CVE-2026-45585
Analyzed Analyzed - Analysis Complete
Windows "YellowKey" Security Feature Bypass Vulnerability

Publication date: 2026-05-20

Last updated on: 2026-05-22

Assigner: Microsoft Corporation

Description
Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-22
Generated
2026-06-09
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-45585
EUVD
EUVD-2026-31006
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
microsoft windows_server_2025 *
microsoft windows_11_24h2 *
microsoft windows_11_26h1 *
microsoft windows_11_25h2 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45585 is a security feature bypass vulnerability in Microsoft Windows, publicly known as "YellowKey".

This vulnerability allows an attacker to bypass certain security features in Windows, potentially undermining the system's protections.

A proof of concept for this vulnerability has been made public, which violates coordinated vulnerability disclosure best practices.

Microsoft has issued this CVE to provide mitigation guidance until a security update is available.

Impact Analysis

This vulnerability can have a significant impact as it allows bypassing of security features in Windows.

According to the CVSS v3.1 score, it has a base score of 6.8, indicating a high level of severity.

The impact includes potential compromise of confidentiality, integrity, and availability of affected systems.

Mitigation Strategies

Microsoft has issued mitigation guidance that can be implemented to protect against the YellowKey security feature bypass vulnerability until a security update is available.

Specific mitigation steps or commands are not detailed in the provided resources.

Compliance Impact

The provided information does not specify how the YellowKey security feature bypass vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of the YellowKey vulnerability involves checking for the presence of the exploit components on the system or attached USB drives, specifically the presence of a folder named FsTx in the "System Volume Information" directory or on the EFI partition.

One approach is to inspect USB drives or EFI partitions for the suspicious FsTx folder that is used to trigger the exploit.

Since the exploit requires booting into the Windows Recovery Environment (WinRE) and triggering a key combination, monitoring for unusual boot sequences or unexpected shell access during recovery mode could also indicate exploitation attempts.

Specific commands to detect the presence of the exploit folder on a USB drive or EFI partition might include:

  • On Windows, use PowerShell to list contents of the System Volume Information directory on removable drives: `Get-ChildItem -Path "E:\System Volume Information\FsTx" -Recurse` (replace E: with the USB drive letter).
  • On Linux or Windows Subsystem for Linux (WSL), mount the USB drive or EFI partition and run: `ls -la /mnt/usb/System\ Volume\ Information/FsTx` to check for the folder.

Note that the vulnerability affects Windows 11 and Windows Server 2022/2025 systems, so detection efforts should focus on these platforms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart