Skip to main content

Microsoft Windows EUVDEUVD-2026-31006

| CVE-2026-45585 MEDIUM
Command Injection (CWE-77)
2026-05-20 secure@microsoft.com GHSA-2h24-8rjh-qgjv
6.8
CVSS 3.1 · NVD
Temporal: 6.3
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.3 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 00:29 vuln.today

DescriptionCVE.org

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.

AnalysisAI

Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.

Technical ContextAI

CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates that some Windows interface - likely a pre-boot environment, locked-screen shell, recovery console, or accessible diagnostic utility - fails to sanitize special characters, allowing injected OS commands to execute with elevated or system-level privilege. The CVSS vector AV:P (Physical) confirms exploitation requires hands-on access to the hardware, while PR:N and AC:L indicate no credentials are needed and the injection point is trivially reachable once physical presence is established. The 'security feature bypass' classification suggests the command injection is used to circumvent a protective mechanism such as Secure Boot enforcement, Windows Defender credential guard, disk encryption lock, or a kiosk-mode restriction, rather than being a standalone RCE class on a normally running system. Affected CPE strings are not enumerated in the available intelligence; consult the MSRC advisory for exact product and version scoping.

RemediationAI

No vendor-released patch is available at time of analysis - Microsoft's advisory language explicitly states mitigation guidance is being issued 'until the security update is made available.' Monitor https://msrc.apple.com/update-guide/vulnerability/CVE-2026-45585 and Microsoft's Patch Tuesday release cycle for the forthcoming fix, and apply it immediately upon release. In the interim, enforce strict physical access controls as the primary compensating measure: restrict physical access to Windows endpoints to authorized personnel only, and treat unattended device scenarios (hotels, open offices, shared kiosks) as elevated risk. Enable BitLocker with a pre-boot PIN (not TPM-only) to require a secret for device access before Windows loads, limiting attack surface on the interface likely targeted by YellowKey - trade-off is user friction at boot. Configure BIOS/UEFI with an administrator password and disable booting from external media to prevent circumvention via live OS. Enable Secure Boot and verify TPM-based attestation is active. For shared or kiosk Windows deployments, evaluate whether devices can be physically secured (cable locks, locked enclosures) or temporarily taken offline until the patch is available. Do not rely on software-layer mitigations alone given the physical-access attack vector.

Share

EUVD-2026-31006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy