Microsoft rolled out the May 2026 Patch Tuesday updates on May 12, delivering Windows 11 cumulative update KB5089549 for versions 24H2 and 25H2. The release plugs 137 security holes across the Microsoft ecosystem, including Windows, Office, and other components, making it one of the larger monthly patching events in recent memory.

Unlike the smaller, more surgical out-of-band fixes that occasionally interrupt IT schedules, cumulative updates like KB5089549 bundle all prior quality improvements with the month’s fresh security patches. That means installing it on a current Windows 11 machine brings the operating system fully up to date, addressing everything from critical remote code execution flaws to privilege escalation bugs that could hand attackers the keys to a corporate network.

What’s Inside KB5089549

KB5089549 is a mandatory cumulative update. It automatically downloads and installs for most consumer devices configured with default Windows Update settings. Enterprise and education machines managed via WSUS or Microsoft Endpoint Configuration Manager receive the update according to administrator-defined ring policies. The patch applies to Windows 11 version 24H2 (the initial 2024 feature update) and version 25H2, Microsoft’s 2025 feature release that began rolling out in September 2025.

Microsoft categorizes the 137 fixed vulnerabilities as follows:
- 15 Critical
- 120 Important
- 2 Moderate

Five of the critical flaws affect Windows components that handle network packets, font parsing, or NTFS file system operations, all carrying CVSS scores of 8.8 or higher. Exploitation typically requires little user interaction beyond opening a malicious attachment or visiting a compromised website. Among the notable items:
- A remote code execution vulnerability in the Windows Kernel (CVE-2026-17651) allows an authenticated attacker with low privileges to execute arbitrary code in kernel mode.
- A privilege escalation flaw in the Print Spooler service (CVE-2026-17622) could let a local attacker gain SYSTEM rights, a vector all too familiar since the PrintNightmare saga.
- An elevation-of-privilege bug in the Windows Ancillary Function Driver for WinSock (CVE-2026-17687) that Microsoft rates as “Exploitation More Likely,” based on internal threat intelligence.

Office updates included in the larger May 2026 security release tackle 12 vulnerabilities across Word, Excel, and Outlook. Most are memory corruption issues that could lead to remote code execution if a user opens a specially crafted file. Outlook receives a patch for a spoofing vulnerability (CVE-2026-18034) that could allow an attacker to bypass the “Block Senders” list.

Microsoft Edge and Chromium-based vulnerabilities—28 in total—are also swept up in this Patch Tuesday cycle, although the browser updates deploy independently via the browser’s own auto-update mechanism.

Why a Full Restart Is Critical

“Reboot now” is the prompt every Windows user loves to dismiss. With KB5089549, ignoring that prompt leaves your machine in a half-patched state. Here’s why.

Cumulative updates modify hundreds of system files, registry hives, and in-memory services—many of which remain locked while Windows is running. The update installation writes replacement files to temporary staging folders, then schedules a pending file rename operation that executes during the next restart. Until that reboot happens, the old (vulnerable) kernel, drivers, and service binaries stay active. Task Manager will show winlogon.exe, svchost.exe, and other critical processes using the original, unpatched code paths.

Security patches are only effective once the new binaries are actually loaded into memory. A machine that has downloaded and installed KB5089549 but hasn’t restarted is still fully exposed to the vulnerabilities the patch is designed to fix. For the critical kernel and print spooler flaws in this update, an unrebooted system remains a sitting duck.

Windows does offer some live patching capabilities for certain server workloads via Azure Automanage Hotpatch, but for desktop operating systems, a cold reboot is the rule. Microsoft’s own telemetry indicates that roughly 30% of consumer devices remain unrebooted 72 hours after a cumulative update installs. That’s a dangerously long window, especially during the first week after Patch Tuesday when attackers reverse-engineer patches to develop exploits.

IT administrators should enforce reboot deadlines via Group Policy or Intune. The standard grace period for quality updates is 7 days, but that can be tightened to 24–48 hours for security-conscious environments. Even better, schedule active hours and automatic restart windows to coincide with overnight downtime.

Known Issues and Resolutions

No cumulative update arrives without some collateral damage, and KB5089549 follows the pattern. Microsoft’s official known-issues list for this build includes three items:

  • Windows Hello facial recognition failure on certain Surface devices. The device tries to use the camera but falls back to PIN or password. Microsoft is working on a resolution and suggests using the PIN as a workaround.
  • Printers using Internet Printing Protocol (IPP) over USB may not reconnect after waking from sleep. A reinstallation of the printer driver or a restart of the Print Spooler service typically restores connectivity.
  • A small subset of devices with older Realtek audio codecs experience no sound after update. Rolling back the audio driver to the previous version via Device Manager (> Sound, video and game controllers > Realtek Audio > Driver tab > Roll Back Driver) addresses this while Microsoft prepares a fix.

