Tech Logic / Digital Ecosystem

Researcher Publicly Discloses Windows BitLocker Zero-Day Bypass YellowKey and Simultaneously Reveals GreenPlasma Privilege-Escalation Vulnerability

In May 2026, multiple outlets reported on two Windows zero-days publicly disclosed by researchers: YellowKey, described as a BitLocker bypass flaw, and GreenPlasma, which is related to Windows privilege escalation. Three sources consistently confirmed these names and their connection to the Microsoft Windows ecosystem, but they differed or could not fully agree on GreenPlasma’s technical nature, the form of the disclosed exploit material, and whether it had already been used in attacks.

TSO brief

  • In May 2026, multiple outlets reported on two Windows zero-days publicly disclosed by researchers: YellowKey, described as a BitLocker bypass flaw, and GreenPlasma, which is related to Windows privilege escalation. Three sources consistently confirmed these names and their connection to the Microsoft Windows ecosystem, but they differed or could not fully agree on GreenPlasma’s technical nature, the form of the disclosed exploit material, and whether it had already been used in attacks.
  • Tech Logic · Digital Ecosystem
  • May 14, 2026
TSO noteEach article is checked against independent reporting. The original source links are listed with the analysis so readers can inspect the evidence directly.

Source transparency

Original reporting sources

  1. USB stick opens Windows BitLocker drives in new zero-day - iTnewswww.itnews.com.au
  2. Mystery Microsoft bug leaker keeps the zero-days coming - The Registerwww.theregister.com
  3. Microsoft Windows Alert—Angry Hacker Drops 2 New Zero-Day Exploits - Yahoo News Singaporesg.news.yahoo.com

Top-line three-source view and TSO verification conclusion:

  • Source 1 (iTnews) confirms that the researcher named the vulnerability YellowKey; that it can affect Windows 11, Windows Server 2022, and 2025; and that physical access to the computer is required. Source 1 also says the researcher simultaneously disclosed partial details of a Windows 11 and Windows Server 2022/2025 privilege-escalation vulnerability called GreenPlasma.

  • Source 2 (The Register) confirms that YellowKey can be mitigated by setting a BitLocker PIN and a BIOS password lock; it also says the researcher released partial exploit code for GreenPlasma, rather than a full PoC.

  • Source 3 (Yahoo News Singapore) confirms that the two zero-days are named YellowKey and GreenPlasma; that YellowKey is a Windows BitLocker encryption bypass; that GreenPlasma is related to arbitrary section creation privilege escalation in Windows CTFMON; and that both were reportedly used in active attacks within 24 hours after proof-of-exploit code was made public.

TSO verification conclusion:

  • T (Topline, shared core fact): All three sources agree that the researcher publicly disclosed two Microsoft Windows-related zero-day/vulnerability revelations, named YellowKey and GreenPlasma.

  • S (Support, cross-supported details): YellowKey is related to a BitLocker bypass; GreenPlasma is related to privilege escalation; the requirement for physical access for YellowKey is explicitly mentioned only by Source 1.

  • O (Outstanding, inconsistent/needs verification): The technical description of GreenPlasma is not identical across the three sources; the form of the public disclosure is described variously as “partial details” or “partial exploit code”; and the claim that it was already used in attacks is mentioned only by Source 3 and cannot be confirmed by the other sources.

Shared confirmed facts:

  1. The researcher publicly disclosed two vulnerabilities/zero-days named YellowKey and GreenPlasma.

  2. YellowKey is related to Windows BitLocker.

  3. GreenPlasma is related to Windows privilege escalation.

  4. The reports were published in May 2026 and centered on Microsoft Windows zero-day disclosures.

Main points of disagreement or difference:

  1. The specific technical description of GreenPlasma differs:

    • Source 1: describes it as “partial details” of a privilege-escalation vulnerability affecting Windows 11 and Server 2022/2025.

    • Source 3: describes it as “Windows CTFMON arbitrary section creation elevation of privileges vulnerability.”

    • Source 2: only says that partial exploit code for GreenPlasma was disclosed.
      These descriptions cannot be fully unified using the provided sources.

  2. The form of the disclosed material differs:

    • Source 1: says “partial details.”

    • Source 2: says “partial exploit code, not a full PoC.”

    • Source 3: refers to “public proof-of-exploit code.”
      Whether this amounted to a complete PoC cannot be uniformly confirmed.

  3. Whether the vulnerabilities were already used in attacks:

    • Only Source 3 explicitly says the two were used in active attack campaigns within 24 hours of disclosure.

    • The other two sources do not mention this, so it cannot be confirmed from the provided sources.

  4. Mitigation measures:

    • Only Source 2 mentions that YellowKey may be mitigated by a BitLocker PIN and a BIOS password lock.

    • The other sources do not mention this.

Background and analysis:
From the three-source picture, this is a public disclosure event centered on Windows security mechanisms. The main focus is YellowKey’s ability to bypass the BitLocker protection chain and the privilege-escalation risk associated with GreenPlasma. Source 1 emphasizes YellowKey’s impact scope across Windows 11 and Windows Server versions and notes the need for physical access. Source 2 brings the discussion back to defense practices by noting that a BitLocker PIN and BIOS password lock may help mitigate the issue. Source 3 escalates the risk narrative by saying the vulnerabilities were already used in active attacks, but that claim is supported by only one source and should therefore remain unconfirmed.

Based on cross-source verification, the safest conclusion is that the public disclosure of YellowKey and GreenPlasma has been confirmed by multiple outlets; however, the technical details of GreenPlasma, the maturity of the disclosed exploit material, and real-world attack usage still show inconsistencies or single-source support. In external reporting, it is best to clearly distinguish between “confirmed facts” and “claims from a single source” so that unverified information is not presented as definitive.

Three-source summary:

  • Source 1 (iTnews): emphasizes YellowKey’s affected targets, the physical-access requirement, and the simultaneous disclosure of GreenPlasma.

  • Source 2 (The Register): emphasizes mitigation for YellowKey and says GreenPlasma was only partial exploit code.

  • Source 3 (Yahoo News Singapore): emphasizes that both zero-days had entered active attack scenarios and provides a more specific technical description of GreenPlasma.

Conclusion:
Taken together, the provided sources confirm that the researcher publicly disclosed two Windows-related vulnerabilities, YellowKey and GreenPlasma. However, beyond the names, basic associations, and some mitigation information, the precise technical details of GreenPlasma, the nature of the disclosed material, and whether the vulnerabilities have been widely exploited should still be described as unconfirmed or as statements not corroborated by the other sources.

Information sources:

Tech Logic