes)" -ForegroundColor Green\n }\n} catch {\n Write-Warning "Error unmounting WinRE image: $_"\n exit 1\n}\n\n# 8. Re-seal WinRE (Disable + Enable Cycle for BitLocker Trust Chain)\n# PS Version: All | Admin: Yes | System Requirements: reagentc.exe, BitLocker\ntry {\n if (-not $changesMade) {\n Write-Host "[8/8] Re-seal WinRE: Skipped (no changes made)" -ForegroundColor Green\n } else {\n $disableOutput = & reagentc /disable 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Warning "reagentc /disable returned non-zero: $disableOutput"\n } else {\n Write-Host " WinRE disabled."\n }\n\n $enableOutput = & reagentc /enable 2>&1\n if ($LASTEXITCODE -ne 0) {\n Write-Host "[8/8] Re-seal WinRE: FAILED" -ForegroundColor Red\n Write-Warning "reagentc /enable output: $enableOutput"\n Write-Host " WinRE may need manual recovery. Run: reagentc /enable"\n exit 1\n }\n\n Write-Host "[8/8] WinRE re-sealed (disable + enable cycle)" -ForegroundColor Green\n }\n} catch {\n Write-Warning "Error during WinRE re-seal: $_"\n Write-Host " Run manually: reagentc /enable"\n exit 1\n}\n\nWrite-Host ""\nWrite-Host " COMPLETE: '$EntryToRemove' removed from WinRE BootExecute" -ForegroundColor Green\n\n# Cleanup: remove mount directory if we created it\nif ($mountCreated -and (Test-Path $MountPath)) {\n Remove-Item -Path $MountPath -Recurse -Force -ErrorAction SilentlyContinue\n}\n\nexit 0```\nInformation published.
\n","unformattedDescription":"Information published.","notificationNeeded":true,"notificationSent":false,"sourceId":"523f460e-1553-f111-93fb-000d3afbc7d7"},{"cveNumber":"CVE-2026-45585","version":1.1,"revisionDate":"2026-05-20T07:00:00-07:00","initialDate":"0001-01-01T00:00:00Z","description":"Updated Step 2 of the first mitigation. This is an informational change only.
\n","unformattedDescription":"Updated **Step 2** of the first mitigation. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"a406e2ea-ab54-f111-93fb-000d3afbc7d7"},{"cveNumber":"CVE-2026-45585","version":1.2,"revisionDate":"2026-05-21T07:00:00-07:00","initialDate":"0001-01-01T00:00:00Z","description":"Added a script to implement a mitigation and removed the manual mitigations. Please read the information to decide if you need to run the provided script.
\n","unformattedDescription":"Added a script to implement a mitigation and removed the manual mitigations. Please read the information to decide if you need to run the provided script.","notificationNeeded":true,"notificationSent":false,"sourceId":"096289f1-d654-f111-93fb-000d3afbc7d7"}]}