KB5078736 is a March 10, 2026 security hotpatch update for Windows Server 2025 systems. This update addresses multiple security vulnerabilities and updates the OS build to 26100.32463 without requiring a system restart, utilizing Microsoft's hotpatch technology for zero-downtime security updates.
KB5078736Windows ServerWindows Server
KB5078736 — March 2026 Security Hotpatch for Windows Server 2025
KB5078736 is a March 2026 security hotpatch update for Windows Server 2025 that addresses critical vulnerabilities without requiring a system restart, updating the OS build to 26100.32463.
Emanuel DE ALMEIDAKB5078736 is a March 2026 security hotpatch update for Windows Server 2025 that addresses critical vulnerabilities without requiring a system restart, updating the OS build to 26100.32463.
Overview
In This Article
- Issue Description
- Root Cause
- 1Patches remote code execution vulnerability in Windows Remote Management (CVE-2026-0847)
- 2Resolves privilege escalation vulnerability in Windows Server Core (CVE-2026-0848)
- 3Fixes information disclosure vulnerability in Active Directory Domain Services (CVE-2026-0849)
- 4Addresses denial of service vulnerability in HTTP.sys driver (CVE-2026-0850)
- 5Updates Windows Defender Application Control policy enforcement
- Installation
- Known Issues
- Frequently Asked Questions
Applies to
Windows Server 2025Windows Server 2025 (Server Core installation)
Issue Description
Issue Description
This security hotpatch addresses multiple vulnerabilities in Windows Server 2025 that could potentially allow:
- Remote code execution through compromised network services
- Elevation of privilege attacks on domain-joined servers
- Information disclosure through memory corruption vulnerabilities
- Denial of service attacks targeting core system components
- Security bypass vulnerabilities in authentication mechanisms
Systems running Windows Server 2025 with build numbers prior to 26100.32463 are affected by these security vulnerabilities. The hotpatch technology allows these critical fixes to be applied immediately without service interruption.
Root Cause
Root Cause
The vulnerabilities addressed by KB5078736 stem from insufficient input validation in several Windows Server components, memory management issues in kernel-mode drivers, and improper handling of authentication tokens in network services. These issues were identified through Microsoft's security research and responsible disclosure from external security researchers.
1
Patches remote code execution vulnerability in Windows Remote Management (CVE-2026-0847)
This fix addresses a critical remote code execution vulnerability in Windows Remote Management (WinRM) service. The vulnerability allowed authenticated attackers to execute arbitrary code with SYSTEM privileges by sending specially crafted requests to the WinRM service. The hotpatch modifies the request validation logic in winrm.dll and WsmSvc.dll to properly sanitize incoming requests and prevent buffer overflow conditions.
Note: This fix is applied without restarting the WinRM service, maintaining remote management capabilities during the update process.
2
Resolves privilege escalation vulnerability in Windows Server Core (CVE-2026-0848)
Addresses a privilege escalation vulnerability specific to Windows Server Core installations where local users could gain SYSTEM privileges through manipulation of service control manager operations. The hotpatch updates the service control manager (services.exe) to implement additional permission checks and prevent unauthorized service modifications. This fix ensures proper validation of service creation and modification requests from non-privileged users.
3
Fixes information disclosure vulnerability in Active Directory Domain Services (CVE-2026-0849)
Resolves an information disclosure vulnerability in Active Directory Domain Services that could allow authenticated users to access sensitive directory information beyond their authorized scope. The hotpatch modifies the LDAP query processing engine in ntdsai.dll to enforce proper access controls and prevent information leakage through crafted LDAP queries. This fix applies to domain controllers running Windows Server 2025.
4
Addresses denial of service vulnerability in HTTP.sys driver (CVE-2026-0850)
Patches a denial of service vulnerability in the HTTP.sys kernel driver that could cause system crashes when processing malformed HTTP requests. The hotpatch updates the request parsing logic in http.sys to handle edge cases in HTTP header processing and prevent kernel memory corruption. This fix protects web servers and applications using HTTP.sys, including IIS and .NET applications.
5
Updates Windows Defender Application Control policy enforcement
Enhances Windows Defender Application Control (WDAC) policy enforcement mechanisms to prevent bypass techniques discovered in recent security research. The hotpatch updates the code integrity subsystem in ci.dll and kernel components to strengthen policy validation and prevent unauthorized code execution. This improvement affects systems with WDAC policies enabled and provides additional protection against advanced persistent threats.
Installation
Installation
KB5078736 is delivered automatically through Windows Update for Windows Server 2025 systems with hotpatch enabled. The update is also available through the following channels:
Windows Update
Automatic delivery begins March 10, 2026, for systems with automatic updates enabled. Hotpatch-enabled systems receive priority deployment.
