Microsoft shipped KB5089549 on May 12, 2026, as part of its monthly Patch Tuesday rollout, delivering cumulative security and quality improvements to Windows 11 versions 24H2 and 25H2. The update pushes the 25H2 edition to OS build 26200.8457 and 24H2 to 26100.8457. It bundles fixes for 47 security vulnerabilities—six rated critical—alongside a pivotal Secure Boot certificate refresh that prepares systems for the eventual expiry of the current Windows UEFI CA 2023 certificate.
Secure Boot certificate readiness arrives early
The centerpiece of KB5089549 is not a single CVE fix but the proactive addition of the new Windows UEFI CA 2026 certificate to the Secure Boot signature database (DB). Microsoft first announced this change in August 2025, warning that the existing certificate—introduced in 2023 to replace the original 2011 CA—would itself reach end of life. KB5089549 stages the new certificate across all supported Windows 11 24H2 and 25H2 devices, but it does not yet revoke or remove the older 2023 certificate. That revocation is scheduled for a future update, likely in the second half of 2026.
Administrators who rely on custom Secure Boot policies or non-Microsoft bootloaders need to verify compatibility now. The update does not alter boot order or default policy enforcement, but once the certificate transitions from “staged” to “enforced,” any bootloader signed only by an older CA will fail validation. Microsoft’s guidance recommends testing with the KB5089549 integration bits before the revocation event.
OS build bumps solidify the 24H2/25H2 split
Windows 11 24H2 (originally released in October 2024) and 25H2 (released September 2025) have been maintained on parallel servicing branches since 25H2’s general availability. KB5089549 reinforces that separation: 24H2 moves to 26100.8457, while 25H2 jumps to 26200.8457. Both development trains receive identical security patches, but the build numbers reflect different feature sets under the hood. Microsoft has committed to supporting 24H2 until October 2027, while 25H2 is expected to reach end of servicing in October 2028.
This servicing model avoids the forced feature update cadence that vexed enterprises during the Windows 10 era. Organizations can stay on 24H2’s long-term build while still receiving critical security fixes, giving IT teams a predictable upgrade path.
Vulnerability landscape: six critical CVEs patched
Among the 47 fixed vulnerabilities, six carry a CVSS severity rating of 9.8 or 10.0 and warrant immediate attention:
- CVE-2026-26789 – Windows TCP/IP Remote Code Execution (RCE) – A critical flaw in the IPv6 stack that could allow an unauthenticated attacker to execute arbitrary code by sending a specially crafted IPv6 packet to a vulnerable machine. Public proof-of-concept code exists, making this wormable on networks where IPv6 is enabled.
- CVE-2026-27112 – Microsoft Message Queuing (MSMQ) RCE – Exploitable via a malicious packet sent to the MSMQ service, which is often exposed on internal networks. Microsoft rates this “exploitation more likely” due to past targeting of MSMQ bugs.
- CVE-2026-27433 – Windows Hyper-V Remote Code Execution – Affects Hyper-V hosts; a guest VM could escape to the host by triggering a heap overflow. Requires the guest to have network access to the host, but severity remains critical.
- CVE-2026-27890 – Windows CNG Key Isolation (KeyIso) Elevation of Privilege – Allows a local attacker to escalate to SYSTEM via a malformed RPC call. Combined with a remote execution bug, this becomes a full chain.
- CVE-2026-28101 – Windows Remote Desktop Services RCE – A pre-authentication flaw in RDP gateway components that can be triggered without user interaction. Mitigated by enabling NLA, but many legacy environments remain exposed.
- CVE-2026-28456 – Windows Secure Boot Security Feature Bypass – Ironically, while the update adds the new certificate, it also patches a bypass that could allow a signed but revoked bootloader to load. This CVE underscores why the certificate refresh is overdue.
A full list of CVEs is available on the Microsoft Security Response Center’s May 2026 update guide.
Non-security fixes and quality improvements
KB5089549 includes a roll-up of April’s optional preview update (KB5087622), meaning any quality fixes from that release are now part of the mandatory security update. Highlights include:
- Fixed a memory leak in the Windows Shell Experience Host that occurred when switching virtual desktops with animated wallpapers enabled.
- Addressed a deadlock in the Windows Filtering Platform (WFP) that could cause VPN connections to hang indefinitely after wake-from-sleep.
- Resolved an issue where the Windows Update settings page incorrectly showed “Updates available” but failed to download after an in-place upgrade repair.
- Improved performance of the Local Security Authority (LSA) when handling large Kerberos ticket caches in domain-joined machines.
- Fixed a bug where the night light color temperature would reset to default after a monitor topology change (e.g., unplugging an external display).
- Updated the Kernel Time Zone data to align with recent DST changes in Egypt, Fiji, and Samoa.
BitLocker recovery prompts and known compatibility holds
KB5089549 does not introduce a new wave of BitLocker recovery screens—a relief for IT admins who remember the August 2024 fiasco. However, Microsoft has flagged a known issue: some devices with certain Western Digital NVMe SSDs may encounter a “fatal error” during the servicing stack update if the drive’s firmware is older than 620311WD. Microsoft says it is working with Western Digital on a firmware update and has applied a compatibility hold to prevent KB5089549 from being offered on affected hardware until the SSD firmware is updated.
Another hold affects systems that still have the 2023 Secure Boot certificate set as the only authorized UEFI CA. A small number of custom UEFI configurations might fail to boot after the staging of the 2026 certificate, particularly if disk encryption software modifies the boot path. Microsoft recommends running “Certutil -VerifyCTL AuthRootWU.cab” with the latest dismounted image to audit certificate stores before deployment.
How to get KB5089549
The update is distributed through all standard channels:
- Windows Update – Offered automatically to devices running Windows 11 24H2 or 25H2 that do not have compatibility holds. Enterprise customers can use Microsoft Endpoint Manager to approve and schedule deployment.
- Microsoft Update Catalog – Direct .msu download links for offline installation or mounting in System Center Configuration Manager (SCCM) are available. The x64 version for 24H2 is roughly 720 MB; 25H2 is 740 MB.
- Windows Server Update Services (WSUS) – KB5089549 is categorized under “Security Updates” and “Critical Updates.”
Servicing stack updates (SSU) are bundled into the cumulative package, so no separate SSU download is needed. However, Microsoft notes that systems lagging behind by more than two cumulative updates may need to install the latest SSU manually if the update fails during the reset base phase.
Community feedback and adoption guidance
In the windowsforum.com discussion that started the day after release, early adopters reported largely smooth updates, though some noted extended restart times due to the certificate staging operation. On SSD-based systems, post-update disk cleanup reclaimed around 18-20 GB after the reset base execution. Users on the AMD Ryzen 7 7840U and Intel Core Ultra 7 258V platforms observed no new performance regressions.
A recurring thread focuses on the Secure Boot change: several forum members questioned whether dual-boot Linux setups would be affected. The consensus—consistent with Microsoft’s own clarification—is that the new certificate is added, not enforced. If the Linux distribution uses a signed shim that chains to the Microsoft CA, it will continue to boot. Only if the bootloader or kernel is self-signed without the 2026 CA in its chain will there be a future failure. Community members recommend testing with a live USB and checking “mokutil --import” after the staging event.
Enterprises worried about the IPv6 RCE (CVE-2026-26789) have turned to temporary workarounds such as disabling IPv6 on perimeter-facing servers, though Microsoft warns this is not a permanent mitigation and may break Exchange and modern authentication. The recommended approach is to install KB5089549 immediately and re-enable IPv6 where needed.
Preparing for the Secure Boot certificate transition
Beyond this single Patch Tuesday, the certificate refresh represents a multi-year effort to maintain UEFI trust infrastructure. Microsoft has published a timeline:
- May 2026: KB5089549 stages the Windows UEFI CA 2026 certificate.
- Q3 2026 (tentative): A subsequent update will revoke the 2023 certificate via the UEFI revocation list (DBX). This update will be flagged as a critical security release and will likely be distributed outside the normal Patch Tuesday cadence.
- Q4 2026: An update for Windows 10 22H2 (if still in extended support) and Windows Server 2022 may introduce the same certificate, though Microsoft has yet to commit.
Organizations that rely on third-party UEFI applications (e.g., hardware diagnostics, PXE boot loaders, or disk encryption pre-boot environments) should contact vendors now to confirm that their signed binaries chain to the 2026 CA. The Windows Hardware Compatibility Program already requires submissions to be signed against both the 2023 and 2026 certificates where applicable.
Actionable takeaways
KB5089549 is not a cosmetic update. It packs critical RCE fixes and begins the final stage of one of the most significant boot security transitions since the original Secure Boot mandate. For most home users, allowing the update to install automatically is sufficient. For IT professionals, this is the month to:
- Audit Secure Boot certificates using PowerShell: run Get-SecureBootUEFI -Name db and verify that “Windows UEFI CA 2026” appears in the store.
- Test the update on a representative fleet subset, particularly devices with non-standard UEFI configurations or older Western Digital SSDs.
- Review and temporarily disable IPv6 on critical servers where patching cannot happen immediately, then plan a short-term patch window.
- Subscribe to Microsoft’s Security Update Guide RSS feeds to catch any out-of-band release related to the IPv6 wormable vulnerability.
- Engage with hardware vendors to ensure firmware and bootloader signatures are aligned with the 2026 CA.
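The DB variable returned by Get-SecureBootUEFI is a packed sequence of EFI_SIGNATURE_LIST structures, not a text list, so a simple string search can give false results. The script below is an added example (not from the article or from Microsoft) that parses those structures, extracts the X.509 entries and reports whether the 2023 and 2026 CA certificates are present. It assumes an elevated session on a UEFI system with Secure Boot enabled, and that the certificate subjects contain the names the article uses.

```powershell
# Added example (not from the article or Microsoft): parse the Secure Boot DB and
# report whether the Windows UEFI CA 2023 and 2026 certificates are present.
# Assumes an elevated PowerShell session on a UEFI system with Secure Boot enabled.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCertificates {
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes)
    $certs = @()
    $offset = 0
    # The variable is a packed sequence of EFI_SIGNATURE_LIST structures.
    while (($offset + 28) -le $Bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4)
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Malformed list: stop rather than read past the buffer or loop forever.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER-encoded certificate
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return ,$certs
}

$db = Get-SecureBootDbCertificates
$db | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Subject names are assumed to match the certificate names used in the article.
foreach ($name in 'Windows UEFI CA 2023', 'Windows UEFI CA 2026') {
    $present = [bool]($db | Where-Object { $_.Subject -like "*$name*" })
    '{0,-22} {1}' -f $name, $(if ($present) { 'present' } else { 'MISSING' })
}
```

Run it before and after installing KB5089549: on devices where staging succeeded, the 2026 line should change from MISSING to present while the 2023 line stays present, since this update adds the certificate without revoking the old one.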
Microsoft’s May 2026 Patch Tuesday lands solidly as a security-first release with the added weight of future-proofing Windows’ Secure Boot infrastructure. The operation is smooth, the fixes are deep, and the early-warning certificate staging gives administrators exactly the kind of breathing room they need before a forced revocation. Grab the update, test the boot chain, and then get back to business.