Hello Aloysius, thank you for sharing the business impact and the ShellHost.exe error observed after the RSAF laptop restore. From the currently published Microsoft documentation, Microsoft has officially acknowledged a known issue for KB5089549 where some Windows 11 24H2/25H2 devices may fail to complete installation with error 0x800f0922 when the EFI System Partition has limited free space, especially 10 MB or less; the documented behavior is rollback during restart around 35–36%, with CBS.log entries such as “SpaceCheck: Insufficient free space” and “ServicingBootFiles failed. Error = 0x70.” Microsoft also states that this specific KB5089549 installation issue is addressed in KB5089573.
However, I could not find an official Microsoft statement confirming that ShellHost.exe “stack-based buffer overrun” is a known issue caused by KB5089549, or that this crash is directly tied to a specific CVE. The official KB5089549 release note confirms security fixes, Secure Boot-related changes, and boot manager servicing improvements, but the published known issue is the EFI/0x800f0922 installation failure, not ShellHost.exe corruption or a confirmed CVE-triggered shell crash.
For that reason, we should not represent this as a Microsoft-acknowledged “CVE crash” unless Microsoft Support or Windows Release Health provides a formal confirmation. For the affected RSAF workstation, we need to validate the exact OS build, KB installation history, Application event log, Reliability Monitor entry, faulting module details, WER crash dump, C:\Windows\Logs\CBS\CBS.log, and DISM/SFC results to determine whether the ShellHost.exe error is caused by the update, system file corruption, endpoint security software, third-party shell integration, or another local component. If an official company/vendor response is required before 10:00 AM Singapore time, the recommended path is to raise or escalate this immediately through Microsoft Unified/Premier Support with the collected logs, because the public Microsoft documentation currently confirms only the EFI/0x800f0922 KB5089549 installation issue and not a ShellHost.exe CVE-related crash.
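
The evidence collection listed in the reply above, as an added example that is not part of the original reply and is not Microsoft tooling. It assumes an elevated PowerShell session on the affected workstation, a hypothetical output folder `$out`, and the default WER report location under `%ProgramData%`.

```powershell
#Requires -RunAsAdministrator
# Added example: collection and scans only, no repairs. $out is an assumed folder.
$out = Join-Path $env:SystemDrive "Triage\ShellHost_$(Get-Date -Format yyyyMMdd_HHmmss)"
New-Item -ItemType Directory -Path "$out\WER" -Force | Out-Null

# 1. Exact OS build (CurrentBuild.UBR) and feature version
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object ProductName, DisplayVersion, CurrentBuild, UBR |
    Export-Csv "$out\os_build.csv" -NoTypeInformation

# 2. KB installation history, flagging the two KBs named in the reply
Get-HotFix | Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn,
        @{n = 'NamedInReply'; e = { $_.HotFixID -in 'KB5089549', 'KB5089573' }} |
    Export-Csv "$out\hotfix_history.csv" -NoTypeInformation

# 3. Application log crash events (faulting module and exception code are in Message)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue |
    Where-Object Message -match 'ShellHost\.exe' |
    Select-Object TimeCreated, Id, Message |
    Export-Csv "$out\shellhost_app_errors.csv" -NoTypeInformation

# 4. Reliability Monitor records that mention ShellHost
Get-CimInstance -ClassName Win32_ReliabilityRecords |
    Where-Object { $_.ProductName -match 'ShellHost' -or $_.Message -match 'ShellHost' } |
    Select-Object TimeGenerated, SourceName, ProductName, Message |
    Export-Csv "$out\reliability_records.csv" -NoTypeInformation

# 5. WER report folders for ShellHost (assumed default location)
Get-ChildItem (Join-Path $env:ProgramData 'Microsoft\Windows\WER') -Recurse -Directory -Filter '*ShellHost*' -ErrorAction SilentlyContinue |
    Copy-Item -Destination "$out\WER" -Recurse -Force

# 6. Component store and system file scans; sfc writes its detail to CBS.log
dism.exe /Online /Cleanup-Image /ScanHealth | Out-File "$out\dism_scanhealth.txt"
sfc.exe /verifyonly | Out-Null
"sfc /verifyonly exit code: $LASTEXITCODE" | Out-File "$out\sfc_exitcode.txt"

# 7. CBS.log, plus a search for the two entries quoted in the reply
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
Copy-Item $cbs $out
Select-String -Path $cbs -Pattern 'SpaceCheck: Insufficient free space', 'ServicingBootFiles failed' -SimpleMatch |
    Select-Object LineNumber, Line | Export-Csv "$out\cbs_efi_matches.csv" -NoTypeInformation

# 8. EFI System Partition free space (the documented issue concerns 10 MB or less)
Get-Partition | Where-Object GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' |
    Get-Volume | Select-Object FileSystemLabel, Size, SizeRemaining |
    Export-Csv "$out\esp_free_space.csv" -NoTypeInformation
```

An empty `cbs_efi_matches.csv` together with populated `shellhost_app_errors.csv` indicates the crash is not the documented EFI/0x800f0922 installation failure and needs separate root-cause analysis.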