Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.
AnalysisAI
Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.
Technical ContextAI
CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates that some Windows interface - likely a pre-boot environment, locked-screen shell, recovery console, or accessible diagnostic utility - fails to sanitize special characters, allowing injected OS commands to execute with elevated or system-level privilege. The CVSS vector AV:P (Physical) confirms exploitation requires hands-on access to the hardware, while PR:N and AC:L indicate no credentials are needed and the injection point is trivially reachable once physical presence is established. The 'security feature bypass' classification suggests the command injection is used to circumvent a protective mechanism such as Secure Boot enforcement, Windows Defender credential guard, disk encryption lock, or a kiosk-mode restriction, rather than being a standalone RCE class on a normally running system. Affected CPE strings are not enumerated in the available intelligence; consult the MSRC advisory for exact product and version scoping.
RemediationAI
No vendor-released patch is available at time of analysis - Microsoft's advisory language explicitly states mitigation guidance is being issued 'until the security update is made available.' Monitor https://msrc.apple.com/update-guide/vulnerability/CVE-2026-45585 and Microsoft's Patch Tuesday release cycle for the forthcoming fix, and apply it immediately upon release. In the interim, enforce strict physical access controls as the primary compensating measure: restrict physical access to Windows endpoints to authorized personnel only, and treat unattended device scenarios (hotels, open offices, shared kiosks) as elevated risk. Enable BitLocker with a pre-boot PIN (not TPM-only) to require a secret for device access before Windows loads, limiting attack surface on the interface likely targeted by YellowKey - trade-off is user friction at boot. Configure BIOS/UEFI with an administrator password and disable booting from external media to prevent circumvention via live OS. Enable Secure Boot and verify TPM-based attestation is active. For shared or kiosk Windows deployments, evaluate whether devices can be physically secured (cable locks, locked enclosures) or temporarily taken offline until the patch is available. Do not rely on software-layer mitigations alone given the physical-access attack vector.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31006
GHSA-2h24-8rjh-qgjv