CVE-2026-41091 in Microsoft Windows BitLocker: Confirmed Exploitation (KEV)

📅 May 21, 2026 🔴 Exploit Risk: 0.200 📊 Intelligence Score: 51/100 📰 6 sources synthesized

TL;DR — Read this first

A security feature bypass vulnerability exists in the Microsoft Windows BitLocker feature.
CONFIRMED exploitation in the wild. CISA added CVE-2026-41091 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-05-20.
Immediate action required. Microsoft has released mitigation guidance. A full patch is not yet available.

Intelligence Metadata

First Reported Bymsrc.microsoft.com

Outbreak Velocity1625 minutes spread to 5 unique domains

Consensus6 articles across 3 unique domains

CVSS ScoreNot available

EPSS ScoreNot available

CISA KEV StatusConfirmed

Exploit Risk Score0.2000

Race LabelZERO-DAY RACE

Technical Analysis

CVE-2026-41091 is a security feature bypass vulnerability in Microsoft Windows BitLocker. While specific technical details for this CVE are not public, intelligence suggests it is related to CVE-2026-45585, which is also a BitLocker bypass vulnerability reportedly exploited by a threat actor dubbed 'YellowKey'. The attack vector for this class of vulnerability typically requires an attacker to have physical access to the target device. The exploit likely targets a flaw in the boot process or recovery mechanism, allowing the attacker to circumvent the BitLocker encryption and gain access to the protected data on the drive. The issuance of mitigation guidance instead of a direct patch indicates a complex vulnerability that may require manual configuration changes to secure affected systems. The CONFIRMED exploitation status via the CISA KEV catalog validates the threat as active and not theoretical.

Affected Systems

Vendor: Microsoft

Affected Versions:

Windows (BitLocker feature)

Exposure: Requires physical access to the target device.

Blast Radius: High for portable enterprise assets such as laptops where physical access is a credible threat. Low for systems in physically secure locations like data centers.

Intelligence Context

The primary driver for immediate action is the CONFIRMED exploitation status of CVE-2026-41091, evidenced by its addition to the CISA KEV catalog. This overrides the lack of a public CVSS or EPSS score. The 'ZERO-DAY RACE' label accurately reflects the situation: an active threat is being exploited while defenders must rely on vendor-supplied mitigations in the absence of a formal patch. Reporting from BleepingComputer and TheHackerNews on the related 'YellowKey' exploit (CVE-2026-45585) provides crucial context, indicating this is part of a targeted campaign. The low vendor risk score of 2.0 likely reflects the physical access prerequisite, but this should not be misinterpreted as low risk for organizations with a mobile workforce or high-value portable assets.

Remediation & Defense

Apply mitigations immediately. Prioritize all portable endpoints (laptops) and systems used by executives or privileged users. The physical access requirement makes these assets the primary targets.

Patch Status: Not available

Patch Version: Not applicable. Mitigation guidance has been issued.

Workarounds:

Review and apply the official mitigation guidance from Microsoft's Security Response Center (MSRC) immediately.

Detection Hints:

Monitor for anomalous BitLocker recovery key requests or status changes.
Audit physical access logs for sensitive devices.
Investigate unexpected system reboots on endpoints with BitLocker enabled.

Source Timeline

msrc.microsoft.com — First reporter
bleepingcomputer.com — Corroborating report
thehackernews.com — Corroborating report
cisa.gov/kev — Official exploitation confirmation

CVE-2026-41091 Microsoft Windows BitLocker Security Feature Bypass KEV Zero-Day