N2CON TECHNOLOGY

A Rough Patch for Patches

Between a BitLocker bypass, an actively exploited Chrome flaw, and Microsoft's messy disclosure process, the usual 'just patch it' advice is not enough anymore. Here is what actually matters.

Ed Brownlee CTO | N2CON

Two things happened in the same week that should get your attention if you are responsible for keeping systems safe. Microsoft patched a BitLocker bypass called YellowKey (CVE-2026-45585) that lets someone with physical access to a machine wipe out the encryption protection most people assume is solid. And Google emergency-patched Chrome (CVE-2026-11645) after confirming attackers were already exploiting it in the wild — a V8 engine bug with a CVSS of 8.8 that can run arbitrary code from a web page.

Neither of these is theoretical. One requires physical access, which limits the blast radius. The other requires visiting a web page, which does not.

The BitLocker Problem

YellowKey abuses the Windows Recovery Environment (WinRE). A crafted file on a USB drive or the EFI partition, a reboot into recovery, and the encryption that was supposed to protect data at rest gets sidestepped. The vulnerability affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. Microsoft shipped the fix in the June 9 Patch Tuesday after releasing mitigation guidance on May 20 — move to TPM+PIN instead of TPM-only if you had not already. The reason that mitigation works is simple: with TPM-only, the drive unlocks automatically at boot, so anyone who can power the machine on gets the unsealed volume; with TPM+PIN, the key is not released until someone types the PIN pre-boot, so physical access alone is not enough.

The disclosure process around this one was messy. The researcher, Nightmare Eclipse, said they went public as a protest against how Microsoft handles reports. Microsoft’s MSRC posted a blog calling the releases “never justifiable” and initially suggested legal action before walking that back after backlash. There were also complaints from other researchers about Microsoft silently fixing bugs without credit and rejecting severity assessments on Azure issues without issuing CVEs. The pattern is not great: process opacity, delayed or disputed severity calls, and language that treats good-faith disclosure like misconduct.

The Chrome Problem Is Worse

CVE-2026-11645 is the one that should worry you more. It is an out-of-bounds read and write in V8, Chrome’s JavaScript engine. An attacker can get arbitrary code execution inside the browser sandbox from a crafted web page. Google confirmed active exploitation. CISA added it to the Known Exploited Vulnerabilities catalog on June 9 with a remediation deadline of June 23.

The patch landed June 8 as an emergency update to Chrome 149.0.7827.102/.103. If your browser auto-updates, you are probably fine. But “probably” is doing a lot of work in that sentence, and that is kind of the point.

Why This Matters More Now

Here is the bigger picture. These vulnerabilities are not unusual anymore — they are the new normal. What makes them different in 2026 is velocity. AI tools can analyze disclosed vulnerabilities, write exploits, and scale attacks faster than most organizations can inventory what they own, let alone patch it.

If you cannot answer the question “which of my systems are vulnerable to this specific CVE right now” within hours of a disclosure, you are behind. Not because you are bad at your job, but because the speed gap between disclosure and exploitation has collapsed. You need three things: accurate inventory, automated patch visibility, and a plan that assumes the next zero-day drops tomorrow morning. That plan does not need to be complicated. It needs to exist.
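As an added example (not the article's or N2CON's own tooling), here is a small Python exposure check that turns the two disclosures above into the question this section asks: which hosts are affected right now. The affected Windows releases, the fixed Chrome build and the TPM+PIN mitigation come from the article; the inventory records, the `june_2026_cu_installed` field and the protector names (`Tpm`, `TpmPin`, `RecoveryPassword`) are constructed assumptions standing in for whatever your asset system actually exports.

```python
"""Exposure check for CVE-2026-45585 (YellowKey) and CVE-2026-11645 (Chrome V8).

Added illustration, not production code. Inventory records below are
constructed sample data; the field names are assumptions about what an
asset inventory might provide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Facts as summarised in the article.
CHROME_FIXED: Tuple[int, ...] = (149, 0, 7827, 102)   # emergency release .102/.103
YELLOWKEY_WINDOWS = {"11 24H2", "11 25H2", "11 26H1", "Server 2025"}


@dataclass
class Host:
    name: str
    windows_release: Optional[str]      # e.g. "11 24H2"; None for non-Windows hosts
    june_2026_cu_installed: bool        # assumed field: June 9 Patch Tuesday update applied
    bitlocker_protectors: List[str]     # e.g. ["Tpm"], ["TpmPin"]; [] if not encrypted
    chrome_version: Optional[str]       # e.g. "149.0.7827.95"; None if Chrome absent


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into an int tuple so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def chrome_exposed(host: Host) -> bool:
    """CVE-2026-11645: any Chrome build older than the emergency release."""
    if host.chrome_version is None:
        return False
    return parse_version(host.chrome_version) < CHROME_FIXED


def yellowkey_exposed(host: Host) -> bool:
    """CVE-2026-45585: affected release, fix not installed, and the volume still
    unlocks on TPM alone (the interim mitigation was TPM+PIN)."""
    if host.windows_release not in YELLOWKEY_WINDOWS:
        return False
    if host.june_2026_cu_installed:
        return False
    protectors = host.bitlocker_protectors
    # A recovery password alongside "Tpm" does not change the auto-unlock path.
    return "Tpm" in protectors and "TpmPin" not in protectors


def exposure_report(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map each CVE to the hostnames that need action today."""
    report: Dict[str, List[str]] = {"CVE-2026-11645": [], "CVE-2026-45585": []}
    for host in hosts:
        if chrome_exposed(host):
            report["CVE-2026-11645"].append(host.name)
        if yellowkey_exposed(host):
            report["CVE-2026-45585"].append(host.name)
    return report


# Constructed inventory: sample hosts, not real machines.
INVENTORY = [
    Host("WKS-01", "11 24H2", False, ["Tpm", "RecoveryPassword"], "149.0.7827.95"),
    Host("WKS-02", "11 25H2", False, ["TpmPin", "RecoveryPassword"], "149.0.7827.103"),
    Host("SRV-01", "Server 2025", True, ["Tpm"], None),
    Host("WKS-03", "10 22H2", False, ["Tpm"], "148.0.7700.1"),
    Host("MAC-01", None, False, [], "149.0.7827.102"),
]

if __name__ == "__main__":
    for cve, names in exposure_report(INVENTORY).items():
        print(f"{cve}: {', '.join(names) if names else 'no exposed hosts'}")
```

The version tuple comparison matters more than it looks: a string comparison would rank "149.0.7827.95" above "149.0.7827.102". The YellowKey rule deliberately reports nothing for an unencrypted host, because there is no BitLocker protection to bypass there; that host has a different problem that belongs on a different list.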


Sources: BleepingComputer, The Hacker News, Google Chrome Releases, CISA KEV Catalog, Microsoft MSRC Blog, Krebs on Security.