
BitLocker’s Physical‑Access Flaw Triggers June Patch Rush (CVE-2026-50507)
Microsoft disclosed a BitLocker vulnerability (CVE-2026-50507) that lets an attacker with physical access bypass BitLocker Device Encryption and read data on the drive. The flaw, mapped to CWE-306, affects a broad range of Windows clients and servers from Windows 10/11 to Windows Server 2012 R2–2025, with a CVSS v3.1 base score of 6.8. Patches were released on June 9, 2026 as part of the June Patch Tuesday updates (KB5094041, KB5094122, KB5094123, KB5094126, KB5094127, KB5094128, KB5095051). Exploitation requires physical access, low complexity, no privileges, and no user interaction, and proof‑of‑concept code exists. Guidance: deploy the June 2026 updates promptly, verify BitLocker health, enforce TPM+PIN where possible, and strengthen physical security and incident response for unpatched or remote devices until patches are fully rolled out.