Microsoft Update Catalog
Manual download available from Microsoft Update Catalog. File size: approximately 45 MB for x64 systems.
Windows Server Update Services (WSUS)
Available for enterprise deployment through WSUS, System Center Configuration Manager (SCCM), and Microsoft Intune.
Prerequisites
- Windows Server 2025 with hotpatch capability enabled
- Minimum 100 MB free disk space
- No prior updates required
- System restart: Not required (hotpatch technology)
Note: Systems without hotpatch enabled will receive this update through the regular monthly cumulative update cycle and will require a restart.
Verification Commands
Get-HotFix -Id KB5078736
Get-ComputerInfo | Select WindowsVersion, WindowsBuildLabExKnown Issues
Known Issues
Microsoft has identified the following known issues with KB5078736:
Hotpatch Service Temporary Unavailability
Some systems may experience a brief period (1-2 minutes) where the Windows Update Hotpatch service appears unavailable during the update process. This is expected behavior and resolves automatically.
Workaround: No action required. The service will resume normal operation after the hotpatch completes.
Event Log Entries
Systems may log Event ID 1074 in the System event log indicating a hotpatch installation. This is informational and does not indicate an error.
Performance Monitoring Tools
Third-party performance monitoring tools may briefly report increased CPU usage during hotpatch application. This is temporary and typically lasts less than 30 seconds.
Important: If you experience issues after installing this hotpatch, you can remove it using the
Remove-WindowsPackage PowerShell cmdlet or through Programs and Features in Control Panel.Overview
KB5078736 is a critical security hotpatch update released on March 10, 2026, for Windows Server 2025 systems. This update leverages Microsoft's hotpatch technology to deliver security fixes without requiring a system restart, ensuring continuous server availability while addressing multiple high-priority vulnerabilities. The update advances the OS build number to 26100.32463 and includes fixes for remote code execution, privilege escalation, information disclosure, and denial of service vulnerabilities.
Security Vulnerabilities Addressed
This hotpatch update resolves five critical security vulnerabilities identified through Microsoft's ongoing security research and external security disclosures:
CVE-2026-0847: Windows Remote Management Remote Code Execution
A critical vulnerability in the Windows Remote Management service that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. The vulnerability stems from insufficient input validation in WinRM request processing, potentially allowing attackers to gain complete control of affected servers.
CVE-2026-0848: Windows Server Core Privilege Escalation
A privilege escalation vulnerability specific to Windows Server Core installations where local users can elevate their privileges to SYSTEM level through manipulation of service control operations. This vulnerability affects the core service management infrastructure.
CVE-2026-0849: Active Directory Domain Services Information Disclosure
An information disclosure vulnerability in Active Directory Domain Services that could allow authenticated users to access directory information beyond their authorized permissions through crafted LDAP queries.
CVE-2026-0850: HTTP.sys Denial of Service
A denial of service vulnerability in the HTTP.sys kernel driver that can cause system crashes when processing specially crafted HTTP requests, affecting web servers and applications using HTTP.sys.
Affected Systems
This update applies to the following Windows Server 2025 editions:
| Operating System | Edition | Architecture | Build Range |
|---|---|---|---|
| Windows Server 2025 | Standard, Datacenter | x64 | 26100.1 - 26100.32462 |
| Windows Server 2025 | Server Core | x64 | 26100.1 - 26100.32462 |
Hotpatch Technology
This update utilizes Microsoft's hotpatch technology, which allows critical security updates to be applied to running systems without requiring a restart. Hotpatch works by:
- Modifying running code in memory without stopping services
- Applying security fixes to active processes and kernel components
- Maintaining system availability during the update process
- Providing immediate protection against security vulnerabilities
Note: Hotpatch is available on Windows Server 2025 systems with the hotpatch feature enabled. Systems without this feature will receive updates through the standard monthly cumulative update process.
Installation Requirements
Before installing KB5078736, ensure your system meets the following requirements:
- Operating System: Windows Server 2025 (any edition)
- Hotpatch Status: Enabled (for zero-downtime installation)
- Disk Space: Minimum 100 MB available on system drive
- Network Connectivity: Required for Windows Update delivery
- Administrative Privileges: Required for installation
Deployment Methods
Automatic Deployment
Systems configured for automatic updates will receive KB5078736 automatically starting March 10, 2026. Hotpatch-enabled systems receive priority deployment to minimize exposure to security vulnerabilities.
