KB5094122 for Windows Server 2016 – June 2026

KB5094122 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 9 June 2026 under the ‘Patch Tuesday’ release cycle.

Salient points

• KB5094122 supersedes May 2026 cumulative update KB5087537.
• KB5094122 corresponds to build 14393.9234.
• 75 Security vulnerabilities were disclosed by Microsoft for Windows Server 2016 in June 2026 security bulletin.
• 3 zero-day vulnerabilites have been reported for Windows Server 2016 in June 2026.
• 15 CRITICAL vulnerabilites have been reported for Windows Server 2016 in June 2026.
• The Servicing Stack Update corresponding to KB5094122 is KB5094141. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5094141 before installing KB5094122.

Important Reminders

• Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
• Secure booth certificates for Windows Server 2016 will expire in June 2026, Both UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.

Servicing Stack Update KB5088064

KB5094141 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments, KB5094141 is automatically offered for installation as part of the installation of the main cumulative update.

For manual installations of KB5094122, you would need to download and install KB5094141 before installing KB5094122.

You can download the SSU KB5094141 from the Microsoft Update Catalog page:

• Download KB5094141 from the Microsoft Update Catalog site (12.2 MB)

Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.

Zero-day Security vulnerabilities

Three zero-day vulnerabilities have been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in May 2026.

1. CVE-2026-45586 – CVSS 7.8 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
2. CVE-2026-49160 – CVSS 7.5 – HTTP.sys Denial of Service Vulnerability 
3. CVE-2026-50507 – CVSS 6.8 – Windows BitLocker Security Feature Bypass Vulnerability

Critical vulnerabilities

The June security bulletin for Windows Server 2016 reports 75 security vulnerabilities. 15 of these vulnerabilities have CRITICAL severity. These vulnerabilities are listed below.

• CVE-2026-44812
• CVE-2026-44815
• CVE-2026-44803
• CVE-2026-48574
• CVE-2026-42987
• CVE-2026-42985
• CVE-2026-42992
• CVE-2026-47288
• CVE-2026-44801
• CVE-2026-44799
• CVE-2026-47654
• CVE-2026-47291
• CVE-2026-47289
• CVE-2026-45607
• CVE-2026-33828

Download KB5094122

You may download the offline installer file for KB5094122 from the catalog site link shared below:

• Download KB5094122 from the Microsoft Update Catalog (1744.4 MB)

Upon installation of KB5094122, the server would restart.

Changelog – KB5094122

The following changes or improvements are part of KB5094122 for Windows Server 2016:

• [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
• [Secure Boot]
• [Domain controller (known issue)] Fixed: Addressed an issue that affects DFS (Distributed File System) Namespaces on servers with hostnames that are exactly 15 characters long. ​​​​​​​