WinRE

Winsage
June 30, 2026
Microsoft has released three optional updates for Windows 11: KB5095186, KB5095615, and KB5102558.
- KB5095186 is for Windows 11 26H1 on Snapdragon X2 systems and upgrades the Windows recovery environment (WinRE) to version 10.0.28000.2335.
- KB5095615 also improves the WinRE, updating it to version 10.0.26100.8737.
- KB5102558 refines Windows setup binaries and related files for feature updates.
These updates can be accessed through Windows Update in the Settings app, and no restart is required after installation.
Winsage
June 28, 2026
Microsoft released a C-release preview update, KB5095093, along with new dynamic updates to enhance the Windows experience. Dynamic updates refine the Windows Recovery process and improve the setup experience by updating the Windows Recovery Environment (WinRE) and Setup file binaries. These updates ensure a smoother transition during upgrades and preserve Language Pack (LP) and Features on Demand (FODs) content. The updates include:
- KB5095186: Safe OS Dynamic Update for Windows 11, version 26H1, enhancing WinRE to version 10.0.28000.2335.
- KB5102558: Setup Dynamic Update for Windows 11, versions 24H2 and 25H2, improving setup binaries and files for feature updates.
- KB5095615: Safe OS Dynamic Update for Windows 11, versions 24H2 and 25H2, enhancing WinRE to version 10.0.26100.8737.
These updates will be automatically downloaded and installed through the Windows Update channel.
Winsage
June 15, 2026
A cybersecurity researcher known as “Nightmare Eclipse” has revealed two zero-day exploits threatening Windows systems: RoguePlanet and GreatXML. RoguePlanet targets Microsoft Defender, allowing attackers to execute privileged actions and gain SYSTEM-level access on Windows machines. It is a local privilege escalation vulnerability that remains effective on fully updated systems. GreatXML is claimed to bypass BitLocker disk encryption by manipulating the Windows Recovery Environment, potentially granting access to protected files. However, its effectiveness may be overstated, as it might require administrator-level access. Microsoft advises organizations to implement security updates, treat lost or accessible devices as high-risk, enforce stricter policies, and monitor threat intelligence to mitigate exposure to these vulnerabilities.
Winsage
June 14, 2026
Microsoft released Patch Tuesday updates KB5094126 and KB5093998 for Windows 11, and KB5094127 for Windows 10. New Dynamic Update packages were introduced to enhance user experience by preserving Language Pack and Features on Demand content during upgrades. The updates include:
- KB5095185: Safe OS Dynamic Update for Windows 11, version 26H1, improving WinRE to version 10.0.28000.2269.
- KB5094149: Safe OS Dynamic Update for Windows 11, versions 24H2 and 25H2, enhancing WinRE to version 10.0.26100.8655.
- KB5095971: Setup Dynamic Update for Windows 11, version 23H2, refining setup binaries for feature updates.
- KB5094156: Safe OS Dynamic Update for Windows 11, version 23H2, improving WinRE to version 10.0.22621.7219.
- KB5098815: Windows Recovery Environment update for Windows 10, versions 21H2 and 22H2, applying Safe OS Dynamic Update (KB5094154) to WinRE.
- KB5094154: Safe OS Dynamic Update for Windows 10, versions 21H2 and 22H2, enhancing WinRE to version 10.0.19041.7417.
- KB5094153: Safe OS Dynamic Update for Windows 10, version 1809 and Windows Server 2019, improving WinRE to version 10.0.17763.8880.
- KB5094152: Safe OS Dynamic Update for Windows 10, version 1607 and Windows Server 2016, enhancing WinRE to version 10.0.14393.9234.
These updates will be automatically downloaded and installed via the Windows Update channel.
Winsage
June 11, 2026
Security researcher Chaotic Eclipse has released a Windows BitLocker bypass tool named GreatXML, following a previously disclosed exploit targeting Microsoft Defender. The discovery was made accidentally and took four hours. A critical vulnerability exists for users who have used the Windows Defender Offline Scan feature, making them susceptible to the BitLocker bypass. The exploit involves copying an XML file and a recovery folder to the recovery partition and rebooting into the Windows Recovery Environment (WinRE). If the Defender offline scan was not initiated, users must log in to start it or find a way to boot into WinRE in offline scan state. GreatXML is the second BitLocker bypass tool released by Chaotic Eclipse, following the earlier exploit known as YellowKey (CVE-2026-45585), which has been patched by Microsoft.
Winsage
May 23, 2026
BitLocker, a security feature for data protection, has a vulnerability identified as CVE-2026-45585, also known as YellowKey, which allows unauthorized access to encrypted data on Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. This flaw does not compromise BitLocker’s encryption but affects the recovery environment supporting it. The vulnerability can be exploited locally through the Windows Recovery Environment (WinRE) by an attacker with physical access, who can trigger an unrestricted shell and access the BitLocker-protected volume. Microsoft has provided two mitigation strategies: modifying the WinRE image to remove the autofstx.exe entry and transitioning from TPM-only protection to a TPM+PIN requirement at startup. The exploit poses challenges for detection, as it occurs pre-boot and currently lacks vendor-published indicators of compromise. Organizations using BitLocker for unattended devices are particularly at risk, as the vulnerability can lead to loss of confidentiality if an attacker gains access before the legitimate user.
Winsage
May 22, 2026
A security researcher known as Nightmare-Eclipse revealed a vulnerability in Windows 11, named YellowKey, which allows attackers to access BitLocker-encrypted drives through the Windows Recovery Environment. Microsoft acknowledged the vulnerability, assigned it the identifier CVE-2026-45585, and criticized the public sharing of its proof of concept. Currently, there is no patch available for the BitLocker bypass, but the need for physical access to the device provides some protection. The vulnerability does not exist in Windows 10 due to differences in the Windows Recovery Environment. The attack requires a stolen Windows 11 laptop and a USB stick, and the vulnerable filesystems include NTFS, FAT32, and exFAT. Nightmare-Eclipse speculated that the bypass may function as a backdoor, while Microsoft referred to it as a "security feature bypass vulnerability."