KB5023705: Windows Server 2022 Security Update (March 2023)
A single crafted HTTP/3 request can give an attacker kernel-level code execution on Windows Server 2022 web services that have HTTP/3 enabled.
An attacker who can reach any HTTP/3-enabled Windows Server endpoint can send a crafted QUIC request that triggers the use-after-free and executes code in the kernel, i.e. at a privilege level above SYSTEM. The attack works pre-authentication and requires no user interaction. AD FS servers on Windows Server 2022 are the most commonly cited target because AD FS may have HTTP/3 enabled for performance reasons.
The Windows HTTP Protocol Stack (http.sys) is the kernel-mode driver that handles incoming HTTP requests for IIS, AD FS, WSUS, WinRM, and any other Windows service that uses the built-in Windows HTTP listener. A use-after-free bug in its handling of HTTP/3 (QUIC) operations lets a crafted request reference freed memory and execute code in kernel context. HTTP/3 is not on by default: it requires the EnableHttp3 registry value to be set, and the server must use buffered I/O.
Probably yes if any of these apply:
Affected OS versions
A Windows Server 2022 host running AD FS has HTTP/3 enabled to improve mobile authentication performance. The AD FS endpoint is internet-facing, because that is what AD FS is for. An attacker sends one crafted QUIC packet, the kernel use-after-free triggers, and the attacker has kernel-context code execution on a server that holds the keys to federation for the entire organisation.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5023705
Manual remediation steps
Check whether HTTP/3 is enabled at all
HTTP/3 is off by default. If you have not deliberately enabled it, the vulnerability is not reachable on this server.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -Name EnableHttp3 -ErrorAction SilentlyContinue
If EnableHttp3 is missing or set to 0, this CVE does not apply to this host. Patch on the standard cadence regardless.
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5023705 -ErrorAction SilentlyContinue
# No output means the update is not installed on this host
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5023705)
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5023705
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5023705, the install did not take — re-run from a different channel.
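The checks above can be combined into one assessment. The script below is an added example, not code from this page or from Microsoft; it assumes an elevated PowerShell session on the Windows Server 2022 host and uses adfssrv (the AD FS service name) only to flag federation servers for priority. It does not evaluate the buffered I/O condition, so treat its result as a reachability check, not proof of non-exploitability.

```powershell
# Added example: assess one host's exposure to the HTTP/3 http.sys issue using
# the two checks this page gives (EnableHttp3 registry value, KB5023705 hotfix).
function Get-Http3ExposureState {
    [CmdletBinding()]
    param(
        [string]$Kb = 'KB5023705',
        [string]$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    )

    # 1. Is HTTP/3 enabled? A missing value or 0 means off (the default).
    $enableHttp3 = (Get-ItemProperty -Path $HttpParamsKey -Name EnableHttp3 `
                        -ErrorAction SilentlyContinue).EnableHttp3
    $http3Enabled = ($null -ne $enableHttp3) -and ([int]$enableHttp3 -ne 0)

    # 2. Is the March 2023 cumulative update installed? Get-HotFix returns
    #    nothing when it is not. A later cumulative update supersedes this KB,
    #    so a host patched with a newer LCU will also show nothing here.
    $hotfix  = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $patched = $null -ne $hotfix

    # 3. Is AD FS present? (assumption: adfssrv is the AD FS service name;
    #    presence only raises remediation priority, it does not change exposure)
    $adfs = Get-Service -Name adfssrv -ErrorAction SilentlyContinue

    $state = if (-not $http3Enabled) { 'NotReachable' }
             elseif ($patched)       { 'Patched' }
             else                    { 'Exposed' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [System.Environment]::OSVersion.Version.ToString()
        EnableHttp3  = $enableHttp3
        Http3Enabled = $http3Enabled
        KbInstalled  = $patched
        InstalledOn  = if ($patched) { $hotfix.InstalledOn } else { $null }
        AdfsPresent  = $null -ne $adfs
        State        = $state
    }
}

$result = Get-Http3ExposureState
$result | Format-List

switch ($result.State) {
    'Exposed'      { Write-Warning "HTTP/3 is enabled and $($result.KbInstalled -eq $false) -> install KB5023705 and reboot." }
    'NotReachable' { Write-Host "HTTP/3 is off; issue not reachable. Patch on the standard cadence." }
    'Patched'      { Write-Host "KB5023705 present. Confirm the host has rebooted since install." }
}
if ($result.AdfsPresent -and $result.State -eq 'Exposed') {
    Write-Warning "This host runs AD FS: treat as highest priority for remediation."
}
```

Run it per host and keep the emitted object as the remediation record; on hosts that took a newer cumulative update directly, verify the OS build instead of relying on the KB entry.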
Rollback
wusa.exe /uninstall /kb:5023705 /quiet /norestart
# Reboot after uninstall
Removing a cumulative update also removes every fix it delivered — prefer rolling forward.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.