KB5094123 for Windows Server 2019

KB5094123 is the cumulative update for Windows Server 2019 and Windows Server 2019 Server Core installation. It was released on 9 June, 2026 under the ‘Patch Tuesday’ release cycle.

Salient points

• KB5094123 supersedes May 2026 cumulative update KB5087538.
• KB5094123 corresponds to Windows server build 17763.8880.
• 3 Zero-day vulnerabilities affect Windows Server 2019 and Windows Server 2019 Server Core installation as per June security bulletin.
• 88 security vulnerabilities have been disclosed for June 2026 by Microsoft. 16 of these have CRITICAL severity.
• The Servicing Stack Update corresponding to KB5094123 is KB5094143 (17763.8860). It is in-built in the main cumulative update. Separate installation of the SSU or Servicing Stack is not needed.
• KB5005112 is the SSU that must be already deployed on Windows Server 2019. If you have not deployed this SSU, please download KB5005112 and apply on the server. This is a very old SSU released in August 2021. If you have followed the update release cycle, there is a high chance that you already have this patch on the server. SSU installation does not cause server reboot.

Important Reminders

Apart from this, it is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface​​​​​​​ (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

Download KB5094143

KB5094143 is the Servicing Stack Update for Windows Server 2019 released in June 2026 alongside the main cumulative update KB5094123.

If you intend to deploy cumulative updates through Windows Update or Windows Update for Business, no action is needed to install the Servicing Stack Update. The Servicing Stack Update is part of the security update that will be installed on Windows Server 2019.

For manual installation of KB5094123, there is no separate installation of KB5094143 as it is included in the main cumulative security update.

Download KB5094123

You may download the offline installer file for KB5094123 from the catalog site link shared below:

• Download KB5094123 from the Microsoft Update Catalog (820.6 MB)

Upon installation of KB5094123, the server would restart. The Servicing Stack Update is already included in the main update and will be downloaded and installed as part of the installation process.

Zero-day vulnerabilities

Three zero-day vulnerability has been reported for Windows Server 2019 in June 2026.

1. CVE-2026-45586 – CVSS 7.8 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
2. CVE-2026-49160 – CVSS 7.5 – HTTP.sys Denial of Service Vulnerability 
3. CVE-2026-50507 – CVSS 6.8 – Windows BitLocker Security Feature Bypass Vulnerability

Critical vulnerabilities

The June security bulletin for Windows Server 2019 reports 88 security vulnerabilities. 16 of these vulnerabilities have CRITICAL severity. These vulnerabilities are listed below.

• CVE-2026-44812
• CVE-2026-44803
• CVE-2026-45607
• CVE-2026-42987
• CVE-2026-44799
• CVE-2026-44801
• CVE-2026-42985
• CVE-2026-42992
• CVE-2026-47288
• CVE-2026-44815
• CVE-2026-48574
• CVE-2026-48563
• CVE-2026-47654
• CVE-2026-47291
• CVE-2026-47289
• CVE-2026-33828

Changelog – KB5094123

The following changes or improvements are part of KB5094123 for Windows Server 2019:

• The update addresses security improvements for Windows Server 2019 and Windows Server 2019 Server Core installation.
• [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality.
• This update enables dynamic status reporting for Secure Boot states in Windows Security App.
• This update adds a new policy setting, LimitSecureBootRequiredServiceData, under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When this setting is enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is also included in the Windows Restricted Traffic Limited Functionality Baseline package. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.
• With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout. ​​​​​​​