KB5087420 — May 2026 Security Update for Windows 11 Version 23H2

Overview

KB5087420 is a comprehensive security update released on May 12, 2026, for Windows 11 Version 23H2 systems. This update advances the operating system build to 22631.7079 and addresses multiple critical and important security vulnerabilities across core Windows components. The update is available for both x64 and ARM64-based systems and includes significant security enhancements for Windows Kernel, Remote Desktop Services, Microsoft Edge WebView2, Windows Graphics Component, Print Spooler, and Hyper-V subsystems.

Security Vulnerabilities Addressed

This security update resolves six distinct vulnerability categories that could potentially compromise system security, data integrity, or user privacy. The vulnerabilities range from local privilege escalation to remote code execution, affecting various Windows subsystems and components.

Windows Kernel Vulnerabilities (CVE-2026-0187, CVE-2026-0188)

Two elevation of privilege vulnerabilities in the Windows Kernel have been identified and resolved. These vulnerabilities could allow local authenticated attackers to execute arbitrary code with SYSTEM-level privileges, potentially compromising the entire system. The vulnerabilities stem from improper input validation in kernel system calls and insufficient memory boundary checks in kernel object handling.

The fixes include enhanced input validation mechanisms, improved memory boundary checks, strengthened privilege validation for kernel mode transitions, and updated kernel security descriptors. These changes ensure that kernel operations maintain proper security boundaries and prevent unauthorized privilege escalation.

Remote Desktop Services Vulnerability (CVE-2026-0189)

A critical remote code execution vulnerability in Remote Desktop Services has been addressed. This vulnerability could allow unauthenticated attackers to execute arbitrary code on target systems by sending specially crafted RDP connection requests. The vulnerability was particularly concerning as it could be exploited over the network without requiring user interaction.

The resolution includes enhanced protocol validation for RDP connection requests, improved buffer overflow protection in RDP message processing, strengthened authentication mechanisms, and updated RDP session management to prevent memory corruption. These improvements significantly enhance the security posture of systems with RDP enabled.

Microsoft Edge WebView2 Vulnerabilities (CVE-2026-0190, CVE-2026-0191)

Multiple memory corruption vulnerabilities in Microsoft Edge WebView2 have been patched. These vulnerabilities could lead to remote code execution when processing malicious web content, affecting applications that embed WebView2 components. The vulnerabilities were related to improper memory allocation validation and insufficient JavaScript engine security boundaries.

The updates include enhanced memory allocation validation in the WebView2 rendering engine, improved JavaScript engine security boundaries, strengthened DOM object lifecycle management, and an updated V8 JavaScript engine aligned with the latest security baseline.

Windows Graphics Component Vulnerability (CVE-2026-0192)

An information disclosure vulnerability in Windows Graphics Component has been resolved. This vulnerability could allow attackers to read sensitive memory contents from graphics buffers, potentially exposing confidential information. The issue was related to improper memory initialization and insufficient access control for graphics device interfaces.

The fix includes enhanced memory initialization for graphics buffers, improved access control for graphics device interfaces, strengthened validation of graphics API parameters, and updated DirectX runtime security checks.

Windows Print Spooler Vulnerability (CVE-2026-0193)

A privilege escalation vulnerability in Windows Print Spooler service has been addressed. This vulnerability could allow local authenticated attackers to gain elevated privileges through manipulation of print job parameters or spooler file operations. The vulnerability affects systems with Print Spooler service enabled.

Security improvements include enhanced validation of print job parameters, improved access control for spooler file operations, strengthened printer driver installation security, and updated spooler service privilege boundaries.

Windows Hyper-V Vulnerability (CVE-2026-0194)

A security feature bypass vulnerability in Windows Hyper-V has been patched. This vulnerability could allow guest virtual machines to escape isolation boundaries and potentially compromise the host system. The issue was related to insufficient hypervisor memory isolation and improper virtual machine exit handling.

The resolution includes enhanced hypervisor memory isolation mechanisms, improved virtual machine exit handling, strengthened HVCI enforcement, and updated virtual device security validation.

Installation and Deployment

The update is distributed through standard Windows Update channels and is compatible with existing enterprise deployment infrastructure. The installation process typically requires 15-30 minutes and mandates a system restart to complete the security enhancements.

For enterprise environments, the update integrates seamlessly with Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), and Microsoft Intune. IT administrators can leverage existing patch management policies and deployment schedules to ensure consistent security posture across managed devices.

The update packages are optimized for different architectures, with the x64 version approximately 485 MB and the ARM64 version approximately 445 MB. These sizes reflect the comprehensive nature of the security improvements and the inclusion of updated system components.

Performance and Compatibility Considerations

While the security updates are designed to maintain system performance, some temporary impacts may be observed, particularly on ARM64-based systems. These impacts are typically resolved within 24 hours as system optimization processes complete automatically.

The update maintains compatibility with existing applications and hardware configurations. However, enhanced security validation may result in slightly longer startup times for certain services, particularly Hyper-V virtual machines, which may experience 5-10 seconds additional startup time due to improved security checks.

Third-party security software may require brief adjustment periods as vendors update their compatibility databases and threat definitions to accommodate the security enhancements included in this update.