The cybersecurity landscape shifted significantly on May 14, 2026, as a researcher known as Chaotic Eclipse (or Nightmare-Eclipse) executed what many are calling a “coordinated strike” against Microsoft’s security architecture. The public disclosure of two unpatched zero-day vulnerabilities—codenamed YellowKey and GreenPlasma—was not merely a technical release; it was a calculated act of defiance. By timing the drop to coincide with the immediate aftermath of Microsoft’s May Patch Tuesday, the researcher ensured that the vulnerabilities would remain unmitigated for at least another month, leaving enterprise defenders in a state of high alert. The centerpiece of this disclosure, the YellowKey BitLocker bypass, has sparked an intense debate over the long-term stability of the Windows codebase and the existence of “unintentional backdoors” within legacy recovery environments.
The Architecture of a “Backdoor”: Understanding YellowKey
The YellowKey BitLocker bypass is being described by its discoverer as more than just a bug; it is being framed as a structural failure that functions effectively as a backdoor. The vulnerability does not target the encryption algorithms themselves—AES-XTS 128 or 256 remain robust—but rather the Windows Recovery Environment (WinRE). This environment, which is a specialized version of Windows PE (Preinstallation Environment), is designed to help users troubleshoot boot failures. However, Chaotic Eclipse discovered that the WinRE image in Windows 11 and Windows Server 2022/2025 contains a “buried” logic flaw that can be triggered before the operating system’s security protectors are fully engaged.
At its core, the exploit leverages Transactional NTFS (TxF), a legacy feature introduced in the Windows Vista era. TxF was intended to allow file operations to be performed as atomic transactions, ensuring that if a process was interrupted, the file system could roll back to a consistent state. While Microsoft has long discouraged the use of TxF, labeling it as complex and prone to deprecation, the code remains deeply embedded in the kernel and recovery binaries. YellowKey exploits a cross-volume transaction replay vulnerability where WinRE, during its initialization phase, can be forced to replay a malicious transaction log from an external source—such as a USB drive or the EFI system partition.
The “FsTx” Manipulation: Technical Mechanics
The technical depth of the YellowKey exploit lies in how it manipulates the $TxfLog and the associated “FsTx” directory structure. According to technical reports and independent verification by researchers like Will Dormann, the exploit chain follows a deceptively simple path:
- Preparation: An attacker creates a specially crafted directory named FsTx within the System Volume Information folder on a USB drive.
- The Payload: This directory contains transaction logs designed to target specific configuration files within the WinRE environment’s X: drive (the RAM disk where WinRE resides).
- The Trigger: By rebooting the target system into WinRE (typically via Shift + Restart or by interrupting the boot sequence) and holding the CTRL key, the attacker triggers a specialized recovery routine.
- The Execution: During the initialization of the recovery agent, the system identifies the TxF logs on the attached media. The vulnerability allows these logs to “replay” operations against the WinRE environment. Specifically, the exploit is designed to delete or move the winpeshl.ini file.
The winpeshl.ini file is the configuration script that tells WinRE which application to launch—usually the graphical recovery menu. When this file is missing or neutralized, the WinRE environment defaults to its fallback behavior: spawning a system-level command prompt (cmd.exe). Crucially, because this happens after the Trusted Platform Module (TPM) has released the BitLocker keys to the recovery environment, the resulting shell has full, unencrypted access to the storage volume.
TPM+PIN: The Shield That Cracked?
One of the most controversial claims made by Chaotic Eclipse is that YellowKey bypasses even TPM + PIN configurations. Traditionally, security experts have recommended the use of a PIN as a second factor to prevent BitLocker from automatically unlocking the drive during boot. If the researcher’s claims hold true, it would mean that the vulnerability exists in a layer that operates after the pre-boot authentication phase but before the environment is fully secured.
While the publicly released proof-of-concept (PoC) primarily targets TPM-only configurations—the default for millions of consumer and corporate laptops—the researcher has alluded to a “separate path” for PIN-protected systems. “TPM+PIN does not help; the issue is still exploitable regardless,” the researcher stated in a recent GitHub update. This assertion has caused a rift in the digital forensics community, with some experts calling for a total re-evaluation of full-disk encryption (FDE) security boundaries in the modern era of “Internet Archaeology.”
GreenPlasma and the Threat of Chained Exploitation
While YellowKey provides the initial access, GreenPlasma represents the second half of the researcher’s “zero-day drop.” GreenPlasma is a local privilege escalation (LPE) vulnerability targeting the Windows Collaborative Translation Framework (CTFMON). This service, which handles text input and language processing, has been a source of security flaws for years (most notably the “CTFLoader” vulnerabilities discovered by Tavis Ormandy in 2019).
GreenPlasma allows an unprivileged user to create arbitrary memory-section objects within directory objects that are normally reserved for the SYSTEM account. While the released PoC for GreenPlasma is “incomplete” and requires manual modification to achieve a full shell, it provides the necessary primitive to manipulate privileged services or kernel-mode drivers. When chained together, an attacker could use YellowKey to gain access to a disk and GreenPlasma to ensure absolute persistence and control over the operating system once it is booted, bypassing the traditional security hierarchy of Windows.
The Ethos of Digital Rebellion: Why Chaotic Eclipse Went Public
The disclosure of YellowKey and GreenPlasma is not just a technical event; it is a symptom of a fracturing relationship between independent researchers and major tech corporations. Chaotic Eclipse’s history with the Microsoft Security Response Center (MSRC) is one of documented friction. Previous exploits released by the researcher, such as BlueHammer and RedSun, were reportedly met with dismissiveness or “silent patches” that didn’t credit the discoverer.
The researcher’s rhetoric is steeped in the folklore of the “old guard” hackers. By calling the BitLocker bypass an intentional “backdoor,” Chaotic Eclipse is tapping into long-standing suspicions regarding the security of proprietary software. “The component that is responsible for this bug is not present anywhere else,” the researcher claimed, noting that the specific logic path in WinRE that allows for the FsTx replay doesn’t exist in the standard Windows kernel. This disparity is what led to the “backdoor” branding—a claim that Microsoft has implicitly denied by pointing toward its commitment to “coordinated vulnerability disclosure.”
A History of Discontent: BlueHammer and RedSun
To understand the severity of the May 14 drop, one must look at the researcher’s previous work:
- BlueHammer (CVE-2026-33825): A privilege escalation vulnerability that abused the Windows Defender update process. It allowed attackers to use Volume Shadow Copies to extract registry hives like SAM and SYSTEM.
- RedSun: An unassigned vulnerability that targeted the interaction between the Cloud Files API and opportunistic locks (oplocks), allowing for a similar escalation of privileges.
In both cases, Chaotic Eclipse claimed that Microsoft attempted to downplay the severity or ignore the findings until public PoCs were released. This pattern of “disgruntled disclosure” is becoming a 2026 trend, as researchers feel the bug bounty system has become too bureaucratic and corporate-centric.
Mitigation and the Future of Windows Recovery
As of May 15, 2026, there is no official patch for the YellowKey BitLocker bypass. The complexity of patching WinRE is a known bottleneck for Microsoft. Because WinRE is a separate image (Winre.wim), it often requires manual intervention or specialized update scripts to ensure the patch is applied to the recovery partition, rather than just the main OS. This was seen previously with CVE-2022-41099, where a similar WinRE-based bypass remained exploitable on many systems for years after the patch was released.
In the absence of a patch, security organizations are recommending the following defensive postures:
- Enforce BIOS/UEFI Passwords: Preventing unauthorized boot device selection is critical to stopping the USB-based YellowKey attack.
- Disable WinRE: For high-security environments, disabling the Windows Recovery Environment entirely (via reagentc /disable) removes the attack surface, though it complicates legitimate system repair.
- Monitor for Physical Access: Since YellowKey requires physical access to the device or the ability to write to the EFI partition, endpoint physical security should be prioritized.
- Pre-boot Authentication: Despite the researcher’s claims, a strong BitLocker PIN remains a significant barrier for the current public version of the exploit.
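An added PowerShell audit, not from the article or from the researcher, that checks the two settings the list above calls out on a fleet machine: whether WinRE is still enabled (parsed from reagentc /info) and whether each BitLocker volume relies on a TPM-only protector rather than TPM+PIN. It assumes the built-in BitLocker PowerShell module and an elevated prompt.

```powershell
# Added audit script (not from the article or the researcher).
# Reports WinRE status and flags BitLocker volumes that are TPM-only,
# the configuration the public YellowKey PoC is described as targeting.
# Requires the BitLocker module and an elevated PowerShell session.

function Get-WinReStatus {
    # reagentc /info prints a line such as "Windows RE status:         Enabled"
    $info = & reagentc.exe /info 2>&1
    foreach ($line in $info) {
        if ($line -match 'Windows RE status:\s*(\w+)') { return $Matches[1] }
    }
    return 'Unknown'
}

function Get-BitLockerProtectorSummary {
    # Protector types that add a pre-boot factor on top of the TPM
    $withSecondFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasSecondFactor = [bool]($types | Where-Object { $withSecondFactor -contains $_ })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            # True when the volume unlocks on TPM alone with no PIN or startup key
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasSecondFactor
        }
    }
}

$winre = Get-WinReStatus
Write-Host "Windows RE status: $winre"
if ($winre -eq 'Enabled') {
    Write-Host "  WinRE is enabled; 'reagentc /disable' removes it where repair tooling is not needed."
}

$summary = Get-BitLockerProtectorSummary
$summary | Format-Table -AutoSize
$summary | Where-Object { $_.TpmOnly } | ForEach-Object {
    Write-Host "  $($_.MountPoint) is TPM-only; consider adding a PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector)."
}
```

Run it per host or through your endpoint management tool; a volume listed as TpmOnly with WinRE Enabled is the combination the public PoC is reported to target.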
Conclusion: The Age of Internet Archaeology
The “Chaotic Eclipse” event marks a turning point in OS security research. We are entering an era of Internet Archaeology, where researchers are no longer looking for new features to exploit, but are instead digging through decades of legacy code—like Transactional NTFS—to find forgotten vulnerabilities. The YellowKey disclosure serves as a stark reminder that as long as “living” digital artifacts are carried forward into new operating systems, the risk of a buried backdoor remains.
With a “big surprise” promised for June’s Patch Tuesday, the saga of Chaotic Eclipse is far from over. For now, the cybersecurity world remains focused on the “geeky” details of NTFS transactions, waiting for Microsoft’s next move in this high-stakes game of digital rebellion.