KB5034766 for Windows 11 21H2 edition

KB5034766 is the cumulative update for Windows 11 version 21H2. It was released as part of Microsoft’s ‘Patch Tuesday’ on 13 February 2024.

Salient points

  • KB5034766 is a cumulative update. The update supersedes the KB5034121 cumulative update released in December 2023.
  • KB5034766 corresponds to Windows 11 21H2 build 22000.2777.
  • KB5034121 corresponds to Windows 11 21H2 build 22000.2713.
  • You will transition from build 2713 to 2777 when you upgrade from KB5034121 to KB5034766 on Windows 11 21H2.
  • 40 security vulnerabilities affect Windows 11 21H2 editions for x64 platforms.
  • 40 security vulnerabilities affect Windows 11 21H2 editions for ARM64 platforms.
  • 2 of these security vulnerabilities carry a ‘CRITICAL’ severity for Windows 11 21H2 x64 and ARM64 deployments.
  • Servicing Stack Update 22000.2770 corresponds to KB5034121. It is a part of the cumulative update.
  • Separate installation of the Servicing Stack Update is not needed for KB5034766.

We look at the download links for KB5034766 and the different vulnerabilities below. KB5034766 installer files are available for x64 and ARM64 systems.

Note that the Home, Pro, Pro Education, and Pro for Workstations editions of Windows 11 version 21H2 reached end of service on October 10, 2023. Monthly security and quality updates are no longer available for these editions.

Download KB5034766

KB5034766 can be applied automatically using the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the preferred approach for rolling out updates to Windows 11 endpoints.

You can also deploy KB5034766 manually. For manual deployments, you need an offline installer file for KB5034766. The offline installer is provided as an MSU file, with separate files for x64 and ARM64 systems.

You can download the offline installer for x64 or ARM64 platforms from the Microsoft Update Catalog site, or from the direct download links shared below.

Your Windows 11 21H2 system will reboot after KB5034766 is deployed.

If you have already deployed KB5034121, only the incremental changes of KB5034766 will be installed on the Windows 11 21H2 system. This incremental update process is generally fast.
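To confirm a rollout, compare each endpoint's OS build with the build numbers given in the salient points above. The following PowerShell is an added example, not part of the original article; the inventory rows and the function names are constructed for illustration.

```powershell
# Added example: build numbers are from the article; computer names are constructed.
$TargetBuild    = 22000   # Windows 11 21H2
$TargetRevision = 2777    # KB5034766
$PriorRevision  = 2713    # KB5034121

function Get-LocalOsBuild {
    # CurrentBuild (string) and UBR (DWORD) are the two halves of "22000.2777".
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Get-KB5034766State {
    param([Parameter(Mandatory)][string]$OsBuild)
    $state = 'Unparseable'
    # Accept both "22000.2777" and "10.0.22000.2777" as inventory tools report either.
    if ($OsBuild.Trim() -match '^(?:10\.0\.)?(\d+)\.(\d+)$') {
        $build = [int]$Matches[1]
        $rev   = [int]$Matches[2]
        if     ($build -ne $TargetBuild)  { $state = 'Not21H2' }
        elseif ($rev -ge $TargetRevision) { $state = 'KB5034766OrLater' }
        elseif ($rev -ge $PriorRevision)  { $state = 'KB5034121Level' }
        else                              { $state = 'OlderThanKB5034121' }
    }
    [pscustomobject]@{ OsBuild = $OsBuild; State = $state }
}

# Constructed inventory export (hypothetical hosts).
$inventory = @(
    [pscustomobject]@{ ComputerName = 'WS-001'; OsBuild = '22000.2777' }
    [pscustomobject]@{ ComputerName = 'WS-002'; OsBuild = '10.0.22000.2713' }
    [pscustomobject]@{ ComputerName = 'WS-003'; OsBuild = '22000.2600' }
    [pscustomobject]@{ ComputerName = 'WS-004'; OsBuild = '22621.3155' }
)

$inventory | ForEach-Object {
    $result = Get-KB5034766State -OsBuild $_.OsBuild
    [pscustomobject]@{
        ComputerName = $_.ComputerName
        OsBuild      = $_.OsBuild
        State        = $result.State
    }
} | Format-Table -AutoSize

# On the endpoint itself:
# Get-KB5034766State -OsBuild (Get-LocalOsBuild)
```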

Vulnerabilities

Windows 11 21H2 x64 edition is affected by 40 security vulnerabilities and ARM64 edition is also affected by 40 security vulnerabilities. We discuss the two CRITICAL threats that impact Windows 11 21H2 for x64 and ARM64 systems.

CRITICAL vulnerabilities

The 2 CRITICAL vulnerabilities affecting Windows 11 21H2 are shared below. These vulnerabilities could lead to ‘Remote Code Execution’ attacks and ‘Denial of Service’ attacks.

| CVE details | CVSS | Severity | Impact | Description |
|---|---|---|---|---|
| CVE-2024-21357 | 8.1 | CRITICAL | Remote Code Execution | This vulnerability affects Windows Pragmatic General Multicast (PGM). Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Windows Pragmatic General Multicast (PGM) produces multicast traffic that runs on layer 4 and is routable. Therefore this vulnerability can be exploited over the network. An attacker could exploit this vulnerability by sending specially crafted malicious traffic directed at a vulnerable server. |
| CVE-2024-20684 | 6.5 | CRITICAL | Denial of Service | This is a Windows Hyper-V Denial of Service vulnerability. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. |

The following zero-day threats affect Windows 11 22H2 and 23H2 editions for x64 and ARM64 deployments.

| CVE details | CVSS | Severity | Impact | Description |
|---|---|---|---|---|
| CVE-2024-21351 | 7.6 | IMPORTANT | Security Feature Bypass | When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, SmartScreen does a reputation check. An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. |
| CVE-2024-21412 | 8.1 | IMPORTANT | Security Feature Bypass | An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link. |
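The zone identifier described for CVE-2024-21351 can be inspected directly, which is useful when triaging a downloaded file. The following PowerShell is an added example, not part of the original article; it parses the `Zone.Identifier` stream and lists which files in a folder carry it. The function names, sample stream text and example.com URLs are constructed, and the folder scan assumes an NTFS volume.

```powershell
# Added example: sample stream content is constructed for illustration.
function ConvertFrom-ZoneIdentifier {
    param([string[]]$Lines)
    # Standard URL security zones used in the ZoneId field.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }
    $fields = @{}
    foreach ($line in $Lines) {
        # Key=Value lines; the "[ZoneTransfer]" section header is skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($fields['ZoneId'] -notmatch '^\d+$') { return $null }   # absent or malformed
    $id = [int]$fields['ZoneId']
    [pscustomobject]@{
        ZoneId       = $id
        Zone         = $zoneNames[$id]
        InternetZone = ($id -eq 3)      # the case in which SmartScreen does a reputation check
        HostUrl      = $fields['HostUrl']
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        # A missing stream is normal for locally created files, so errors are suppressed.
        $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $motw  = if ($lines) { ConvertFrom-ZoneIdentifier -Lines $lines }
        [pscustomobject]@{
            File    = $_.Name
            HasMotW = [bool]$motw
            ZoneId  = $motw.ZoneId
            HostUrl = $motw.HostUrl
        }
    }
}

# Constructed stream content, as written for a file downloaded from the internet.
$sample = @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.com/downloads/'
    'HostUrl=https://example.com/downloads/setup.exe'
)
ConvertFrom-ZoneIdentifier -Lines $sample | Format-List

# Against a real folder:
# Get-MarkOfTheWeb -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```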

The following changes are part of the KB5034766 cumulative update for Windows 11 21H2 editions:

  • This update addresses an issue that affects remote direct memory access (RDMA) performance counters. They do not return networking data on VMs in the right way.
  • This update addresses an issue that affects fontdrvhost.exe. It stops responding when you use Compact Font Format version 2 (CFF2) fonts.
  • This update addresses a memory leak in ctfmon.exe.
  • This update addresses a memory leak in TextInputHost.exe.
  • This update affects Unified Extensible Firmware Interface (UEFI) Secure Boot systems. It adds a renewed signing certificate to the Secure Boot DB variable. You can now opt for this change. For more details, see KB5036210.
  • This update addresses an issue that affects the download of device metadata. Downloads from the Windows Metadata and Internet Services (WMIS) over HTTPS are now more secure.
  • This update addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). It might stop working. This occurs when you access the Active Directory database.
  • This update addresses an issue that affects Windows Defender Application Control (WDAC). Its “allow” policies might block some binaries from running.
  • This update addresses an issue that affects the Certificate Authority snap-in. You cannot select the “Delta CRL” option. This stops you from using the GUI to publish Delta CRLs.
  • This update changes a setting in Active Directory Users & Computers. By default, the snap-in now uses a strong certificate mapping of X509IssuerSerialNumber. It does not use the weak mapping of x509IssuerSubject.
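To find accounts that still carry the weak mapping named in the last item, the values of the `altSecurityIdentities` attribute can be classified by their tag pattern. The following PowerShell is an added example, not part of the original article. It goes beyond the two mapping types the article names and also covers the other mapping types Microsoft documents for this attribute; the function name, sample strings and example.com names are constructed.

```powershell
# Added example: mapping strings below are constructed for illustration.
# Key = sequence of tags in the mapping string; value = mapping type and strength.
$MappingTypes = @{
    'I+SR'       = @('X509IssuerSerialNumber', 'Strong')
    'SKI'        = @('X509SKI',                'Strong')
    'SHA1-PUKEY' = @('X509SHA1PublicKey',      'Strong')
    'I+S'        = @('X509IssuerSubject',      'Weak')
    'S'          = @('X509SubjectOnly',        'Weak')
    'RFC822'     = @('X509RFC822',             'Weak')
}

function Get-CertMappingStrength {
    param([Parameter(Mandatory)][string]$Mapping)
    $type = 'Unknown'; $strength = 'Review'
    if ($Mapping -match '^X509:') {
        # Collect the tags in order, e.g. "<I>...<SR>..." becomes "I+SR".
        $tags = [regex]::Matches($Mapping, '<(I|SR|SKI|SHA1-PUKEY|S|RFC822)>') |
            ForEach-Object { $_.Groups[1].Value }
        $key = $tags -join '+'
        if ($MappingTypes.ContainsKey($key)) { $type, $strength = $MappingTypes[$key] }
    }
    [pscustomobject]@{ Type = $type; Strength = $strength; Mapping = $Mapping }
}

# Constructed altSecurityIdentities values.
$samples = @(
    'X509:<I>DC=com,DC=example,CN=Example-Issuing-CA<S>DC=com,DC=example,CN=Users,CN=alice'
    'X509:<I>DC=com,DC=example,CN=Example-Issuing-CA<SR>2b0000000011ac0000000012'
    'X509:<S>CN=bob'
    'X509:<RFC822>carol@example.com'
    'X509:<SKI>0123456789abcdef0123456789abcdef01234567'
    'Kerberos:dave@EXAMPLE.COM'
)
$samples | ForEach-Object { Get-CertMappingStrength -Mapping $_ } | Format-Table -AutoSize

# Against a directory (requires the ActiveDirectory RSAT module):
# Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
#     ForEach-Object { $_.altSecurityIdentities } |
#     ForEach-Object { Get-CertMappingStrength -Mapping $_ } |
#     Where-Object Strength -ne 'Strong'
```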
Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.