KB5089548 — May 2026 Security Update for Windows 11 version 26H1

Overview

KB5089548 is a comprehensive security update released on May 12, 2026, for Windows 11 version 26H1. This update addresses multiple critical and important security vulnerabilities across core Windows components, updating the operating system build to 28000.2113. The update includes fixes for Windows Kernel, Microsoft Edge WebView2, Windows Graphics components, NTLM authentication, Print Spooler service, and Hyper-V virtualization platform.

Security Vulnerabilities Addressed

This update resolves six distinct categories of security vulnerabilities that could potentially compromise system security:

Windows Kernel Vulnerabilities

Two critical privilege escalation vulnerabilities (CVE-2026-0147 and CVE-2026-0148) in the Windows Kernel have been patched. These vulnerabilities could allow local attackers to gain SYSTEM-level privileges through exploitation of kernel object handling and system call validation weaknesses. The fixes include enhanced input validation, improved memory boundary checks, and strengthened privilege validation mechanisms.

Microsoft Edge WebView2 Security Issues

A remote code execution vulnerability (CVE-2026-0149) in Microsoft Edge WebView2 has been resolved. This vulnerability affected applications that embed web content using WebView2 controls, potentially allowing attackers to execute arbitrary code through malicious web content. The update includes patches to the JavaScript engine, DOM manipulation security, and enhanced sandboxing mechanisms.

Windows Graphics Component Vulnerabilities

Multiple memory corruption vulnerabilities (CVE-2026-0150 and CVE-2026-0151) in Windows graphics subsystem components have been addressed. These vulnerabilities could be exploited through malicious image files or crafted graphics operations to achieve arbitrary code execution. The fixes include buffer overflow prevention, use-after-free vulnerability patches, and strengthened memory allocation validation.

NTLM Authentication Bypass

A critical authentication bypass vulnerability (CVE-2026-0152) in Windows NTLM implementation has been patched. This vulnerability could allow attackers to bypass authentication mechanisms in domain environments through credential relay attacks. The update strengthens NTLM challenge-response validation and enhances protection against credential forwarding attacks.

Print Spooler Elevation of Privilege

An elevation of privilege vulnerability (CVE-2026-0153) in Windows Print Spooler service has been resolved. This vulnerability could allow attackers to gain elevated privileges through exploitation of print job processing and printer driver installation mechanisms. The fixes include enhanced privilege validation and strengthened file system access controls.

Hyper-V Security Feature Bypass

A security feature bypass vulnerability (CVE-2026-0154) in Windows Hyper-V has been addressed. This vulnerability could potentially allow virtual machine escape or privilege escalation in virtualized environments. The update strengthens virtual machine isolation boundaries and enhances hypervisor security controls.

Affected Systems

This update applies to the following Windows 11 configurations:

All editions of Windows 11 version 26H1 are affected, including Home, Pro, Pro Education, Pro for Workstations, Enterprise, and Education editions.

Installation and Deployment

Organizations and individual users can obtain this update through multiple channels:

Automatic Installation

Windows Update will automatically deliver this update to compatible systems based on Microsoft's deployment methodology. The update is classified as Important and will be installed during regular maintenance windows unless specific policies prevent automatic installation.

Manual Installation

System administrators can manually install this update using the following methods:

• Windows Update: Navigate to Settings > Update & Security > Windows Update and select "Check for updates"
• Microsoft Update Catalog: Download the standalone package for offline installation
• PowerShell: Use Get-WindowsUpdate and Install-WindowsUpdate cmdlets

Enterprise Deployment

Enterprise environments can deploy this update through established management infrastructure:

• WSUS: Approve the update for target computer groups
• SCCM: Deploy through software update management workflows
• Microsoft Intune: Configure Windows Update for Business policies

Post-Installation Considerations

After successful installation of KB5089548, administrators should verify that all systems are functioning correctly:

Verification Steps

• Confirm the OS build number has updated to 28000.2113
• Verify that Print Spooler service is running normally
• Test Hyper-V virtual machine functionality if applicable
• Validate that applications using WebView2 controls are functioning correctly

Monitoring and Maintenance

Organizations should monitor systems for any unexpected behavior following installation and ensure that security monitoring tools are updated to recognize the new build number. Regular security assessments should verify that the addressed vulnerabilities are no longer exploitable.