IRONSMITHINTEL

CRITICAL | CVSS 9.8 | CVE-2025-6965 | Auth: none | Reboot: required | Manual only

KB5073722: Windows Server 2016 Security Update (July 2025)

A memory corruption in the SQLite library Windows ships with can be triggered by any application that lets an attacker influence SQL queries.

Published Jul 8, 2025 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker who can shape SQL queries that run against the Windows-provided SQLite library can corrupt the process's heap and, with careful crafting, gain code execution in that process. The privilege obtained depends on the application: queries inside Microsoft Edge run as the user, queries inside a Windows service may run as SYSTEM. The realistic attack surface is any first- or third-party application that exposes SQL parsing to user input via winsqlite3.dll.

How the attack works

Windows ships its own copy of SQLite as winsqlite3.dll, used by Windows components and third-party applications that want an embedded database without bundling their own copy. A memory corruption bug — present in SQLite versions prior to 3.50.2 — is triggered when a query contains more aggregate terms (SUM, COUNT, AVG and friends) than the available columns. Any application that lets an attacker influence the structure of a SQL query against winsqlite3 may be made to corrupt memory and, with effort, execute code.

Am I affected? Quick check

Probably yes if any of these apply:

Any server running applications that use winsqlite3.dll and accept attacker-influenced SQL
Web applications, internal LOB applications, and Windows components that embed SQLite

Affected OS versions

Windows Server 2016
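
An added local check for the "Am I affected?" question (example code written for this page, not the advisory's own tooling): it lists every running process that currently has winsqlite3.dll mapped, which is the attack surface the text above describes, and reads the SQLite release string the DLL exports. Assumptions: winsqlite3.dll exposes the standard sqlite3_libversion() export, and the fixed release 3.50.2 is taken from the advisory text. A version string older than 3.50.2 is a hint, not proof, because Microsoft may backport the fix without changing SQLite's version string; the Get-HotFix check in the patch steps remains authoritative.

```powershell
# Added example (not part of the original advisory): inventory the processes
# on this server that have winsqlite3.dll loaded and report the SQLite release
# the DLL exports. Run in an elevated session to see other users' processes.
# Assumption: winsqlite3.dll exports sqlite3_libversion() like any SQLite build.

$FixedSqliteVersion = [version]'3.50.2'   # from the advisory text

# P/Invoke signature for sqlite3_libversion(): returns a const char* holding
# the library's release string, e.g. "3.44.2". Marshaled manually as ANSI.
Add-Type -Namespace WinSqlite -Name Native -MemberDefinition @'
[System.Runtime.InteropServices.DllImport("winsqlite3.dll",
    CallingConvention = System.Runtime.InteropServices.CallingConvention.Cdecl)]
public static extern System.IntPtr sqlite3_libversion();
'@

function Get-WinSqliteVersion {
    # Returns the SQLite release string, or $null if winsqlite3.dll cannot be loaded.
    try {
        $ptr = [WinSqlite.Native]::sqlite3_libversion()
        [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ptr)
    } catch {
        Write-Warning "winsqlite3.dll could not be loaded: $($_.Exception.Message)"
        $null
    }
}

function Get-WinSqliteConsumers {
    # One record per process that has winsqlite3.dll mapped right now.
    # Process.Modules throws on 32/64-bit mismatch or insufficient rights;
    # those processes are skipped rather than aborting the inventory.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $mod = $_.Modules | Where-Object { $_.ModuleName -ieq 'winsqlite3.dll' } | Select-Object -First 1
            if ($mod) {
                [pscustomobject]@{
                    ProcessName = $_.ProcessName
                    PID         = $_.Id
                    DllPath     = $mod.FileName
                    FileVersion = $mod.FileVersionInfo.FileVersion
                }
            }
        } catch {
            # inaccessible process; ignore
        }
    }
}

$sqliteVersion = Get-WinSqliteVersion
if ($sqliteVersion) {
    Write-Host "winsqlite3.dll reports SQLite $sqliteVersion"
    if ([version]$sqliteVersion -lt $FixedSqliteVersion) {
        # Version string alone is not conclusive: a backported fix may keep it.
        Write-Warning "SQLite build is older than $FixedSqliteVersion; treat as vulnerable unless Get-HotFix shows KB5073722."
    }
}

Get-WinSqliteConsumers | Sort-Object ProcessName | Format-Table -AutoSize
```

The process list is what matters operationally: any entry that parses attacker-influenced SQL (a web application, a line-of-business service, a browser) is where the patch priority sits, and a service running as SYSTEM in that list is the worst case the scenario above describes.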

Real-world incidents: what we've seen

A line-of-business application embeds SQLite via winsqlite3 and accepts user-supplied filters that it concatenates into SQL. An attacker submits a filter containing enough aggregate terms to trip the bug; the application process crashes, then crashes deterministically, then crashes in a way the attacker controls. The same class of bug — memory corruption in an embedded database — has been used to break out of browser renderers and into operating systems for years; the Windows attack surface is whatever applications expose winsqlite3 to attacker-influenced SQL.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5073722 (https://catalog.update.microsoft.com/Search.aspx?q=KB5073722)

Manual remediation steps

Prerequisites

1. Local administrator on the target server
2. Maintenance window with reboot capacity
3. Current backup or snapshot you can roll back to
4. Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5073722 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5073722)

Manual download (offline or air-gapped servers):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5073722
2. Download the MSU for Windows Server 2016 that matches your architecture (x64).
3. Copy the .msu file to the server and run it as Administrator (double-click it, or run wusa.exe with the path to the .msu from an elevated prompt).

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5073722

# Confirm OS build advanced
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5073722, the install did not take — re-run the update from a different channel.
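
The three steps and the verification above, combined into one script as an added example (written for this page; it is not the advisory's own PowerShell automation, which the page marks as not yet available). Assumptions: the script runs in an elevated PowerShell session on the target server; the MSU path for the offline channel is a placeholder you supply; UsoClient.exe is present, as it is on Server 2016; and the two registry keys used to detect a pending reboot are the standard Windows Update and Component Based Servicing locations. The wusa.exe exit codes checked (0, 3010 for success with reboot pending, 2359302 for already installed) are documented Windows Update result codes.

```powershell
# Added example (not the advisory's own automation): check for KB5073722,
# install it via Windows Update/WSUS or from a downloaded MSU, reboot, and
# leave a one-line verification you can re-run after the reboot.
# Run elevated. -MsuPath is a placeholder for the offline channel.

param(
    [string]$Kb = 'KB5073722',
    [string]$MsuPath = '',      # e.g. 'C:\Patches\<downloaded-file>.msu' (placeholder)
    [int]$WaitMinutes = 30,     # how long to wait for the online install to stage
    [switch]$NoReboot
)

function Test-KbInstalled([string]$Id) {
    # Get-HotFix returns nothing when the KB is absent.
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-RebootPending {
    # Standard markers written by Windows Update and by component servicing
    # once an update has been staged and is waiting for a restart.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
}

function Install-KbOffline([string]$Path) {
    # Offline / air-gapped channel: install the MSU with wusa.exe.
    if (-not (Test-Path $Path)) { throw "MSU not found: $Path" }
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    # 0 = installed, 3010 = installed and reboot required, 2359302 = already installed
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed with exit code $($p.ExitCode)"
    }
}

function Install-KbOnline([int]$TimeoutMinutes) {
    # Windows Update / WSUS channel. UsoClient hands the work to the update
    # orchestrator and returns, so poll until the KB shows up or a reboot is
    # pending, then give up with an error after the timeout.
    & UsoClient.exe ScanInstallWait
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ((Test-KbInstalled $Kb) -or (Test-RebootPending)) { return }
        Start-Sleep -Seconds 60
    }
    throw "$Kb was not staged within $TimeoutMinutes minutes; check WSUS approval or use the offline channel."
}

# 1. Confirm the server is missing the patch.
if (Test-KbInstalled $Kb) {
    Write-Host "$Kb already installed on $env:COMPUTERNAME; nothing to do."
    return
}

# 2. Install via the chosen channel.
if ($MsuPath) { Install-KbOffline $MsuPath } else { Install-KbOnline $WaitMinutes }

# 3. Reboot. The fix is not active until the server restarts.
if ($NoReboot) {
    Write-Warning "$Kb staged on $env:COMPUTERNAME; reboot required before the fix is active."
    return
}
Write-Host "Rebooting $env:COMPUTERNAME; after restart verify with: Get-HotFix -Id $Kb"
Restart-Computer -Force
```

After the reboot, the verification from the steps above still applies: Get-HotFix -Id KB5073722 must return the KB with an InstalledOn date, and [System.Environment]::OSVersion.Version should show the advanced build. The script deliberately refuses to reboot when the online channel never stages the update, so a WSUS approval gap surfaces as an error rather than a pointless restart.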

Rollback

# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5073722 /quiet /norestart
# Reboot after uninstall

Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.

Notes

This entry covers Windows Server 2016 specifically (KB5073722). Other Windows Server versions have their own KB for CVE-2025-6965.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-6965 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-6965.

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We're prioritising automation based on user demand.