Skip to main content

Windows BitLocker EUVDEUVD-2026-35695

| CVE-2026-45655 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-09 secure@microsoft.com GHSA-cmfc-3q8r-88w2
Medium
Disputed · 5.3 NVD
Temporal: 4.6
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
5.3 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
ENISA EUVD
CRITICAL
qualitative
CIRCL (temporal)
4.6 MEDIUM
cvss

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 19:37 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.3

DescriptionNVD

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

AnalysisAI

BitLocker drive encryption on Windows can be bypassed by a physically present, unauthenticated attacker, exposing protected volume contents with high confidentiality impact. Classified as CWE-693 (Protection Mechanism Failure), the flaw undermines BitLocker's core threat model - data-at-rest protection - across a wide range of Windows 10, Windows 11, and Windows Server releases from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patches for all affected versions; however, the physical access requirement means organizations with mobile or physically accessible systems should treat this as a higher operational priority than the CVSS score alone implies.

Technical ContextAI

BitLocker is Microsoft's full-volume encryption feature designed to protect data at rest by encrypting entire disk volumes, with TPM-based key storage as the common deployment model. The vulnerability is classified as CWE-693 (Protection Mechanism Failure), indicating the encryption protection boundary itself fails under specific physical access conditions rather than a cryptographic weakness in the underlying algorithm. The CVSS vector AV:P confirms a hands-on physical attack is required. The Changed Scope component (S:C) in the vector is significant: it indicates the exploit crosses a defined security boundary - most likely from the pre-boot hardware or firmware layer into the encrypted operating system or data partition - without requiring any credentials (PR:N). The Confidentiality:High and Integrity:None/Availability:None profile is consistent with a read-only bypass of encrypted storage, meaning attackers can extract data but cannot silently modify it through this vector alone.

RemediationAI

Apply the vendor-released patches from Microsoft targeting each affected Windows build. Specific patched versions confirmed from EUVD-2026-35695 include: Windows 10 22H2 to build 10.0.19045.7417, Windows 11 24H2 to build 10.0.26100.8655, Windows 11 26H1 to build 10.0.28000.2269, Windows Server 2025 to build 10.0.26100.32995, Windows Server 2022 to build 10.0.20348.5256, and Windows Server 2019 to build 10.0.17763.8880, among others. Consult the full advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45655 for the complete patched build list. As compensating controls prior to patching, enforce BitLocker with TPM+PIN or TPM+USB key multi-factor pre-boot authentication rather than TPM-only mode, since requiring a PIN or external key at boot reduces the attack surface for physical bypass - note this adds operational overhead for remote reboots and headless servers. Implement strict physical access controls including device cable locks, locked storage for unattended hardware, and asset tracking for mobile devices; these do not eliminate the vulnerability but reduce attacker opportunity. For high-sensitivity environments, consider BitLocker Network Unlock as an additional layer, though this requires reliable network connectivity at boot.

Share

EUVD-2026-35695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy