Severity by source
Sources disagree (Medium–Critical)AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorVendor: microsoft
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
AnalysisAI
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Technical ContextAI
Windows BitLocker is Microsoft's built-in full-volume encryption technology, designed to protect data at rest on Windows devices by encrypting the entire drive and requiring authentication (TPM, PIN, recovery key, or combination) to unlock it at boot. CWE-306 (Missing Authentication for Critical Function) identifies the root cause class: a critical security gate - specifically the protection mechanism enforcing BitLocker's access controls - is missing or bypassable, allowing an unauthorized actor to circumvent encryption without supplying the required authentication factor. This CWE commonly manifests in BitLocker contexts as inadequate enforcement of pre-boot PIN requirements, exploitable TPM-only unlock paths, or boot-sequence verification steps that can be skipped through physical manipulation (e.g., cold-boot attacks, DMA attacks, or firmware-level bypasses). The CVSS vector AV:P confirms that exploitation requires direct physical presence at the device.
RemediationAI
Microsoft has released a patch addressing CVE-2026-50507; the exact patched Windows version is not independently confirmed from the available data beyond 'patch available from vendor,' so administrators should consult the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50507 for the specific KB article and affected build numbers, then apply the relevant cumulative or security update through Windows Update, WSUS, or SCCM. As compensating controls prior to patching or for defense-in-depth, organizations should enforce BitLocker with a pre-boot PIN or startup key in addition to TPM (rather than TPM-only mode), as this raises the bar for physical attackers - note this adds user friction at every boot cycle. Disabling USB and external boot options in BIOS/UEFI firmware and setting a BIOS/UEFI password prevents attackers from booting alternative OS environments to bypass BitLocker. For high-value or high-mobility devices, enabling Microsoft Entra ID or on-premises remote wipe capabilities ensures data can be rendered inaccessible if a device is confirmed stolen. Physical security controls such as device tracking and cable locks provide additional deterrence against the physical access prerequisite.
More in Windows 10 1607
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35589
GHSA-h7w3-v34v-748v