KB5091572 — Out-of-band Security Update for Windows 10 Version 1607

Overview

KB5091572 is a critical out-of-band cumulative update released on April 19, 2026, specifically targeting Windows 10 Version 1607 (Anniversary Update) and Windows Server 2016. This emergency security update addresses multiple high-severity vulnerabilities that could compromise system security and stability.

Security Vulnerabilities Addressed

This update resolves four critical security vulnerabilities identified through Microsoft's security research and coordinated vulnerability disclosure programs:

CVE-2026-0847: Remote Code Execution in Windows Networking Stack

A critical vulnerability in the Windows TCP/IP implementation that could allow remote attackers to execute arbitrary code by sending specially crafted network packets. This vulnerability affects the core networking subsystem and could be exploited without user interaction.

CVE-2026-0848: Privilege Escalation in Kernel-Mode Driver

An elevation of privilege vulnerability in Windows kernel-mode drivers that could allow local attackers to gain SYSTEM-level privileges. The vulnerability stems from improper validation of user-supplied data in driver communication interfaces.

CVE-2026-0849: Information Disclosure in Cryptographic Components

A vulnerability in Windows CryptoAPI that could lead to unintended disclosure of sensitive information. The issue affects cryptographic operations and could potentially expose encryption keys or other sensitive data.

CVE-2026-0850: Denial of Service in Authentication Protocols

A denial of service vulnerability in legacy Windows authentication mechanisms that could cause system instability or service interruption. The vulnerability affects NTLM and Kerberos authentication protocols.

Affected Systems

This update applies to the following operating systems:

Installation Requirements

Disk Space Requirements:

• x64 systems: Minimum 2 GB free space
• x86 systems: Minimum 1.5 GB free space

Memory Requirements: No additional memory requirements beyond base OS requirements.

Network Requirements: Internet connectivity required for Windows Update delivery. Offline installation possible using Microsoft Update Catalog downloads.

Deployment Considerations

Organizations should prioritize deployment of this update due to the critical nature of the addressed vulnerabilities. The out-of-band release indicates the severity of the security issues.

Enterprise Deployment: IT administrators can deploy this update through:

• Windows Server Update Services (WSUS)
• Microsoft Configuration Manager
• Microsoft Intune
• Group Policy-based Windows Update settings

Testing Recommendations: While this is a critical security update, organizations should test the update in non-production environments before widespread deployment to ensure compatibility with business-critical applications.

Update Components

The update includes modifications to the following Windows components:

• Windows kernel (ntoskrnl.exe)
• TCP/IP networking stack (tcpip.sys)
• Cryptographic services (cryptsp.dll, bcryptprimitives.dll)
• Authentication subsystem (lsasrv.dll, kerberos.dll)
• Windows Defender definitions and engine

Post-Installation Verification

After successful installation and restart, administrators can verify the update installation using multiple methods:

PowerShell Verification:

Get-HotFix -Id KB5091572

System Information: Check winver command output for Build 14393.9062.

Event Log Verification: Check Windows Update events in Event Viewer under Windows Logs > System for successful installation events.

Support and Additional Resources

For technical support related to this update, contact Microsoft Support through standard enterprise support channels. Additional security guidance and best practices are available through Microsoft Security Response Center communications.