Full Report
It’s nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments...
Analysis Summary
# Vulnerability: YellowKey BitLocker Bypass
## CVE Details
- **CVE ID:** Not yet assigned (Zero-day as of report date)
- **CVSS Score:** ~6.8 (Medium/High - Adjusted for Physical Access)
- **CWE:** CWE-311: Missing Encryption of Sensitive Data (TPM Communication Channel)
## Affected Systems
- **Products:** Windows 10 and Windows 11
- **Versions:** Default installations using TPM-only authentication
- **Configurations:** Systems utilizing BitLocker with the Trusted Platform Module (TPM) without an additional Pre-Boot Authentication (PBA) factor (e.g., PIN or USB Key).
## Vulnerability Description
The "YellowKey" exploit targets the unencrypted communication channel between the computer's CPU and a discrete Trusted Platform Module (dTPM). In the default TPM-only configuration, BitLocker seals the Volume Master Key (VMK) to the TPM's Platform Configuration Register (PCR) measurements of the boot chain; when the measured boot matches, the TPM unseals the VMK and returns it to the CPU automatically, with no user interaction. That response crosses the motherboard's LPC or SPI bus in the clear. By probing the bus during boot, an attacker captures the VMK as plaintext and can use it to decrypt the volume offline.
## Exploitation
- **Status:** PoC available (Published by Nightmare-Eclipse on GitHub)
- **Complexity:** Medium (needs a logic analyzer or a small microcontroller board such as a Raspberry Pi or Teensy wired to the TPM bus pins, plus a boot of the target with the probe attached)
- **Attack Vector:** Physical (Requires access to the internal hardware components of the device)
## Impact
- **Confidentiality:** Total (Full access to all data on the encrypted volume)
- **Integrity:** None reported (the attack is a passive key capture and does not alter system state)
- **Availability:** None
## Remediation
### Patches
- No software patch can close this gap for existing discrete TPM designs: in TPM-only mode the VMK must reach the CPU, and on a dTPM it does so over an external bus. The fix is configuration (below), not an update.
### Workarounds
- **Require TPM + PIN at startup:** Configure BitLocker so the operating-system volume has a TPM+PIN protector instead of a TPM-only one. The VMK is then sealed with the PIN as an additional authorization, so the TPM does not unseal it, and nothing appears on the bus, until the correct PIN is entered at the pre-boot prompt. Microsoft's separate "Allow enhanced PINs for startup" setting additionally permits alphanumeric PINs; enforce a minimum PIN length alongside it.
- **Require a startup key:** Store a startup key on a USB drive that must be present at boot (TPM + startup key, or TPM + PIN + startup key). The drive must be kept apart from the laptop, or it travels with the stolen device.
- **Switch to fTPM:** If the CPU supports a firmware TPM (Intel PTT or AMD fTPM), the TPM runs inside the CPU package and the VMK never crosses a board-level bus. This only removes the bus-sniffing exposure, not attacks on the firmware TPM itself. Changing the TPM device also invalidates the PCR-sealed VMK, so suspend BitLocker (or have the recovery password on hand) before switching, then re-enable it.
## Detection
- **Indicators of Compromise:** Physical evidence of tampering only: broken case seals, wires or clips on the motherboard, or probe marks on the TPM package or its bus pins.
- **Detection methods and tools:** The capture is passive, so no Windows log records it. Audit for the exposed configuration instead: enumerate operating-system volumes whose only TPM-based protector is TPM-only (`manage-bde -protectors -get C:` or `Get-BitLockerVolume`) and enforce TPM+PIN through Group Policy ("Require additional authentication at startup" under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives). Policy enforcement is the primary defense.
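The audit described under Detection and the TPM+PIN workaround described under Remediation, as one added PowerShell example. This is not code from the YellowKey repository or the cited articles; it uses the BitLocker module that ships with Windows 10/11 and must run elevated. The function names are this example's own, and the registry values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are assumed to match the "Require additional authentication at startup" and "Configure minimum PIN length for startup" policies (0 = do not allow, 1 = require, 2 = allow); confirm them against the BitLocker ADMX in your environment before deploying.

```powershell
# Added example (not from the YellowKey report or repository): find OS volumes
# that rely on a TPM-only protector, set the local policy that forbids it,
# and replace the protector with TPM+PIN so the VMK is never released
# automatically at boot.
Set-StrictMode -Version Latest

function Test-BitLockerTpmOnly {
    # One record per operating-system volume; TpmOnly is $true when the volume
    # has a 'Tpm' protector and no PIN / startup-key variant alongside it.
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $pba   = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasRecovery      = ($types -contains 'RecoveryPassword')
            TpmOnly          = ($types -contains 'Tpm') -and ($pba.Count -eq 0)
        }
    }
}

function Set-BitLockerStartupPinPolicy {
    # Local-policy equivalent of "Require additional authentication at startup"
    # with TPM-only disallowed and TPM+PIN required (assumed registry values,
    # see lead-in). A domain GPO should carry the same settings.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$MinimumPinLength = 8)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($PSCmdlet.ShouldProcess($fve, 'set startup-authentication policy')) {
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPM       -Value 0 -Type DWord  # TPM-only: do not allow
        Set-ItemProperty -Path $fve -Name UseTPMPIN    -Value 1 -Type DWord  # TPM+PIN: require
        Set-ItemProperty -Path $fve -Name UseTPMKey    -Value 0 -Type DWord  # TPM+key: do not allow
        Set-ItemProperty -Path $fve -Name UseTPMKeyPIN -Value 2 -Type DWord  # TPM+key+PIN: allow
        Set-ItemProperty -Path $fve -Name MinimumPIN -Value $MinimumPinLength -Type DWord
    }
}

function ConvertTo-BitLockerTpmPin {
    # Replaces the TPM-only protector on an OS volume with TPM+PIN. Refuses to
    # run without a recovery password protector, so a forgotten PIN or a PCR
    # change after a firmware update cannot lock the machine out.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'RecoveryPassword') {
        throw "$MountPoint has no recovery password protector; add one and back it up first."
    }
    if ($types -notcontains 'Tpm') {
        Write-Verbose "$MountPoint is not TPM-only (protectors: $($types -join ','))"
        return
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'replace TPM-only protector with TPM+PIN')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        # BitLocker keeps a single TPM-based protector per volume; remove any
        # TPM-only protector still listed after the add so no automatic
        # unseal path remains.
        Get-BitLockerVolume -MountPoint $MountPoint |
            Select-Object -ExpandProperty KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }
}

# Usage (elevated):
#   Test-BitLockerTpmOnly | Format-Table
#   Set-BitLockerStartupPinPolicy -WhatIf
#   ConvertTo-BitLockerTpmPin -Pin (Read-Host 'Startup PIN' -AsSecureString)
```

Run the audit fleet-wide first; any volume reported with `TpmOnly = True` is in the configuration the exploit targets. Back up the recovery password (to Active Directory, Entra ID, or your key escrow) before converting, and test the new PIN with one reboot before rolling the policy out.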
## References
- Schneier on Security: hxxps[://]www[.]schneier[.]com/blog/archives/2026/05/zero-day-exploit-against-windows-bitlocker[.]html
- Ars Technica Coverage: hxxps[://]arstechnica[.]com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/
- Developer Repository: hxxps[://]github[.]com/Nightmare-Eclipse/YellowKey