CVE-2026-45658: Windows BitLocker Access Control Bypass Vulnerability
A flaw in Windows BitLocker's access controls allows someone with local system access to circumvent the encryption security feature. An authorized user—such as an administrator or service account—can exploit this weakness to bypass BitLocker protections without requiring additional authentication or user interaction. This is a local-only attack and does not grant network-based access, but it significantly weakens the confidentiality and integrity guarantees that BitLocker is meant to provide.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper access control in Windows BitLocker allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45658 is an improper access control vulnerability (CWE-284) in Windows BitLocker affecting Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025. The vulnerability allows an authenticated local attacker with user-level or administrative privileges to bypass BitLocker security controls without elevated permissions or user interaction. The attack surface is local only; network exploitation is not possible. The CVSS 3.1 score of 7.8 (HIGH) reflects high impact to confidentiality, integrity, and availability through local attack vectors with low complexity and no special conditions required.
Business impact
Organizations relying on BitLocker for data-at-rest protection face a material degradation of disk encryption effectiveness if an insider or compromised local account exploits this flaw. For enterprises managing sensitive data on laptops, desktops, and servers, this vulnerability creates a path for unauthorized decryption or modification of protected volumes. Regulated industries (finance, healthcare, government) storing classified or personally identifiable information may face compliance violations if this exposure is not remediated promptly. The risk is highest in environments where local access controls are not strictly enforced or where multiple users share administrative privileges.
Affected systems
The vulnerability spans a broad range of Windows editions: Windows 10 (build 1607 through 22H2), Windows 11 (build 23H2 through 26H1), Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations should assume that any BitLocker-protected system running these versions is vulnerable until patches are applied. Windows 7 and earlier versions do not appear on the affected list. Verify exact build numbers in your estate to identify specific machines requiring updates.
Exploitability
Exploitation requires local system access and valid user credentials; remote exploitation is not feasible. An authenticated user with standard or administrative privileges can trigger the bypass without special tools or public exploits. The low complexity and lack of required user interaction (no social engineering or prompts) mean that once an attacker gains local access—through credential compromise, supply-chain insertion, or insider threat—BitLocker provides minimal additional protection. This is not currently tracked as actively exploited in the wild (KEV status is false as of publication), but the straightforward attack path makes it an attractive target for threat actors with local persistence.
Remediation
Apply security updates from Microsoft covering CVE-2026-45658 for all affected Windows versions and editions. Patches are available through Windows Update and WSUS. Organizations should prioritize systems holding sensitive data and those with high user turnover or shared administrative access. Concurrently, enforce strong local access controls: require strong passwords, enable Windows Defender credential guard where applicable, restrict administrative privilege escalation, and monitor for unusual BitLocker key recovery attempts. Verify BitLocker recovery keys are stored securely and access-logged.
Patch guidance
Obtain and deploy Microsoft's security update for this CVE through your standard patching mechanism (Windows Update, WSUS, or manual download from Microsoft Update Catalog). Specific patch version numbers should be verified against the official Microsoft advisory and your organization's compatibility matrix before deployment. Test patches in a non-production environment first, particularly on servers and mission-critical machines, to ensure no compatibility issues with line-of-business applications or existing BitLocker configurations. After patching, confirm BitLocker functionality remains intact and recovery keys remain accessible.
Detection guidance
Monitor Event Viewer logs for unusual BitLocker activity, including failed or successful unlock attempts, key recovery operations, and suspend/resume events from unexpected accounts. Use Windows Defender for Endpoint or third-party EDR solutions to detect suspicious access to BitLocker management interfaces or cryptographic APIs. Deploy File Integrity Monitoring (FIM) on system files related to BitLocker to catch unauthorized modifications. Log and alert on privilege escalation attempts preceding BitLocker access. Conduct periodic BitLocker status audits to identify unexpected volume unlocks or key changes.
Why prioritize this
This vulnerability merits immediate attention because it directly compromises a foundational security control (full-disk encryption) that many organizations rely upon for compliance and data protection. The broad affected footprint—spanning 15+ Windows versions—and the low attack complexity create significant organizational risk. While not yet widely exploited, the straightforward local attack path and high impact mean that once patches are available, remediation should be prioritized alongside other critical access-control flaws. Organizations handling regulated data should treat this as a high-priority patch cycle.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L) limiting to authenticated users with system access; low attack complexity (AC:L) requiring only standard privileges and no special conditions; low privileges required (PR:L) meaning standard users can exploit; no user interaction required (UI:N); impact limited to the affected system (S:U); but high impact across confidentiality (C:H—encrypted data becomes readable), integrity (I:H—encrypted data can be modified), and availability (A:H—BitLocker service can be compromised). The score appropriately captures the severity within a local-access threat model, though business impact depends heavily on how BitLocker is deployed and what data it protects in your environment.
Frequently asked questions
Can an attacker exploit this vulnerability remotely over the network?
No. The vulnerability requires local system access and valid user credentials. Remote exploitation is not possible. Risk is limited to insider threats, compromised local accounts, or physical access scenarios where an attacker has already obtained login credentials.
Will my BitLocker-encrypted data be immediately compromised if I don't patch?
Not automatically. The vulnerability allows an authenticated local user to bypass BitLocker controls, but exploitation still requires someone with valid credentials and local access to attempt it. Enforce strong access controls, limit administrative privileges, and monitor for suspicious activity while you plan patching. Additionally, ensure BitLocker recovery keys are stored securely and access to them is logged.
Which Windows versions are affected, and which are safe?
Affected versions include Windows 10 (1607–22H2), Windows 11 (23H2–26H1), and Windows Server 2012–2025. If you are running Windows 7, Windows 8.x, or do not use BitLocker, your direct risk is lower. However, verify your exact build number against Microsoft's advisory because within-version updates may change status. Consult your vendor documentation for the most current patch status.
What should I do while waiting for patches to deploy?
Implement compensating controls: enforce strong local access policies, disable unnecessary local accounts, enable credential guard and UAC enforcement, restrict administrative privileges, and monitor BitLocker operations through event logging and EDR. Prioritize patching systems that store the most sensitive data. Once patches are available, test in a pre-production environment and then systematically deploy across your estate.
This analysis is provided for informational purposes and reflects information available as of the publication date. CVSS scores, patch status, and vendor advisories are subject to change. Organizations should independently verify all patch versions, compatibility matrices, and deployment procedures against official Microsoft documentation before applying updates. SEC.co does not warrant the accuracy or completeness of this advisory and disclaims liability for damages resulting from reliance on this analysis. Consult your security team and vendor advisories for definitive remediation guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-41092HIGHMicrosoft Kinect Local Privilege Escalation Vulnerability
- CVE-2026-42829HIGHWindows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
- CVE-2026-45649HIGHOffice for Android Access Control Flaw Enables Document Spoofing
- CVE-2026-45654HIGHWindows Secure Boot Access Control Bypass – CVSS 7.9 HIGH
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity