Full Report
Microsoft has confirmed that the May 2026 Windows 11 security update (KB5089549) fails to install on some systems and triggers 0x800f0922 errors. [...]
Analysis Summary
# Vulnerability: Windows 11 May 2026 Security Update Installation Failure (KB5089549)
## CVE Details
*Note: This report specifically addresses a functional failure of a security patch rather than a named vulnerability in the software itself.*
- **CVE ID**: N/A (Patch Installation Issue)
- **CVSS Score**: N/A
- **CWE**: CWE-1304 (Improperly Managed Hardware Resources - Storage Space)
## Affected Systems
- **Products**: Microsoft Windows 11
- **Versions**: Windows 11 25H2, Windows 11 24H2, and Windows Server 2025.
- **Configurations**: Systems with limited free space on the **EFI System Partition (ESP)**, specifically those with **10 MB or less** of available space.
## Vulnerability Description
Windows 11 security update KB5089549 fails to install on systems where the EFI System Partition (ESP) lacks sufficient free space to accommodate the update files during the boot phase. The ESP is a critical partition used by the Unified Extensible Firmware Interface (UEFI) to start the operating system. When the storage check fails (often because third-party or OEM files occupy the partition), the update triggers a **0x800f0922 error** and initiates an automatic rollback during the reboot cycle at approximately 35–36% completion.
## Exploitation
- **Status**: Not exploited (This is a serviceability issue preventing the application of security patches).
- **Complexity**: N/A
- **Attack Vector**: Local (System Update Process)
## Impact
- **Confidentiality**: None (Directly) / High (Indirectly, as it prevents patching of other CVEs).
- **Integrity**: None.
- **Availability**: Medium (Causes boot-time rollbacks and potential "undoing changes" loops, though the OS remains functional after the rollback).
## Remediation
### Patches
- Microsoft is currently working on a formal resolution. KB5089549 remains the current security baseline, but its installation is blocked for affected users.
### Workarounds
- **Known Issue Rollback (KIR):** Consumers and non-managed devices can utilize the automated KIR feature, which reverses the specific change causing the conflict.
- **Group Policy Mitigation:** Enterprise admins should install the specific KIR MSI relevant to their OS version to disable the problematic update component.
  - **Download:** hxxps[://]download[.]microsoft[.]com/download/4ed10a70-0e17-4215-87c4-5eabbfe99c03/Windows%2011%2024H2%2c%20Windows%2011%2025H2%20and%20Windows%20Server%202025%20KB5089549%20260514_06221%20Known%20Issue%20Rollback.msi
- **ESP Cleanup:** Manually identify and remove non-essential third-party or OEM files from the EFI partition to ensure more than 10 MB of free space.
## Detection
- **Error Codes**: Windows Update error `0x800f0922`.
- **System Logs**: Look for the following entries in update logs:
  - `SpaceCheck: Insufficient free space`
  - `ServicingBootFiles failed. Error = 0x70`
  - `SpaceCheck: used by third-party/OEM files outside of Microsoft boot directories`
- **Symptoms**: System displays "Something didn't go as planned. Undoing changes" during the second stage of the update reboot.
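
The affected-configuration threshold and the log strings above can be checked together before the update is attempted. The following PowerShell is an added example, not Microsoft's tooling or part of the original report; the log path (`CBS.log`) and the parameter names are assumptions, since the report only says "update logs".

```powershell
#Requires -RunAsAdministrator
# Added example: pre-check for the KB5089549 ESP free-space failure.
param(
    # Assumption: servicing log location; the report does not name the file.
    [string[]]$LogPath = @("$env:windir\Logs\CBS\CBS.log"),
    # From the report: systems with 10 MB or less free on the ESP are affected.
    [int]$ThresholdMB = 10
)

# GPT partition type GUID that identifies an EFI System Partition.
$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

# Log strings listed in the Detection section of this report.
$Markers = @(
    'SpaceCheck: Insufficient free space',
    'ServicingBootFiles failed. Error = 0x70',
    'SpaceCheck: used by third-party/OEM files outside of Microsoft boot directories'
)

# Locate the ESP; legacy BIOS/MBR systems have none, so $esp stays empty.
$esp = Get-Partition | Where-Object { $_.GptType -eq $EspGptType } | Select-Object -First 1
$freeMB = $null
if ($esp) {
    # The ESP normally has no drive letter, so resolve its volume via the partition.
    $vol = $esp | Get-Volume
    if ($vol) { $freeMB = [math]::Round($vol.SizeRemaining / 1MB, 1) }
}

# Literal (non-regex) search for the markers in each log that exists.
$hits = foreach ($path in $LogPath) {
    if (Test-Path -LiteralPath $path) {
        Select-String -LiteralPath $path -SimpleMatch -Pattern $Markers |
            Select-Object Path, LineNumber, Line
    }
}

# One object per machine, suitable for Export-Csv or remote collection.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    EspFound       = [bool]$esp
    EspFreeMB      = $freeMB
    AtRisk         = ($null -ne $freeMB -and $freeMB -le $ThresholdMB)
    LogMarkerCount = @($hits).Count
    LogMarkers     = @($hits)
}
```

`AtRisk` reflects only the free-space threshold; a non-zero `LogMarkerCount` indicates the failure has already occurred on that machine.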
## References
- **Microsoft Release Health Advisory**: hxxps[://]learn[.]microsoft[.]com/en-us/windows/release-health/status-windows-11-25h2#4854msgdesc
- **Microsoft KIR Documentation**: hxxps[://]techcommunity[.]microsoft[.]com/blog/windows-itpro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected-and-productive/2176831
- **BleepingComputer Article**: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-confirms-kb5089549-windows-11-security-update-install-issues/