Full Report
Microsoft has released out-of-band (OOB) updates to fix issues affecting Windows Server systems after installing the April 2026 security updates. [...]
Analysis Summary
# Vulnerability: Windows Server April 2026 LSASS Crash and Installation Failures
## CVE Details
*Note: This article describes functional regressions and stability issues resulting from security patches rather than a specific new CVE assigned to the flaw itself. The stability issues were triggered by the April 2026 Monthly Updates.*
- **CVE ID:** N/A (Functional Regression)
- **CVSS Score:** N/A
- **CWE:** CWE-404 (Improper Shutdown or Release of Resources - leading to LSASS crash)
## Affected Systems
- **Products:** Windows Server
- **Versions:**
  - Windows Server 2025
  - Windows Server, version 23H2
  - Windows Server 2022 (including Azure Edition Hotpatch)
  - Windows Server 2019
  - Windows Server 2016
- **Configurations:**
  - Systems configured with the **Domain Controller** role.
  - Windows Server 2025 systems attempting to install KB5082063.
  - Systems processing authentication requests very early during the startup phase.
## Vulnerability Description
Following the installation of the April 2026 security updates, two primary issues were identified:
1. **LSASS Crash:** The Local Security Authority Subsystem Service (LSASS) terminates unexpectedly, causing Domain Controllers to enter an infinite restart loop. This occurs primarily during authentication processing or early startup.
2. **Installation Failure:** On Windows Server 2025, the initial security update (KB5082063) may fail to install entirely.
3. **BitLocker Recovery:** Some Windows Server 2025 devices may be forced into BitLocker recovery mode, requiring a manual recovery key entry after the update.
## Exploitation
- **Status:** Not exploited (This is a vendor-induced stability regression).
- **Complexity:** N/A
- **Attack Vector:** N/A
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** **High** (Servers become unavailable due to reboot loops; Domain Controllers fail to provide authentication services).
## Remediation
### Patches
Microsoft has released the following Out-of-Band (OOB) updates to resolve these issues:
- **Windows Server 2025:** KB5091157 (OS Build 26100.32698) - *Fixes both LSASS and Installation issues.*
- **Windows Server 23H2:** KB5091571 (OS Build 25398.2276)
- **Windows Server 2022:** KB5091575 (OS Build 20348.5024)
- **Windows Server 2019:** KB5091573 (OS Build 17763.8647)
- **Windows Server 2016:** KB5091572 (OS Build 14393.9062)
- **Windows Server Azure Edition:** Hotpatch KB5091470 (2025) and KB5091576 (2022).
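
To verify that a server has reached the fixed builds listed above, the following added example (not Microsoft's code and not part of the original report) compares a host's OS build and update revision against the OOB builds from this page and flags Domain Controllers that are still below them. The function name `Test-OobFixLevel` and the sample hosts are assumptions made for illustration.

```powershell
# Fixed OOB builds and KB numbers copied from the Patches list on this page.
# Azure Edition Hotpatch KBs are omitted: the page gives no build numbers for them.
$FixedBuilds = @{
    26100 = @{ Ubr = 32698; KB = 'KB5091157' }   # Windows Server 2025
    25398 = @{ Ubr = 2276;  KB = 'KB5091571' }   # Windows Server, version 23H2
    20348 = @{ Ubr = 5024;  KB = 'KB5091575' }   # Windows Server 2022
    17763 = @{ Ubr = 8647;  KB = 'KB5091573' }   # Windows Server 2019
    14393 = @{ Ubr = 9062;  KB = 'KB5091572' }   # Windows Server 2016
}

function Test-OobFixLevel {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ComputerName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Build,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Ubr,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$DomainRole
    )
    process {
        $fix    = $FixedBuilds[$Build]
        $isDc   = $DomainRole -in 4, 5   # Win32_ComputerSystem.DomainRole: 4 and 5 are domain controllers
        $status = 'BuildNotListed'
        if ($fix) { $status = if ($Ubr -ge $fix.Ubr) { 'AtOrAboveOobBuild' } else { 'BelowOobBuild' } }
        [pscustomobject]@{
            ComputerName = $ComputerName
            OsBuild      = "$Build.$Ubr"
            IsDC         = $isDc
            Status       = $status
            FixKB        = if ($fix) { $fix.KB } else { $null }
            Priority     = $isDc -and $status -eq 'BelowOobBuild'   # DC role is the LSASS-affected configuration
        }
    }
}

# Constructed sample inventory (hypothetical hosts and revisions), e.g. from a CMDB export.
@(
    [pscustomobject]@{ ComputerName = 'DC01';  Build = 26100; Ubr = 32000; DomainRole = 5 }
    [pscustomobject]@{ ComputerName = 'DC02';  Build = 20348; Ubr = 5024;  DomainRole = 4 }
    [pscustomobject]@{ ComputerName = 'FILE1'; Build = 17763; Ubr = 8000;  DomainRole = 3 }
) | Test-OobFixLevel | Format-Table -AutoSize

# The same check against the local server, using the registry build values.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = [int]$cv.CurrentBuildNumber
    Ubr          = [int]$cv.UBR
    DomainRole   = [int](Get-CimInstance Win32_ComputerSystem).DomainRole
} | Test-OobFixLevel | Format-List
```

`BelowOobBuild` only means the fixed build has not been reached; it does not by itself show that the April 2026 update is installed on that host.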
### Workarounds
- For systems in a reboot loop, booting into Safe Mode to uninstall the April 2026 cumulative update may restore stability until the OOB patch can be applied.
- Ensure BitLocker recovery keys are accessible before rebooting Windows Server 2025 machines following updates.
## Detection
- **Indicators of Compromise:** High frequency of Event ID 1014 (LSASS.exe crash) in System Logs.
- **Detection Methods:** Monitor for "unexpected shutdown" events and LSASS service failures on Domain Controllers. Verify if KB5082063 is failing with specific error codes in the Windows Update history.
## References
- Microsoft Message Center: [https[:]//learn.microsoft.com/en-us/windows/release-health/windows-message-center#4835]
- BleepingComputer Report: [https[:]//www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-updates-to-fix-windows-server-issues/]
- Windows Server 2025 Installation Issues: [https[:]//www.bleepingcomputer.com/news/microsoft/microsoft-april-windows-server-2025-update-may-fail-to-install/]