Zero-day exploit completely defeats default Windows 11 BitLocker protections
- A zero-day exploit named YellowKey allows individuals with physical access to a Windows 11 system to bypass default BitLocker protections and gain full access to encrypted drives within...
- Published in May 2026 by a researcher known as Nightmare-Eclipse, the exploit reliably bypasses default deployments of BitLocker.
- The decryption key is stored in a trusted platform module (TPM), which is a secured piece of hardware.
A zero-day exploit named YellowKey allows individuals with physical access to a Windows 11 system to bypass default BitLocker protections and gain full access to encrypted drives within seconds, according to reporting from Ars Technica.
Published in May 2026 by a researcher known as Nightmare-Eclipse, the exploit reliably bypasses default deployments of BitLocker. This full-volume encryption protection is used by Microsoft to ensure disk contents remain inaccessible to anyone who does not possess the decryption key.
The decryption key is stored in a trusted platform module (TPM), which is a secured piece of hardware. Because of the security it provides, BitLocker is a mandatory protection for many organizations, including those that maintain contracts with governments.
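Because the report describes default deployments as the affected configuration, the first thing an administrator will want is an inventory of which machines still rely on the default TPM-only key protector. The following PowerShell is an added example written for this page; it is not code from the Ars Technica report or from the YellowKey write-up. It uses the standard `Get-BitLockerVolume` cmdlet from Windows' BitLocker module and only classifies protector types; the report does not say whether configurations with pre-boot authentication fare any differently against YellowKey, and this script makes no such claim.

```powershell
# Added example, not from the report or the exploit author.
# Lists every BitLocker volume on the local machine with its key-protector
# types and flags volumes that rely on the TPM-only default (a 'Tpm'
# protector with no protector that requires input before boot).
# Requires the BitLocker module (Get-BitLockerVolume) and an elevated session.

function Get-BitLockerProtectorSummary {
    [CmdletBinding()]
    param()

    # Protector types that require the user to supply something at boot.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasPreBoot = ($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0
        $tpmOnly    = ($types -contains 'Tpm') -and (-not $hasPreBoot)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyDefault   = $tpmOnly
        }
    }
}

# Usage: run in an elevated PowerShell session on the endpoint being audited.
Get-BitLockerProtectorSummary | Format-Table -AutoSize
```

Run across a fleet (for example via a management agent or remoting), the `TpmOnlyDefault` column gives a quick count of systems in the configuration the report describes; `ProtectionStatus` also surfaces volumes where protection is suspended, which is worth knowing regardless of protector type.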
Technical Mechanism of YellowKey
The core of the YellowKey exploit involves the use of a custom-made FsTx folder. This directory is associated with the file fstx.dll, though online documentation regarding the folder is limited.
The exploit appears to leverage a feature Microsoft calls transactional NTFS. This system is designed to allow developers to achieve transactional atomicity for file operations, which can be applied to a single file, multiple files, or operations that span multiple sources.
By utilizing this transactional capability, the exploit enables one disk volume to manipulate another, effectively defeating the default encryption protections provided by the TPM and BitLocker.
