IRONSMITHINTEL
CRITICALCVSS9.1
|CVE-2024-38159|Auth: none|Reboot: required|Manual only

KB5041773: Windows Server 2016 Security Update (August 2024)

A crafted network operation against Windows Network Virtualization can give an attacker code execution on the Hyper-V host or related infrastructure.

Published Aug 13, 2024 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who can deliver crafted network traffic to a host running Windows Network Virtualization — typically from a guest VM, but potentially from the underlying physical network depending on configuration — can trigger the use-after-free and execute code. The companion CVE-2024-38160 in the same patch cycle is a heap-based buffer overflow with similar impact.

How the attack works

Windows Network Virtualization is the layer that lets Hyper-V hosts present virtual networks to guest VMs — including overlays like NVGRE / VXLAN and the network isolation between tenant VMs. A use-after-free flaw in the network virtualisation code lets crafted network traffic corrupt memory and execute code in the host's networking stack.

Am I affected?Quick check

Probably yes if any of these apply:

Hyper-V hosts using Network Virtualization
Multi-tenant virtualisation environments

Affected OS versions

Windows Server 2016
Real-world incidentsWhat we've seen

A multi-tenant Hyper-V host runs Network Virtualization to isolate tenant VMs onto separate virtual networks. One tenant is compromised; the attacker sends crafted network traffic that triggers the use-after-free in the virtualisation layer and gains code execution in the host's networking stack. From there they can pivot to other tenants' virtual networks or to the host itself.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5041773

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5041773 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5041773
2
Download the MSU for Windows Server 2016 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5041773
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5041773 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2016 specifically (KB5041773). Other Windows Server versions have their own KB for CVE-2024-38159.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38159 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-38159.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2024-38159MSRC AdvisoryNVDKBKB5041773