CVE-2026-45658: Windows BitLocker Security Feature Bypass Vulnerability
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132 (Windows Server 2012 build; the fix build for every listed product is under Fix available)
- Affected Products: 20
HarborGuard Analysis
Synopsis
A protection mechanism failure in Windows BitLocker allows an attacker with physical access to a device to bypass drive encryption and reach the data it protects. Per the published CVSS v3.1 vector (AV:L/PR:L/UI:N), exploitation is local, needs only a low-privilege account, and needs no interaction from any other user. Successful exploitation gives the attacker full read, write, and control over the data BitLocker was protecting (C:H/I:H/A:H). Patched-image rebuilds at the listed fix versions are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection for CVE-2026-45658 is available in every HarborGuard environment: the CVE is matched against customer images, including custom-built Windows-based container images, within minutes of its publication in upstream feeds. Any image whose OS layer falls within an affected Windows 10, Windows 11, or Windows Server version range (see Fix available) is flagged automatically.
HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector, and per-environment compliance policy weighting is applied to adjust routing priority. Triage alerts are directed to the appropriate team inbox within each customer organization based on their configured policy rules.
Patched-image rebuilds at fix versions 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, and 10.0.19044.7417 (among others; see Fix available) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs local access to the device (the advisory describes a physical attack); no network path to any service is required. Note that the published vector rates this AV:L rather than AV:P, so treat any device an attacker can physically reach as in scope.
- Authentication: Required (low privilege)
Any low-privilege local account is sufficient (PR:L); no administrator or elevated credentials are needed.
- Victim interaction: Not required
No action from any other user or victim is required to trigger the vulnerability (UI:N).
- Attack complexity: Low
Rated AC:L: no race conditions or special environmental preconditions are required.
Blast Radius
- Reads data from BitLocker-encrypted volumes that would otherwise be inaccessible without the encryption key.
- Writes to or modifies files on the encrypted volume, tampering with data or injecting malicious content.
- Gains full control over the contents of the protected drive, including credentials, configuration files, and stored secrets.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45658 activates as soon as the advisory enters upstream feeds, and any customer image layer in the affected Windows version range is flagged within minutes. For environments running an affected Windows version, patched rebuilds at the published fix versions are available. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Customers without auto-remediation can review flagged images in the HarborGuard dashboard and apply the appropriate fix version manually. Because this vulnerability requires physical access to the device, container workloads running on fully cloud-hosted infrastructure with no physical access exposure carry a lower practical risk, but patching is still recommended to keep OS layers current and compliant.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
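As an added example (not HarborGuard's own tooling and not code from the advisory), the Python checker below applies the Fix available table above to a host's reported build. It exists to make one caveat in that table concrete: Windows 11 Version 24H2 and Windows Server 2025 share build 10.0.26100 but have different fix builds (.8655 versus .32995), so a scanner that keys on the build number alone will mislabel Server 2025 hosts. The version string and the client/server flag are inputs the caller supplies; on a live host they would normally come from the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` values `CurrentMajorVersionNumber`, `CurrentMinorVersionNumber`, `CurrentBuildNumber`, `UBR` and `InstallationType`. The sample versions at the bottom are constructed, not observed hosts.

```python
"""Added example (not HarborGuard's own code): apply the CVE-2026-45658
fix table from the advisory above to a host's reported Windows build.

Inputs are the caller's responsibility; on a live host they would come from
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion (CurrentMajorVersionNumber,
CurrentMinorVersionNumber, CurrentBuildNumber, UBR and InstallationType).
The sample versions under __main__ are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# One row per build line, taken from the advisory's Fix available table.
# Server Core entries share their parent's range and are folded in.
# "server" disambiguates client and Server SKUs that share a build number:
# Windows 11 24H2 and Windows Server 2025 are both 10.0.26100 but have
# different fix builds, so the build alone does not identify the product.
FIX_TABLE: List[Dict] = [
    {"product": "Windows 10 Version 1607", "prefix": "10.0.14393", "fixed_ubr": 9234,  "server": False},
    {"product": "Windows Server 2016",     "prefix": "10.0.14393", "fixed_ubr": 9234,  "server": True},
    {"product": "Windows 10 Version 1809", "prefix": "10.0.17763", "fixed_ubr": 8880,  "server": False},
    {"product": "Windows Server 2019",     "prefix": "10.0.17763", "fixed_ubr": 8880,  "server": True},
    {"product": "Windows 10 Version 21H2", "prefix": "10.0.19044", "fixed_ubr": 7417,  "server": False},
    {"product": "Windows 10 Version 22H2", "prefix": "10.0.19045", "fixed_ubr": 7417,  "server": False},
    {"product": "Windows 11 Version 23H2", "prefix": "10.0.22631", "fixed_ubr": 7219,  "server": False},
    {"product": "Windows 11 Version 24H2", "prefix": "10.0.26100", "fixed_ubr": 8655,  "server": False},
    {"product": "Windows Server 2025",     "prefix": "10.0.26100", "fixed_ubr": 32995, "server": True},
    {"product": "Windows 11 Version 25H2", "prefix": "10.0.26200", "fixed_ubr": 8655,  "server": False},
    {"product": "Windows 11 Version 26H1", "prefix": "10.0.28000", "fixed_ubr": 2269,  "server": False},
    {"product": "Windows Server 2012",     "prefix": "6.2.9200",   "fixed_ubr": 26132, "server": True},
    {"product": "Windows Server 2012 R2",  "prefix": "6.3.9600",   "fixed_ubr": 23228, "server": True},
    {"product": "Windows Server 2022",     "prefix": "10.0.20348", "fixed_ubr": 5256,  "server": True},
]


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.build.ubr' into four ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.ubr, got {version!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    return major, minor, build, ubr


def assess(version: str, server: bool) -> Dict[str, Optional[object]]:
    """Classify a build as affected, fixed, or not_listed.

    A build line the advisory does not enumerate is reported as not_listed,
    never as fixed: the scanner must not claim safety for products outside
    the published table.
    """
    major, minor, build, ubr = parse_build(version)
    prefix = f"{major}.{minor}.{build}"
    candidates = [row for row in FIX_TABLE if row["prefix"] == prefix]
    if len(candidates) > 1:
        # Shared build number: only the SKU flag can tell the products apart.
        candidates = [row for row in candidates if row["server"] == server]
    if not candidates:
        return {"product": None, "status": "not_listed", "affected": None, "fixed_in": None}
    row = candidates[0]
    affected = ubr < row["fixed_ubr"]
    return {
        "product": row["product"],
        "status": "affected" if affected else "fixed",
        "affected": affected,
        "fixed_in": f"{prefix}.{row['fixed_ubr']}",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    samples = [
        ("10.0.19045.7300", False),  # Windows 10 22H2 below the fix build
        ("10.0.19045.7417", False),  # exactly the fix build
        ("10.0.26100.9000", False),  # Windows 11 24H2: fixed (>= .8655)
        ("10.0.26100.9000", True),   # Windows Server 2025: still affected (< .32995)
        ("10.0.22000.3000", False),  # Windows 11 21H2: not in this advisory's table
    ]
    for ver, is_server in samples:
        r = assess(ver, is_server)
        print(f"{ver:18} server={is_server!s:5} -> {r['status']:10} "
              f"{r['product'] or '-'} fixed_in={r['fixed_in'] or '-'}")
```

The two 10.0.26100.9000 samples are the point: the same build string is fixed on a Windows 11 24H2 client and still affected on Windows Server 2025, which is why the SKU has to be part of the match key rather than an afterthought.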