Microsoft released the May 2026 hotpatch update KB5089466 for Windows 11 Enterprise on May 12, 2026. The update targets devices running versions 25H2 and 24H2, raising the OS builds to 26200.8390 and 26100.8390 respectively. It delivers targeted security fixes for the Simple Service Discovery Protocol (SSDP) and Remote Desktop Protocol (RDP), along with defense-in-depth strengthening. Unlike traditional cumulative updates, KB5089466 qualifies as a hotpatch—meaning it can install on eligible systems without triggering a reboot.
What makes KB5089466 a hotpatch?
Hotpatching modifies in-memory code while Windows is running, slashing downtime for critical systems. Enterprise customers with a Windows 11 Enterprise E3/E5 or Microsoft 365 E3/E5 license can deploy these updates through Windows Autopatch, Intune, or other management tools. KB5089466 applies cleanly to machines that already have the March 2026 hotpatch baseline (KB5076789) installed. Organizations not yet on the hotpatch train will receive the same fixes in the next regular monthly cumulative update, scheduled for June 9, 2026.
New OS builds and supported versions
After installing KB5089466, Windows 11 Enterprise devices will display the following OS build numbers:
| Version | Old Build | New Build |
|---|---|---|
| 25H2 (2025 Update) | 26200.8234 | 26200.8390 |
| 24H2 (2024 Update) | 26100.8130 | 26100.8390 |
These builds are exclusive to the hotpatch channel. The general availability monthly update for June will carry build numbers above .9000. Microsoft recommends that hotpatch-enabled devices stay on the hotpatch track to avoid reboots and maintain rapid patch cycles.
Security and quality improvements
KB5089466 addresses two distinct vulnerabilities, along with several reliability improvements that have been backported from Windows Insider builds.
SSDP memory leak (no CVE)
A memory leak in the SSDP service (ssdpsrv.dll) caused non-paged pool memory to grow over several days, particularly on machines that frequently discover network printers, media servers, or UPnP devices. This led to gradual performance degradation and, on long-running servers, could trigger a system hang. The fix corrects the asynchronous cancellation logic in the SSDP discovery thread so that I/O completion packets are properly freed. Systems with heavy SSDP traffic should see non-paged pool usage return to normal levels within hours.
RDP authentication bypass (CVE-2026-21839)
A flaw in the Remote Desktop Gateway component allowed an attacker to bypass certificate-based authentication by sending a crafted sequence of HTTP/2 frames. The vulnerability carries a CVSS score of 7.5 and was separately addressed for Windows Server 2025 in a concurrent out-of-band release. KB5089466 updates rdgateway.exe and its supporting libraries to validate the signature chain before establishing a session. Organizations running RD Gateway should prioritize this update, even if they do not usually deploy hotpatches, by manually applying the full cumulative update from the Microsoft Update Catalog.
Windows Defender kernel-attack mitigations
The hotpatch also updates mpfilter.sys and mpengine.dll to detect a pattern of Bring Your Own Vulnerable Driver (BYOVD) attacks that exploit a rarely used kernel IOCTL path. The new signatures look for a loaded driver carrying a known-bad certificate thumbprint and raise memory-isolation warnings when one is found.
Start menu stability fix
A subset of users on 25H2 had reported Start menu lock-ups when hovering over live tiles that update badge counts. The hotpatch replaces a stale UI controller component, eliminating the 2–3 second freeze.
SSDP fixes in depth
SSDP underpins device discovery in many corporate environments. The protocol uses UDP port 1900 and HTTPMU multicasts. When a device leaves the network or stops responding, the SSDP service must clean up its internal hash table. The previous implementation leaked a small amount of memory with each cleanup cycle—typically 64 bytes per orphaned device entry. On networks with thousands of transient IoT devices or discovery-enabled applications, the leak accumulated quickly.
KB5089466 rewrites the hash-table cleanup in ssdpcommon.dll. It now uses a lock-free, reference-counted map that automatically reclaims memory when the last reference to a device node drops. Microsoft has also increased the default network discovery heartbeat interval from 60 seconds to 120 seconds to reduce SSDP chatter—a change that system administrators can override via the registry key HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters.
RDP improvements
Remote Desktop Protocol remains a prime target for attackers. CVE-2026-21839 exploited a gap in how the RD Gateway validates client certificates during the TLS 1.3 handshake. An attacker positioned in a man-in-the-middle scenario could strip the certificate and replace it with one signed by a compromised root CA that the target server has in its trusted store. The hotpatch ensures strict certificate pinning, checking that the certificate's key usage field permits client authentication and that the issuer matches a trusted enterprise CA defined in the RD Gateway configuration.
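As an added illustration of the two checks the article describes, not RD Gateway's own code: a PowerShell function that requires the Client Authentication EKU and a chain that terminates at a pinned enterprise CA rather than at any root in the machine store. The function name and the thumbprint parameter are my assumptions.

```powershell
# Added illustration (not RD Gateway's code) of the validation described above:
# the client certificate must carry the Client Authentication EKU and must chain
# to an issuer the administrator explicitly pinned, not just any trusted root.
# $TrustedIssuerThumbprints is an assumption: the thumbprints of your enterprise CA(s).
function Test-RdgClientCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$TrustedIssuerThumbprints
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Extended Key Usage must permit client authentication
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $clientAuthOid)) {
        $reasons.Add('missing Client Authentication EKU')
    }

    # 2. Build the chain (with revocation checking) and require its root to be
    #    one of the pinned enterprise CAs, so a certificate issued under any
    #    other root present in the trust store is still rejected.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Certificate)) {
        $reasons.Add('chain build failed: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        if ($TrustedIssuerThumbprints -notcontains $root) {
            $reasons.Add("root $root is not a pinned enterprise CA")
        }
    }
    $chain.Dispose()

    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage (paths and thumbprint are placeholders):
# $cert = Get-PfxCertificate -FilePath .\client.cer
# Test-RdgClientCertificate -Certificate $cert -TrustedIssuerThumbprints @('<ENTERPRISE-CA-THUMBPRINT>')
```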
Additionally, KB5089466 resolves a regression introduced in the April 2026 preview update where Remote Desktop sessions could drop when the client negotiated AVC420 hardware encoding. The fix updates the graphics driver abstraction layer to correctly synchronize direct-memory-access buffers between the GPU and the remote session host.
Known issues
- Third-party VPN clients: Cisco AnyConnect 5.1 and earlier, as well as SonicWall NetExtender 10.2.0, may fail to establish a tunnel after applying the hotpatch due to a change in the NDIS filter driver stack. Microsoft and the vendors are coordinating a fix. In the interim, administrators can exclude these systems from the hotpatch through Intune rings.
- Windows Update service restart: On some devices managed by Configuration Manager with dual delivery optimization, the Windows Update service does not automatically resume after the hotpatch installs. Running `net stop wuauserv && net start wuauserv` restores normal operation.
- App-V script failures: An App-V 5.1 script that calls the `Get-WmiObject Win32_LogicalDisk` cmdlet may time out. Microsoft suggests using the `Get-CimInstance` cmdlet as a permanent workaround.
How to install KB5089466
- Via Intune hotpatch policy: Devices enrolled in a hotpatch policy will receive the update automatically within 24 hours of release. No user or admin action is required.
- Via Windows Update for Business: Admins can select “Quality updates” and check the “Include hotpatch updates” checkbox. The update will appear as an optional quality update starting May 12, 2026.
- Manual download: Enterprises that need offline installers can download the MSU file from the Microsoft Update Catalog. The catalog lists separate packages for 24H2 (x64/ARM64) and 25H2 (x64/ARM64).
- Prerequisite: The March 2026 hotpatch baseline KB5076789 must be installed. If it is not, the standalone installer will refuse to proceed and direct you to install the baseline first.
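To confirm on a given device that the prerequisite is met and the hotpatch build from the table above is present, here is an added PowerShell check (not Microsoft's tooling). It reads the build and UBR from the registry and looks for the KB5076789 baseline with Get-HotFix; the function name is mine, and whether Get-HotFix lists hotpatch packages on every device is an assumption.

```powershell
# Added example (not Microsoft's tooling): report whether a device meets the
# KB5089466 prerequisite and is on the expected post-hotpatch build.
# Build numbers are taken from the article; the function name is my own.
function Test-Kb5089466State {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber   # 26200 for 25H2, 26100 for 24H2
    $ubr   = [int]$cv.UBR                  # update build revision, e.g. 8390

    # Expected hotpatch UBR per base build, from the article's table
    $expected = @{ 26200 = 8390; 26100 = 8390 }
    if (-not $expected.ContainsKey($build)) {
        return [pscustomobject]@{
            Build = "$build.$ubr"; Eligible = $false
            BaselineKB5076789 = $null; OnHotpatchTrack = $null; KB5089466Applied = $false
        }
    }

    # Prerequisite: the March 2026 hotpatch baseline must be present.
    # Assumption: the baseline package is visible to Get-HotFix (Win32_QuickFixEngineering).
    $baseline = [bool](Get-HotFix -Id 'KB5076789' -ErrorAction SilentlyContinue)

    # Hotpatch-channel builds stay below .9000; the June GA update moves above it.
    $onHotpatchTrack = $ubr -lt 9000
    $applied = $onHotpatchTrack -and ($ubr -ge $expected[$build])

    [pscustomobject]@{
        Build             = "$build.$ubr"
        Eligible          = $true
        BaselineKB5076789 = $baseline
        OnHotpatchTrack   = $onHotpatchTrack
        KB5089466Applied  = $applied
    }
}

Test-Kb5089466State | Format-List
```

A device that reports Eligible but not OnHotpatchTrack has taken a regular cumulative update and will get these fixes through the June 9 release instead.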
For home and non-hotpatch users
KB5089466 is exclusive to Windows 11 Enterprise editions. Windows 11 Pro and Home users will receive the SSDP and RDP fixes—minus the hotpatch technology—in the June 2026 Patch Tuesday update (KB5089601, tentatively). If CVE-2026-21839 poses an urgent risk, Microsoft recommends temporarily disabling RD Gateway on stand-alone Pro machines until the June update ships.
Looking ahead
Microsoft continues to expand the hotpatch surface. The May 2026 update adds eight more DLLs to the in-memory replacement engine, covering kernel-mode components like tcpip.sys and ntoskrnl.exe. This signals a future where major vulnerability mitigations—not just quality fixes—will arrive without reboots. For enterprise IT teams, the promise of drastically reduced patch windows is inching closer, though third-party software compatibility remains an ongoing challenge. The company’s internal telemetry suggests that organizations using hotpatch have seen a 62% drop in helpdesk calls related to post-update reboots.
KB5089466 is a modest but meaningful step in that direction, addressing real-world pain points in device discovery and remote connectivity.