IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2023-24941 | Auth: none | Reboot: required | Manual only

KB5026370: Windows Server 2022 Security Update (May 2023)

A crafted NFSv4.1 call can give an attacker SYSTEM-level code execution on any Windows Server running the NFS role.

Published May 9, 2023 · Updated May 21, 2026

Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

An attacker on the network who can reach the NFS server's ports (typically TCP/UDP 2049 plus the portmapper and lockd helpers) can send a crafted NFSv4.1 call that triggers the bug and runs code as SYSTEM on the file server. From SYSTEM the attacker has full control of the file shares — read, write, delete, ransomware-encrypt, and from the same foothold, pivot to clients that mount the shares.

How the attack works

The Windows Network File System (NFS) Server role lets Windows servers share files with Linux, Unix, and ESXi clients using the NFS protocol. When the server is processing incoming NFSv4.1 calls containing utf8strings and is low on memory, an input-validation flaw lets crafted call data corrupt memory and execute code in the NFS service context.

Am I affected? (Quick check)

Probably yes if any of these apply:

Windows Servers running the Server for NFS role
Mixed Windows/Linux/ESXi storage environments

Affected OS versions

Windows Server 2022

Real-world incidents (what we've seen)

A mixed Windows/Linux datacentre exports a fileshare via NFS to a fleet of ESXi hosts that store VM disks on it. An attacker on the storage VLAN sends a crafted NFSv4.1 call to the Windows NFS server, lands SYSTEM, and is now positioned to modify or encrypt every virtual disk file the cluster uses. NFS attack surface is often forgotten by Windows administrators because it is "Linux territory" — which is precisely why it remains under-patched.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5026370

Manual remediation steps

Temporary mitigation

If the patch cannot be applied immediately, Microsoft recommends temporarily downgrading the server to NFSv2 or NFSv3 — the bug is in the NFSv4.1 utf8string parser specifically.

# Check current NFS Server version configuration
Get-NfsServerConfiguration | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
# Disable NFSv4 (forces clients to v3)
Set-NfsServerConfiguration -EnableNFSV4 $false

This is a temporary measure — apply the cumulative update as the durable fix.

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5026370 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5026370)

Manual download (offline / air-gapped):

  1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5026370
  2. Download the MSU for Windows Server 2022 that matches your architecture (x64).
  3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5026370
[System.Environment]::OSVersion.Version
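
A read-only triage script that ties together the role check, the NFSv4 mitigation state and the patch check above. It is an added example, not part of the original advisory or a vendor script; the function name Get-Nfs41Exposure and the -PatchedUbr parameter are hypothetical, and the UBR value must be supplied from Microsoft's KB5026370 article because this page does not state it.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): read-only exposure triage for CVE-2023-24941.
# Assumes Windows Server 2022 with the ServerManager module available.
param(
    # Assumption: the build revision (UBR) that KB5026370 installs. This page does
    # not state it; take it from Microsoft's KB5026370 article. 0 skips the check.
    [int]$PatchedUbr = 0
)

# Hypothetical helper: turns the three facts into one verdict.
function Get-Nfs41Exposure {
    param([bool]$RoleInstalled, [bool]$NfsV4Enabled, [bool]$Patched)
    if (-not $RoleInstalled) { return 'NotAffected: Server for NFS role is not installed' }
    if ($Patched)            { return 'Patched: fix is installed (confirm the reboot happened)' }
    if (-not $NfsV4Enabled)  { return 'Mitigated: unpatched, NFSv4 disabled (temporary only)' }
    return 'Exposed: unpatched with NFSv4 enabled'
}

# FS-NFS-Service is the feature name of the Server for NFS role service.
$feature       = Get-WindowsFeature -Name FS-NFS-Service
$roleInstalled = [bool]($feature -and $feature.Installed)

# Only query NFS settings when the role exists.
$nfsV4 = $false
if ($roleInstalled) { $nfsV4 = [bool](Get-NfsServerConfiguration).EnableNFSV4 }

# Get-HotFix matches this exact KB only. A server that took a later cumulative
# update is also fixed but may not list KB5026370, so compare the UBR as well.
$kb      = Get-HotFix -Id KB5026370 -ErrorAction SilentlyContinue
$ubr     = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$patched = [bool]$kb -or ($PatchedUbr -gt 0 -and $ubr -ge $PatchedUbr)

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    NfsRole      = $roleInstalled
    NfsV4Enabled = $nfsV4
    KB5026370    = [bool]$kb
    CurrentUbr   = $ubr
    Verdict      = Get-Nfs41Exposure -RoleInstalled $roleInstalled -NfsV4Enabled $nfsV4 -Patched $patched
}
```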

Rollback

wusa.exe /uninstall /kb:5026370 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2022 specifically (KB5026370). Other Windows Server versions have their own KB for CVE-2023-24941.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-24941.