Microsoft Fixes BitLocker Zero-Day That Exposes Encrypted Drives to Physical Attacks
Microsoft has patched a publicly disclosed BitLocker vulnerability that can allow an unauthorized attacker with physical access to bypass disk-encryption protections and access encrypted data on an affected Windows device.
Tracked as CVE-2026-50661, the flaw affects supported Windows 10, Windows 11, and Windows Server releases. Microsoft fixed it through the July 14, 2026 Windows security updates.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The official Microsoft security advisory rates the vulnerability as Important and gives it a CVSS 3.1 score of 6.1. Microsoft knew of its public disclosure but had not detected exploitation in real-world attacks.
What Is CVE-2026-50661?
CVE-2026-50661 results from a protection mechanism failure in Windows BitLocker. BitLocker normally encrypts a drive so that someone who steals or removes it cannot read its contents without the required authentication material.
An attacker can exploit this vulnerability to bypass the BitLocker Device Encryption feature on the system storage device. A successful attack can expose encrypted information and allow unauthorized modification of protected data.
The vulnerability does not provide a remote attack path. An attacker needs hands-on access to the computer or storage hardware.
| CVE detail | Information |
|---|---|
| CVE | CVE-2026-50661 |
| Affected feature | Windows BitLocker |
| Vulnerability type | Security feature bypass |
| Weakness | CWE-693, Protection Mechanism Failure |
| Severity | Important |
| CVSS score | 6.1 |
| Attack vector | Physical |
| Privileges required | None |
| User interaction | None |
| Active exploitation | Not observed |
Physical Access Is Required
The vulnerability uses a physical attack vector. A threat actor cannot exploit it over the internet simply by sending network traffic, an email, or a malicious document.
The scenario becomes relevant when someone steals a laptop, obtains decommissioned hardware, accesses an unattended workstation, or reaches a server during an on-site intrusion.
The National Vulnerability Database entry records low attack complexity, no required privileges, and no user interaction. The attacker still needs direct physical access to the target.
- The attack cannot be launched remotely.
- The attacker does not need an existing Windows account.
- No administrator privileges are required before exploitation.
- The victim does not need to open a file or approve a prompt.
- The attacker must physically interact with the affected device or storage.
Successful Exploitation Can Expose Encrypted Data
Microsoft’s CVSS assessment gives the vulnerability High impact ratings for confidentiality and integrity. This means exploitation can expose protected information and potentially allow changes to data.
The availability impact is rated None. The primary concern involves defeating data-at-rest protection rather than crashing Windows or making the device unavailable.
A CrowdStrike analysis of the July updates says a successful attacker can bypass BitLocker Device Encryption and gain access to encrypted information on the system storage device.
| Security property | CVSS impact | Meaning |
|---|---|---|
| Confidentiality | High | Protected information may become accessible |
| Integrity | High | An attacker may modify protected data |
| Availability | None | The flaw does not directly disrupt access to the system |
Microsoft Has Not Published Technical Exploit Details
Microsoft has not described the exact boot, recovery, or key-management weakness involved. The limited disclosure reduces the information available to attackers while organizations install the security updates.
Reports have suggested that CVE-2026-50661 may address a publicly discussed BitLocker technique called GreatXML. Microsoft has not confirmed this connection, so it should not be presented as established attribution.
The vulnerability also remains separate from earlier BitLocker issues such as YellowKey. Similar physical-access requirements do not prove that the vulnerabilities use the same technique or affect the same security configuration.
Which Windows Versions Are Affected?
Microsoft lists four Windows 10 branches, three Windows 11 releases, and several Windows Server versions. Server Core installations of Windows Server 2016, 2019, and 2025 also appear in the affected-product data.
Windows 11 version 23H2 does not appear in Microsoft’s CVE affected-product list. Administrators should use the Security Update Guide for CVE-specific exposure rather than assuming every Windows release needs the same fix.
