Summarize with:

Share
Microsoft has now closed the patch gap for CVE-2026-45585, the public BitLocker bypass widely referred to as YellowKey. The immediate headline is not simply that Microsoft fixed a vulnerability. The more important operational point is that Microsoft changed its June 2026 Windows delivery model and pushed a baseline update instead of a hotpatch because the issue was already public.
That makes this a practical defender story on June 14, 2026, not just a disclosure recap from May. If your team treated the interim mitigation as the main answer, this week is when you need to move from workaround thinking to durable remediation across Windows fleets that rely on BitLocker for device data protection.
Microsoft’s June 9 support note says the June 2026 Windows security update was delivered as a baseline update instead of a hotpatch after the public disclosure of CVE-2026-45585, and that devices require a restart to complete installation.
Microsoft then added a second important clarification in the Windows message center on June 11, 2026:
That combination matters because it tells defenders exactly where the situation stands now:
YellowKey does not look like the usual remote perimeter story, and that is exactly why some teams may underestimate it.
The bug targets BitLocker, which many organizations treat as a foundational encryption control for laptops and other Windows endpoints. NVD reflects Microsoft’s warning that proof-of-concept code was made public before the security update was ready, and that Microsoft issued mitigation guidance first while the permanent fix was still pending.
In practice, that changes the risk conversation. A vulnerability that needs physical access can still be high value when the affected control is the mechanism supposed to protect data after loss, theft, travel seizure, disposal mistakes, or temporary adversary access to a device.
That is why this issue should sit partly in incident response and asset assurance, not only in standard patch reporting.
The core operational lesson is simple: hotpatch-friendly estates still had to fall back to a baseline month because of YellowKey.
That creates three common failure modes:
Microsoft’s mitigation guidance was useful, but Microsoft is now clearly saying the June update resolves the CVE. A mitigation is a bridge, not closure.
Baseline delivery means patch success is not just about approval state in tooling. Systems need the restart path completed. If a device is still sitting in a deferred reboot state, you should not treat it as fully remediated.
If the organization had portable endpoints with sensitive data and relied on BitLocker as the main protection during the window between public disclosure and June 9, there is a real validation task here. That does not mean compromise happened. It means the right question is whether your protection assumptions held during that gap.
Do not stop at the interim mitigation. Microsoft has confirmed the June update fixes CVE-2026-45585.
Because this month was shipped as a baseline, systems that have downloaded or staged the update but not rebooted should remain on the short list.
Microsoft’s Windows message center says the mitigation script remains part of the guidance and does not need to be reverted.
Executives, traveling staff, developers with privileged access, field laptops, contractor devices, and any endpoint carrying sensitive offline data deserve priority review.
If there are devices that cannot be restarted promptly or are operationally pinned to deferred maintenance windows, document them as a live exception instead of letting them disappear inside aggregate compliance numbers.
YellowKey is a good example of how zero-day pressure changes normal Windows servicing assumptions.
The timeline matters:
That sequence tells defenders something useful: when a vulnerability hits a trust anchor like BitLocker, even organizations optimized for low-friction Windows patching may need to absorb a heavier operational move. The danger is not only the bug itself. It is the false confidence that comes from assuming interim mitigations and patch telemetry mean the same thing.
No. As of June 9, 2026, Microsoft has a patch in the June security baseline, and by June 11, 2026 Microsoft explicitly said the update includes a resolution for CVE-2026-45585.
Because Microsoft is signaling that the public disclosure changed the servicing path. Baseline months require a restart, which creates operational lag if teams focus only on update approval rather than completed remediation.
Microsoft’s Windows message center says the mitigation script remains part of the guidance and does not need to be reverted.
Patch, reboot, and validate. If your organization depended on BitLocker to protect sensitive endpoint data, do not count YellowKey as closed until restart-backed June baseline deployment is complete.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
vulnerabilityGitea Docker flaw turns a trusted proxy header into account takeover Gitea has fixed a critical authentication bypass in its official Docker images that could l...
vulnerabilityU-Boot FIT signature flaws expose a fragile pre-OS trust boundary Firmware security company Binarly has disclosed six vulnerabilities in U-Boot's FIT signature...
vulnerabilityMicrosoft Defender RoguePlanet fix closes a SYSTEM-level escalation path Microsoft has released a fix for CVE-2026-50656, the Microsoft Defender vulnerability p...