KB5075999 is the cumulative update for Windows Server 2016 and the Windows Server 2016 Server Core installation. It was released on 10 February 2026 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5075999 supersedes January 2026 cumulative update KB5073722.
- KB5075999 corresponds to build 14393.8868.
- Microsoft disclosed 21 security vulnerabilities for Windows Server 2016 in the February 2026 security bulletin.
- 5 zero-day vulnerabilities have been reported for Windows Server 2016 in February 2026. These need to be resolved on a priority basis by installing the latest cumulative security update.
- No CRITICAL vulnerability has been reported for Windows Server 2016 in January 2026.
- The Servicing Stack Update corresponding to KB5075999 is KB5075902. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5075902 before installing KB5075999.
Important Reminders
- Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
- Secure Boot certificates for Windows Server 2016 will expire in June 2026. Both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.
Servicing Stack Update KB5075902
KB5075902 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments of KB5075999, KB5075902 is automatically offered for installation as part of the installation of the main cumulative update.
For manual installations of KB5075999, you need to download and install KB5075902 before installing KB5075999.
You can download the SSU KB5075902 from the Microsoft Update Catalog page:
Installing the Servicing Stack Update does not cause the server to reboot or restart, so you can proceed directly with the installation of the main cumulative update for Windows Server 2016.
Zero-day Security vulnerabilities
Five zero-day vulnerabilities have been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in February 2026.
| CVE Details | CVSS Score | Comments |
|---|---|---|
| CVE-2026-21510 | 8.8 | Security Feature Bypass Vulnerability in Windows Shell |
| CVE-2026-21513 | 8.8 | Security Feature Bypass Vulnerability in MSHTML Framework |
| CVE-2026-21519 | 7.8 | Elevation of Privilege Vulnerability in Desktop Window Manager |
| CVE-2026-21525 | 6.2 | Denial of Service Vulnerability in Windows Remote Access Connection Manager |
| CVE-2026-21533 | 7.8 | Elevation of Privilege Vulnerability in Windows Remote Desktop Services |
Critical vulnerabilities
The February security bulletin for Windows Server 2016 reports 21 security vulnerabilities. None of these vulnerabilities has a CRITICAL security severity.
Download KB5075999
You may download the offline installer file for KB5075999 from the catalog site link shared below:
The server restarts after KB5075999 is installed.
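After the restart, you can confirm that the server reached the patch level described on this page. The script below is an added example, not Microsoft's tooling or part of the original article. It checks the build revision, looks for the SSU and the cumulative update, and also looks for the 2023 Secure Boot certificates mentioned under Important Reminders. The two certificate names are assumptions taken from Microsoft's Secure Boot guidance, not from this page.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt on the server.
$ExpectedBuild = 14393                      # Windows Server 2016 build family
$ExpectedUbr   = 8868                       # revision this page gives for KB5075999
$Packages      = 'KB5075902', 'KB5075999'   # SSU first, then the cumulative update

function Get-OsBuild {
    # CurrentBuild and UBR together form the build string, e.g. 14393.8868.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-SecureBootCert([string]$Name, [string]$Subject) {
    # Searches the raw UEFI variable for the certificate's subject string.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
    } catch {
        return $null   # legacy BIOS boot, no elevation, or variable not readable
    }
}

$os = Get-OsBuild
$report = [ordered]@{
    Build        = '{0}.{1}' -f $os.Build, $os.Ubr
    # A later cumulative update also passes, since the revision only increases.
    PatchLevelOk = ($os.Build -eq $ExpectedBuild -and $os.Ubr -ge $ExpectedUbr)
}
foreach ($kb in $Packages) {
    # Get-HotFix reads Win32_QuickFixEngineering, whose list can be incomplete;
    # treat the build check above as the authoritative result.
    $report["Installed_$kb"] = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
}
# Assumed certificate names (Microsoft Secure Boot guidance, not this page).
$report['Db2023']  = Test-SecureBootCert 'db'  'Windows UEFI CA 2023'
$report['Kek2023'] = Test-SecureBootCert 'KEK' 'Microsoft Corporation KEK 2K CA 2023'

[pscustomobject]$report | Format-List
```

A blank value for Db2023 or Kek2023 means the Secure Boot variables could not be read, which is different from False (read, but the 2023 certificate is absent).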
Changelog – KB5075999
The following changes or improvements are part of KB5075999 for Windows Server 2016:
- [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
- [Graphics] Fixed: A stability issue affecting certain graphics processing unit (GPU) configurations.
Due to the zero-day vulnerabilities, it is important to install this security update on Windows Server 2016 as soon as possible.