The July updates raise affected systems to the following protected builds:
| Windows version | July update | Protected build |
|---|---|---|
| Windows 10 version 1607 | KB5099535 | 14393.9339 |
| Windows Server 2016 | KB5099535 | 14393.9339 |
| Windows 10 version 1809 | KB5099538 | 17763.9020 |
| Windows Server 2019 | KB5099538 | 17763.9020 |
| Windows 10 version 21H2 | KB5099539 | 19044.7548 |
| Windows 10 version 22H2 | KB5099539 | 19045.7548 |
| Windows 11 version 24H2 | KB5101650 | 26100.8875 |
| Windows 11 version 25H2 | KB5101650 | 26200.8875 |
| Windows 11 version 26H1 | KB5101649 | 28000.2525 |
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 | KB5099536 | 26100.33158 |
Public Disclosure Made It a Zero-Day
Security researchers commonly use the term zero-day when vulnerability information becomes public before customers have an available fix. CVE-2026-50661 met that condition when Microsoft released the July updates.
Microsoft assessed exploitation as Less Likely. The physical-access requirement reduces the number of practical attack scenarios compared with a remotely exploitable vulnerability.
However, lower exploitability does not mean low impact for every organization. Businesses that manage laptops, portable workstations, branch-office servers, or equipment in shared facilities should treat physical theft and unauthorized access as realistic risks.
No Active Exploitation Has Been Reported
Microsoft did not report attacks exploiting CVE-2026-50661 when it published the July security update. CISA’s vulnerability assessment also recorded no known exploitation at that time.
The flaw does not appear in CISA’s Known Exploited Vulnerabilities catalog. This distinguishes it from other July 2026 zero-days that Microsoft confirmed attackers were already using.
The July Patch Tuesday review similarly describes CVE-2026-50661 as publicly disclosed but not exploited in the wild.
How to Protect BitLocker Devices
Organizations should install the July 2026 cumulative update or a later security update on every affected Windows device. Updating the operating system is the direct fix for CVE-2026-50661.
After installation, administrators should confirm the new OS build and verify that BitLocker remains enabled on the operating system drive. They should also check that recovery keys remain available through an approved and protected recovery process.
Additional controls can reduce the wider risk from stolen or physically accessed devices. However, Microsoft has not stated that any single configuration change fully mitigates this specific vulnerability on an unpatched system.
- Install the July 2026 Windows security update or a later cumulative update.
- Verify the operating system build after the required restart.
- Confirm that BitLocker protection remains active.
- Store recovery keys in an approved and access-controlled location.
- Require pre-boot authentication where the organization’s risk model supports it.
- Keep Secure Boot and TPM-backed protections enabled.
- Restrict access to firmware settings and external boot options.
- Track laptops and other portable devices through asset-management systems.
- Investigate lost equipment promptly and revoke associated account sessions.
Administrators Should Review Unsupported Windows Systems
Several affected Windows 10 releases receive updates only through specific servicing or Extended Security Updates channels. An affected computer that no longer qualifies for security updates may remain exposed.
Administrators should identify unsupported Windows installations and either enroll eligible devices in the appropriate update program or migrate them to a supported release.
The CVE-2026-50661 vulnerability record provides the affected build ranges. The Microsoft Security Update Guide provides platform-specific downloads and servicing information.
FAQ
CVE-2026-50661 is a Windows BitLocker security feature bypass. An unauthorized attacker with physical access may exploit it to access encrypted data on an affected system storage device.
No. Microsoft assigns the vulnerability a physical attack vector. The attacker needs hands-on access to the affected computer or its storage hardware.
Microsoft had not observed active exploitation when it released the July 2026 security updates. The company classified exploitation as Less Likely.
Microsoft fixed CVE-2026-50661 in the July 14, 2026 Windows cumulative updates. The required KB and protected build depend on the installed Windows version.
Windows 11 version 23H2 does not appear in Microsoft’s affected-product list for CVE-2026-50661. Windows 11 versions 24H2, 25H2, and 26H1 are listed.
Microsoft has not published enough technical information to confirm that one BitLocker configuration fully blocks the flaw. Organizations should install the security update instead of relying only on configuration changes.
Some security reports have suggested a connection, but Microsoft has not confirmed that CVE-2026-50661 fixes GreatXML.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages