Microsoft's June 2026 Patch Tuesday includes fixes for three actively exploited Windows zero-day vulnerabilities — publicly named YellowKey, GreenPlasma, and MiniPlasma — that allow attackers to gain SYSTEM-level privileges on fully patched Windows systems or bypass BitLocker drive protection.
The Three Zero-Days
YellowKey — SYSTEM Privilege Escalation
YellowKey is a local privilege escalation vulnerability in the Windows kernel. An authenticated attacker who exploits this flaw can elevate their privileges to SYSTEM level on a fully patched Windows system. The vulnerability was initially disclosed by a security researcher in May 2026 as part of a series of Windows zero-day drops following a dispute between Microsoft and the research community over disclosure practices.
Microsoft had previously come under fire for threatening legal action against researchers publishing zero-days, which some in the community argued led to coordinated disclosure of stockpiled vulnerabilities in retaliation.
GreenPlasma — SYSTEM Privilege Escalation
GreenPlasma is a second local privilege escalation zero-day, distinct from YellowKey and exploiting a different Windows component. Like YellowKey, it grants SYSTEM privileges to an authenticated attacker on a fully patched Windows machine. Both YellowKey and GreenPlasma were disclosed publicly via proof-of-concept code before patches were available.
Both flaws were flagged as actively exploited in the wild by the time Microsoft released patches, indicating threat actors had already operationalized them.
MiniPlasma — BitLocker Bypass
MiniPlasma targets BitLocker, Windows' built-in drive encryption system. The flaw allows an attacker with physical or remote access to retrieve or bypass BitLocker protection — potentially enabling access to encrypted drives without the correct credentials. This vulnerability is particularly concerning for enterprises relying on BitLocker for data-at-rest protection on laptops and workstations.
The MiniPlasma vulnerability had been under limited active exploitation, primarily by sophisticated threat actors against high-value targets.
Patch Tuesday June 2026 Scope
June 2026's Patch Tuesday is notably large, addressing 206 vulnerabilities in total — a record-setting monthly batch. In addition to the three zero-days, fixes include:
- Critical Remote Code Execution vulnerabilities in Windows network components
- Multiple Elevation of Privilege fixes across Windows services
- Security updates for Microsoft Office, Edge, and Azure services
Why These Zero-Days Matter
The combination of YellowKey, GreenPlasma, and MiniPlasma represents a potent attack chain. An attacker who gains initial access to a Windows system — through phishing, a web exploit, or supply chain compromise — can:
- Use YellowKey or GreenPlasma to escalate to SYSTEM privileges
- Leverage SYSTEM access to extract credentials, deploy ransomware, or establish persistence
- If BitLocker is in use, deploy MiniPlasma to access encrypted drives
This chain works even on fully patched Windows systems (prior to the June 2026 patches), meaning organizations running current Windows updates were still vulnerable.
Recommended Actions
- Apply the June 2026 Patch Tuesday updates immediately — Microsoft has released patches for all three zero-days
- Prioritize endpoint updates — YellowKey and GreenPlasma are particularly high-risk for environments where attackers may already have local access
- Review BitLocker configurations — Organizations relying on BitLocker for sensitive data protection should treat MiniPlasma as high-urgency
- Monitor EDR telemetry — Look for privilege escalation attempts or unexpected SYSTEM-level process creation
- Check CISA KEV — Verify whether these vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog for federal compliance deadlines
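One way to act on the EDR telemetry recommendation above is to hunt for SYSTEM processes whose parent ran as an ordinary user. This is an added example, not Microsoft's or any vendor's detection logic. It assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names; the sample events, hosts, users and the ExampleAgent path are constructed.

```python
import json

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Built-in service identities; a parent running as one of these is not a user-context parent.
SERVICE_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}

# Constructed sample telemetry (JSON lines). Field names follow Sysmon Event ID 1;
# hosts, users and the ExampleAgent path are made up for illustration.
SAMPLE_EVENTS = r'''
{"EventID":1,"UtcTime":"2026-06-10 09:14:02","Computer":"WS-EXAMPLE-01","Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"UtcTime":"2026-06-10 09:15:40","Computer":"WS-EXAMPLE-01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","ParentUser":"CORP\\alice"}
{"EventID":1,"UtcTime":"2026-06-10 09:16:11","Computer":"WS-EXAMPLE-01","Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentUser":"CORP\\alice"}
{"EventID":1,"UtcTime":"2026-06-10 09:18:55","Computer":"WS-EXAMPLE-02","Image":"C:\\Program Files\\ExampleAgent\\updater.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Program Files\\ExampleAgent\\helper.exe","ParentUser":"CORP\\bob"}
{"EventID":1,"UtcTime":"2026-06-10 09:20:
'''


def find_suspicious_elevations(lines, allowed_parents=frozenset()):
    """Return process-creation events where a SYSTEM child has a user-context parent."""
    allowed = {p.lower() for p in allowed_parents}
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated records instead of aborting the hunt
        if not isinstance(ev, dict) or ev.get("EventID") != 1:
            continue
        child_user = str(ev.get("User", "")).upper()
        parent_user = str(ev.get("ParentUser", "")).upper()
        # ParentUser is absent on older Sysmon versions: no verdict without it.
        if child_user != SYSTEM or parent_user in ("", "-") or parent_user in SERVICE_ACCOUNTS:
            continue
        if str(ev.get("ParentImage", "")).lower() in allowed:
            continue  # environment-specific parent the defender has vetted
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_elevations(SAMPLE_EVENTS.splitlines()):
        print(ev["UtcTime"], ev["Computer"], ev["ParentUser"], ev["ParentImage"], "->", ev["Image"])
```

A hit is a lead for triage rather than proof of exploitation. The allowlist should hold only parent images that have been verified in the environment.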
Context: The Researcher Disclosure Dispute
The release of YellowKey and GreenPlasma before patches were available stems from a broader dispute between Microsoft and the security research community. After Microsoft's legal threat against researchers publishing zero-days in May 2026, several researchers responded by publicly releasing vulnerability details and proof-of-concept code without waiting for patches. Microsoft has since reversed course, stating it "will not pursue security researchers" — but the damage was done, and multiple Windows zero-days were already in the public domain.
This episode underscores the critical importance of healthy vulnerability disclosure ecosystems and the real-world consequences when that trust breaks down.