Microsoft's June 2026 Patch Tuesday updates landed on June 9, and they pack a punch for anyone who relies on BitLocker to keep Windows drives encrypted. Among the vulnerabilities squashed are three publicly disclosed zero-days collectively tied to security researcher Chaotic Eclipse: YellowKey, a dangerous BitLocker bypass that abuses the Windows Recovery Environment (WinRE), and two related flaws dubbed GreenPlasma and MiniPlasma. With proof-of-concept code already circulating, these patches are not optional—they're a race against attackers who only need physical access to a device to silently decrypt your data.

The Headline Act: YellowKey Exposes Encrypted Drives

YellowKey isn't just another security hiccup. It's a direct pipeline around BitLocker's protection, leveraging how Windows handles the pre-boot recovery environment. When a system boots into WinRE—whether launched from internal recovery, a USB drive, or a network PXE boot—it has legitimate reset, repair, and diagnostic privileges. YellowKey exploits that trust to extract the volume master key or manipulate the boot flow such that the full drive encryption can be unraveled without ever touching the user's PIN or password. In short, an attacker with ten minutes of physical proximity and a thumb drive could clone or expose every file on a stolen corporate laptop.

Chaotic Eclipse disclosed the vulnerability publicly before Microsoft could issue a fix, raising the stakes for organizations managing fleets of Windows 11 and Windows 10 machines. The research did not provide surgical detail on the exploit code, but enough was shared for skilled threat actors to replicate the attack. Security teams should assume the worst: any unpatched Windows device accessible to cleaning staff, airport handling, or casual office visitors is a potential goldmine.

GreenPlasma and MiniPlasma: Brothers in Arms

Microsoft's advisory bundles YellowKey with two companion vulnerabilities: GreenPlasma and MiniPlasma. Technical specifics remain sparse, but their inclusion in the same research set and the Patch Tuesday documentation suggests they are closely related to BitLocker or WinRE security. Based on naming conventions common in the security community, GreenPlasma likely involves a different attack vector within the pre-boot environment, possibly targeting how BitLocker interacts with Trusted Platform Module (TPM) measurements. MiniPlasma may be a more limited variant that still collapses critical encryption boundaries but under narrower conditions—such as on devices without Secure Boot enabled or with outdated recovery images.

All three zero-days became public without an official CVE entry at first, which is why early reports simply refer to them by their researcher-given names. Microsoft's June security update guide now lists the corresponding CVE IDs (links below), but for defenders, the important point is that applying the June 9 patches kills the entire family of flaws.

How the BitLocker Bypass Works

BitLocker is meant to be a fortress. It locks the entire operating system drive with AES encryption and ties the key to the TPM chip, a PIN, or a USB startup key. Even if someone removes the SSD and plugs it into another computer, the data stays scrambled unless they have the recovery key. But WinRE is a special zone. It boots a slim, Microsoft-signed Windows environment that has legitimate access to the disk so it can run tools like “Reset this PC” or command-line recovery options.

YellowKey turns this tool into a skeleton key. By injecting a malicious component into the recovery sequence or by tweaking boot parameters, an attacker can trick WinRE into revealing the master encryption key used to unlock the main OS volume. The technical mechanism likely involves a combination of:

  • Modifying the Boot Configuration Data (BCD) to launch a malicious script as part of recovery
  • Exploiting a missing validation check when WinRE loads a “staged” recovery image from a USB drive
  • Forcing the system into a debug mode where the BitLocker unlock process can be observed

Once the key is captured, an attacker can mount the protected volume offline or even boot the original OS with full access, all while leaving no forensic trace in the event logs.

The Chaotic Eclipse Factor

Researcher Chaotic Eclipse has a history of poking at Windows internals and finding creative ways to circumvent trusted boot paths. Their decision to go public before the patch may have been driven by frustration with slow response timelines or a belief that full disclosure accelerates fixes. Regardless of the motivation, the result is that network defenders were given a head-start on understanding the threat and pressuring patch management teams to prioritize June’s updates over routine maintenance.

Who Is Affected and What to Do

Any supported Windows edition that uses BitLocker is at risk: Windows 10 21H2 and later, all versions of Windows 11, and Windows Server 2019/2022/2025. Even Windows Home users who rely on Device Encryption (a lighter version of BitLocker that ships on many OEM machines) could be vulnerable if their device supports WinRE and boots from UEFI.

Immediate steps:

  1. Install the June 2026 Patch Tuesday updates. These are cumulative, so pulling down the latest servicing stack and monthly quality update covers all three zero-days. Check your update history after installing to confirm you have the June 9 build.
  2. Audit your recovery environment. Even after patching, consider disabling external boot recovery if your organization doesn’t use it. Group Policy can restrict WinRE to local only, and disabling USB/PXE boot in BIOS adds another layer.
  3. Rotate BitLocker recovery keys. If you suspect any device may have already been compromised, changing the recovery key and suspending/reactivating BitLocker will invalidate previously stolen keys.
  4. Enable pre-boot authentication. Requiring a PIN at startup (TPM+PIN protector) means even a recovered key is useless without the user’s input.
  5. Monitor for WinRE abuse. Look for unexpected changes in system boot order, unauthorized PXE server activity, or strange entries in the BCD store.
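The five steps above folded into one per-machine PowerShell audit, added here as an example rather than anything from the article or from Microsoft. It assumes the Windows BitLocker and SecureBoot modules that ship with supported Windows versions; the KB number is a placeholder to be replaced with the id from the MSRC guide, and recovery-key rotation (step 3) only runs when -RotateKeys is passed.

```powershell
#Requires -RunAsAdministrator
# Added example: per-machine check of the five mitigation steps. KB id is a placeholder.
param([switch]$RotateKeys, [string]$RequiredKB = 'KBPLACEHOLDER')

$report = [ordered]@{}

# Step 1: the June cumulative update must appear in the installed hotfix list.
$report.PatchInstalled = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

# Step 2: record WinRE state (reagentc is the built-in WinRE tool) and Secure Boot.
$reInfo = reagentc /info 2>&1 | Out-String
$report.WinREEnabled = $reInfo -match 'Windows RE status:\s+Enabled'
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = 'unavailable (legacy BIOS or no UEFI access)' }

# Step 4: every OS volume should carry a TPM+PIN protector, not a TPM-only one.
$osVols = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
foreach ($v in $osVols) {
    $types = @($v.KeyProtector.KeyProtectorType)
    $report["$($v.MountPoint) Protectors"] = $types -join ','
    $report["$($v.MountPoint) PreBootPIN"] = [bool]($types -match '^TpmPin')
}

# Step 3: rotate recovery passwords. Escrow the new one before removing the old ones
# so a failed backup never leaves a volume without a recoverable protector.
if ($RotateKeys) {
    foreach ($v in $osVols) {
        $oldIds = @(($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId)
        $after  = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector
        $newId  = ($after.KeyProtector | Where-Object {
                     $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }).KeyProtectorId
        # AD DS escrow; Entra ID-joined devices use BackupToAAD-BitLockerKeyProtector instead.
        Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $newId
        foreach ($id in $oldIds) { Remove-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $id }
    }
}

# Step 5: hash the full BCD store as a baseline (compare on later runs to catch edits)
# and pull recent warning/error entries from the BitLocker management log.
$bcd = bcdedit /enum all | Out-String
$stream = [IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes($bcd))
$report.BcdSha256 = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
$report.RecentBitLockerEvents = (Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Level -le 3 | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" }) -join '; '

[pscustomobject]$report | Format-List
```

Store each run's BcdSha256 centrally; a changed hash on a device that received no planned boot-configuration change is the "strange BCD entry" signal step 5 asks for.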

BitLocker’s Ongoing Cat-and-Mouse Game

YellowKey is far from the first BitLocker bypass. Over the years, researchers have exposed vulnerabilities ranging from DMA attacks over Thunderbolt (Thunderspy) to TPM sniffing with cheap hardware. Microsoft has continuously hardened the boot process with technologies like Secure Boot, Virtual Secure Mode, and System Guard Secure Launch. However, WinRE remains a powerful recovery mechanism that, by necessity, must be capable of accessing the encrypted disk. The conflict between usability and security is inherent, and each new bypass forces a new mitigation.

In late 2024, Microsoft introduced stricter controls over how WinRE images are signed and loaded, but YellowKey apparently found a gap in that implementation. The June 2026 patch likely tightens the integrity checks that WinRE performs before granting access to cryptographic material, perhaps limiting the scope of recovery tools or enforcing a mandatory TPM-based authentication even during recovery sessions.

The Broader Security Patch Bundle

June 2026 Patch Tuesday addresses more than just the Chaotic Eclipse zero-days. As always, the update package includes fixes for critical remote code execution flaws in networking components, elevation-of-privilege bugs in the Windows kernel, and defense-in-depth improvements for the Microsoft Edge browser. IT administrators should consult the official Microsoft Security Response Center (MSRC) guide for the complete list, but the BitLocker bypasses are the headline because of their physical-access attack vector and the risk they pose for compliance with data protection regulations like GDPR, HIPAA, and PCI-DSS.

Community Reactions and Real-World Impact

Although the original discussion thread on WindowsForum was quiet at the time of this writing, the security community rapidly echoed the seriousness of the disclosure. Early adopters of the patches on Reddit and TechCommunity reported a smooth update experience with no notable operational hitches, although some enterprise users flagged the need to redeploy recovery environment images across their System Center Configuration Manager (SCCM) or Microsoft Intune environments to ensure the patched WinRE version was in use.

One concern that surfaced involves systems where WinRE has been deliberately removed or corrupted—a scenario some IT teams resorted to after previous WinRE security scares. Those devices may miss part of the patch because the recovery image is absent. Microsoft’s guidance is to re-enable WinRE, apply the update, and then optionally disable it again if it is not needed, rather than leaving the system in an unprotected state with the vulnerable code still present elsewhere.

Looking Ahead

Physical access attacks are often dismissed as “game over” scenarios, but the reality is that encryption matters most when a device falls into unknown hands. YellowKey’s public disclosure narrows the window for organizations to protect their mobile workforce. With the patch in hand, the immediate focus should shift to verifying that the update is fully deployed, especially on executive laptops and machines handling regulated data.

Microsoft has not indicated whether these vulnerabilities are being exploited in the wild, but the combination of public awareness and straightforward exploitability makes manual attacks highly likely. Incident response teams should update their playbooks to include inspection of BitLocker key recovery events and boot configuration anomalies. As Chaotic Eclipse’s research shows, the line between a locked device and an open book can be thinner than most assume.