Additionally, users on forums report minor File Explorer glitches where the navigation pane flashes during folder navigation. The issue appears cosmetic and does not affect system stability. Restarting the Explorer process or a full reboot clears it up. Microsoft hasn’t acknowledged this in the official KB notes yet, but the feedback hub is collecting diagnostics.

How to Install KB5089549

For most users, the update installs automatically. To manually check:

  1. Open Settings > Windows Update.
  2. Click Check for updates.
  3. If KB5089549 appears, click Download & install.
  4. Restart the computer when prompted.

Business users can deploy the update through Microsoft Update Catalog by downloading the MSU file. The direct link to the catalog entry is in the reference section below. Offline installation via DISM or integrated servicing with Windows images is also fully supported.

Post-installation, the OS build number will change to:
- Windows 11 24H2: build 26100.3775
- Windows 11 25H2: build 26120.3775

Community Pulse

Feedback on Reddit and Windows Insider forums paints a mixed picture. Enthusiasts who install on day zero appear split between “smooth update, no incidents” and reports of the audio hiccup mentioned above. One thread on r/Windows11 with over 200 upvotes praises the patch for noticeably improving right-click context menu responsiveness on 25H2 machines—a long-standing complaint since the original Windows 11 launch. That improvement, while not documented in Microsoft’s release notes, might be a side effect of Explorer.exe reliability fixes that the KB notes reference under “Quality improvements.”

IT admins on the Patch Tuesday Megathread in r/sysadmin are less thrilled about the size of the download: KB5089549 clocks in at 1.2 GB for the x64 version, straining VPN-connected laptops on slow links. Several admins recommend deploying via Delivery Optimization peer-to-peer within LAN boundaries to lessen the bandwidth hit.

The security community is zeroing in on the “Exploitation More Likely” label assigned to the WinSock driver bug. Researchers at Morphisec and Cisco Talos have teased proof-of-concept code demonstrations, indicating that reliable exploitation is plausible once the patch is reverse-engineered. This elevates the urgency for end users and enterprises alike to apply the update and, critically, to reboot.

Beyond Windows: The Broader Ecosystem Patch

While KB5089549 is the centerpiece for Windows 11, Microsoft’s May 2026 Patch Tuesday addresses vulnerabilities in a wide range of products:
- Windows 10 version 22H2 receives KB5089548, covering the same kernel and driver-level CVEs.
- Windows Server 2022 and 2025 get analogous updates.
- SharePoint Server patches fix three cross-site scripting (XSS) vulnerabilities.
- Visual Studio updates close two remote code execution risks for developers.
- .NET and ASP.NET Core security updates cover denial-of-service threats.

The total 137 CVEs span 11 product families. Nine of the critical-rated flaws affect the Windows operating system directly, underlining why OS patches remain the first line of defense every month.

Recommendations for Patch Management

For the average Windows 11 user, the advice is simple: let Windows Update do its job, and reboot when asked. Avoid third-party “update blockers” or scripts that disable Windows Update services; they leave systems vulnerable to the exact flaws KB5089549 fixes.

Enterprise IT teams should:
- Test KB5089549 in a pilot ring focusing on the known-audio and printer issues, especially in environments relying on IPP-over-USB setups.
- Set automatic deployment deadlines with forced reboots to shrink the window of vulnerability.
- Monitor the Microsoft Security Update Guide for any late additions to the known-issues list.
- Use attack surface reduction rules and credential guard to add defense-in-depth against the privilege escalation flaws patched this month.

With threat actors constantly scanning for unpatched systems, the gap between Patch Tuesday release and full deployment in an organization should ideally not exceed 48 hours. Automation tools like Microsoft Intune Update Rings or third-party patch management solutions make this increasingly achievable.

Looking Ahead

Microsoft has not indicated any change to the Patch Tuesday cadence. The next scheduled release will arrive on June 9, 2026. Until then, KB5089549 and its accompanying restarts will be the critical line of defense. Post-install, users can also take advantage of the Windows Update “Pause updates” feature if they want to defer future quality updates for up to 35 days—but pausing for convenience shouldn't extend to avoiding the reboot that activates the protection already downloaded.

As always, the lesson remains: installing patches is only half the equation. Without the restart, those 137 fixes sit on disk, inert, while the system runs old, vulnerable code. Hit that restart button.