KB5087537 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 12 May 2026 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5087537 supersedes April 2026 cumulative update KB5072198.
- KB5087537 corresponds to build 14393.9140.
- KB5087537 also includes all changes that are part of the out of the band update KB5091572 released on 19 April 2026.
- 46 Security vulnerabilities were disclosed by Microsoft for Windows Server 2016 in May 2026 security bulletin.
- No zero-day vulnerabilites have been reported for Windows Server 2016 in May 2026.
- Four CRITICAL vulnerabilites have been reported for Windows Server 2016 in May 2026.
- The Servicing Stack Update corresponding to KB5087537 is KB5088064. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5088064 before installing KB5087537.
Important Reminders
- Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
- Secure booth certificates for Windows Server 2016 will expire in June 2026, Both UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.
Servicing Stack Update KB5088064
KB5088064 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments, KB5088064 is automatically offered for installation as part of the installation of the main cumulative update.
For manual installations of KB5087537, you would need to download and install KB5088064 before installing KB5087537.
You can download the SSU KB5088064 from the Microsoft Update Catalog page:
Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.
Zero-day Security vulnerabilities
No zero-day vulnerabilities have been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in May 2026.
Critical vulnerabilities
The May security bulletin for Windows Server 2016 reports 46 security vulnerabilities. Four of these vulnerabilities have CRITICAL severity.
| Vulnerability | CVSS | Impact | Comments |
|---|---|---|---|
| CVE-2026-32161 | 7.5 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network. |
| CVE-2026-35421 | 7.8 | Remote Code Execution | Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally. |
| CVE-2026-40403 | 8.8 | Remote Code Execution | Heap-based buffer overflow in Windows Win32K – GRFX allows an authorized attacker to execute code locally. |
| CVE-2026-41089 | 9.8 | Remote Code Execution | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. |
Download KB5087537
You may download the offline installer file for KB5087537 from the catalog site link shared below:
Upon installation of KB5087537, the server would restart.
Changelog – KB5087537
The following changes or improvements are part of KB5087537 for Windows Server 2016:
- [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
- [Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on or after April 14, 2026 (such as KB5082198).
- [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams.
- [Daylight Savings Time (DST)] Update for Arab Republic of Egypt to support the government DST change order in 2023.
- [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
Simplifying technology, one step at a time.