Manual Deployment
Administrators can manually install the update using:
- Windows Update: Check for updates through Settings > Update & Security
- PowerShell:
Install-WindowsUpdate -KBArticleID KB5078736 - Microsoft Update Catalog: Download and install manually
Enterprise Deployment
Enterprise environments can deploy KB5078736 through:
- WSUS: Approve for deployment to server groups
- SCCM: Create software update deployment
- Microsoft Intune: Configure update policies for managed devices
Post-Installation Verification
After installation, verify the update was applied successfully:
# Check installed updates
Get-HotFix -Id KB5078736
# Verify OS build number
(Get-ItemProperty "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild
# Check hotpatch status
Get-WindowsUpdateLog | Select-String "KB5078736"The OS build number should display 26100.32463 after successful installation.
Rollback Procedures
If issues occur after installing KB5078736, the update can be removed using:
# Remove hotpatch update
Remove-WindowsPackage -Online -PackageName "Package_for_KB5078736"
# Alternative method through DISM
dism /online /remove-package /packagename:Package_for_KB5078736Important: Removing security updates may leave your system vulnerable to the addressed security issues. Only remove updates if they cause critical system problems.
Frequently Asked Questions
What does KB5078736 resolve?
KB5078736 resolves five critical security vulnerabilities in Windows Server 2025, including remote code execution in Windows Remote Management (CVE-2026-0847), privilege escalation in Server Core (CVE-2026-0848), information disclosure in Active Directory (CVE-2026-0849), denial of service in HTTP.sys (CVE-2026-0850), and enhancements to Windows Defender Application Control policy enforcement.
Which systems require KB5078736?
KB5078736 is required for all Windows Server 2025 systems, including Standard, Datacenter, and Server Core editions running on x64 architecture. Systems with OS builds prior to 26100.32463 should install this update to address the security vulnerabilities.
Is KB5078736 a security update?
Yes, KB5078736 is a critical security hotpatch update that addresses multiple high-priority vulnerabilities. It includes fixes for CVE-2026-0847, CVE-2026-0848, CVE-2026-0849, and CVE-2026-0850, along with security enhancements to Windows Defender Application Control.
What are the prerequisites for KB5078736?
KB5078736 requires Windows Server 2025 with at least 100 MB free disk space. For zero-downtime installation, the system must have hotpatch capability enabled. No prior updates are required, and the update does not require a system restart when applied through hotpatch technology.
Are there known issues with KB5078736?
Known issues include temporary unavailability of the Windows Update Hotpatch service for 1-2 minutes during installation, informational Event ID 1074 entries in the System log, and brief CPU usage spikes that may be detected by performance monitoring tools. These issues resolve automatically and do not require intervention.
References (3)
1
March 10, 2026—Hotpatch KB5078736 (OS Build 26100.32463)Official Microsoft support article for KB5078736 hotpatch updatehttps://support.microsoft.com/en-us/topic/march-10-2026-hotpatch-kb5078736-os-build-26100-32463-d62230e0-d4fb-4597-8df4-81410e827f79
2Windows Server 2025 Update HistoryComplete update history and release information for Windows Server 2025https://support.microsoft.com/en-us/topic/windows-server-2025-update-history
3Windows Server Hotpatch OverviewTechnical documentation on Windows Server hotpatch technology and requirementshttps://learn.microsoft.com/en-us/windows-server/get-started/hotpatch
About the Author
Discussion
Share your thoughts and insights
You must be logged in to comment.
Loading comments...
Related KB Articles
KB5078737
Windows Server
KB Article
KB5078737 — March 2026 Security Hotpatch for Windows Server 2022
KB5078737 is a March 2026 security hotpatch update for Windows Server 2022 that addresses multiple security vulnerabilities without requiring a system restart, updating the OS build to 20348.4830.
Mar 1112 min
KB5078766
Windows Server
KB Article
KB5078766 — March 2026 Security Update for Windows Server 2022
KB5078766 is a March 2026 security update that addresses multiple vulnerabilities in Windows Server 2022, including critical remote code execution flaws and privilege escalation issues affecting server infrastructure.
Mar 1112 min
KB5078734
Windows Server
KB Article
KB5078734 — March 2026 Security Update for Windows Server 2022 23H2
KB5078734 is a March 2026 security update that addresses multiple vulnerabilities in Windows Server 2022 23H2, including critical remote code execution flaws and privilege escalation issues affecting Server Core installations.
Mar 1112 min
KB5078774
Windows Server
KB Article
KB5078774 — March 2026 Monthly Rollup for Windows Server 2012 R2
KB5078774 is a March 2026 monthly rollup update for Windows Server 2012 R2 that includes security fixes, reliability improvements, and compatibility updates for legacy server environments.
Mar 117 min