KB5087545: Windows Server 2022 Security Update (May 2026)
An attacker with code running inside a Hyper-V guest VM can break out and execute code on the host operating system.
An attacker who has any code execution inside a guest VM — a tenant on a multi-tenant host, a compromised developer VM, a sandboxed workload — can send crafted requests to the virtual device layer, exploit the use-after-free, and execute code on the host operating system. Once on the host, the attacker controls every other guest on the same hypervisor and any resources the host can reach.
Hyper-V is the Windows hypervisor — the layer that runs and isolates guest virtual machines on a host. The fundamental security guarantee of Hyper-V is that code inside a guest cannot reach the host. A use-after-free flaw in how Hyper-V emulates virtual devices for a guest breaks that guarantee: the hypervisor frees a memory object while still holding a dangling pointer to it, and a guest can manipulate the timing to redirect that pointer to attacker-controlled data.
Probably yes if any of these apply:
Affected OS versions
A managed-service provider runs customer workloads on shared Hyper-V hosts — different customers, different VMs, same physical box. One customer is compromised through a phishing campaign; the attacker installs the exploit inside the customer's VM, escapes to the host, and now has SYSTEM on a hypervisor that runs dozens of other customers' VMs. This is the highest-severity scenario for any virtualised environment and is precisely why hypervisor escapes are treated as critical regardless of the local attack vector.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5087545
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5087545 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5087545)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5087545
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5087545, the install did not take — re-run the update from a different channel.
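Steps 1 and 3 above are worth combining into one reusable status check when many hosts are in scope. The following PowerShell is an added example, not the site's tested script (the Notes say none exists yet); it assumes only the KB id from this page plus the ServerManager and Hyper-V modules that ship with a Windows Server 2022 host, and it does not check a fixed OS build because the page does not list one.

```powershell
# Added example (not the site's tested script). Assumes only the KB id from this
# page; no fixed build number is checked because the page does not list one.
param(
    [string]$KB = 'KB5087545',
    [switch]$Remediate   # also trigger the Windows Update channel from step 2
)

function Get-HyperVEscapePatchStatus {
    param([string]$KB)
    $hotfix  = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    $patched = ($null -ne $hotfix)

    # Only hosts with the Hyper-V role expose the virtual-device emulation path.
    $role   = Get-WindowsFeature -Name Hyper-V -ErrorAction SilentlyContinue
    $hyperv = [bool]($role -and $role.Installed)

    # Running guests are where untrusted tenant code would actually execute.
    $running = 0
    if ($hyperv -and (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
        $running = @(Get-VM | Where-Object State -eq 'Running').Count
    }

    # Update staged but not active until reboot (the page requires a reboot).
    $pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    if (-not $hyperv)                    { $exposure = 'None (Hyper-V role not installed)' }
    elseif ($patched -and -not $pending) { $exposure = 'Patched' }
    elseif ($patched)                    { $exposure = 'Patched, reboot pending' }
    elseif ($running -gt 0)              { $exposure = 'EXPOSED: unpatched host with running guests' }
    else                                 { $exposure = 'Unpatched host, no guests running' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        KB            = $KB
        Installed     = $patched
        InstalledOn   = if ($patched) { $hotfix.InstalledOn } else { $null }
        HyperVRole    = $hyperv
        RunningGuests = $running
        RebootPending = $pending
        Exposure      = $exposure
    }
}

$status = Get-HyperVEscapePatchStatus -KB $KB
$status | Format-List

if ($Remediate -and $status.HyperVRole -and -not $status.Installed) {
    UsoClient ScanInstallWait   # preferred channel from step 2; reboot separately
}
```

Run it without -Remediate first to inventory exposure across hosts; the Exposure field separates hosts that still need a reboot from hosts that never received the update.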
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5087545 /quiet /norestart
# Reboot after uninstall
Restart-Computer -Force
Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.