Require official statement/response from company for CVE crash.

2026-07-02T02:47:04.2966667+00:00

RSAF laptop system restore was done this morning.

ShellHost.exe - System Error. The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

If we can dissent for KB5089549 under the RSAF workstation: encountering issues like this is extremely common with the KB5089549 security update.

Microsoft officially acknowledged that the KB5089549 update heavily alters low-level boot files and disk configs. If a CPU runs low on storage within its hidden EFI System Partition, the update triggers critical version mismatches, corrupts core interface components like ShellHost.exe, or forcibly rolls back the entire process.

Business impact: high, as the customer won't allow deployment if the official response on the CVE crash doesn't reach us by tomorrow 10 a.m. Singapore time.


1 answer

  1. Xuan Nhu 170 Reputation points Independent Advisor
    2026-07-02T05:15:50.6+00:00

    Hello Aloysius, thank you for sharing the business impact and the ShellHost.exe error observed after the RSAF laptop restore. From the currently published Microsoft documentation, Microsoft has officially acknowledged a known issue for KB5089549 where some Windows 11 24H2/25H2 devices may fail to complete installation with error 0x800f0922 when the EFI System Partition has limited free space, especially 10 MB or less; the documented behavior is rollback during restart around 35–36%, with CBS.log entries such as “SpaceCheck: Insufficient free space” and “ServicingBootFiles failed. Error = 0x70.” Microsoft also states that this specific KB5089549 installation issue is addressed in KB5089573.

    However, I could not find an official Microsoft statement confirming that ShellHost.exe “stack-based buffer overrun” is a known issue caused by KB5089549, or that this crash is directly tied to a specific CVE. The official KB5089549 release note confirms security fixes, Secure Boot-related changes, and boot manager servicing improvements, but the published known issue is the EFI/0x800f0922 installation failure, not ShellHost.exe corruption or a confirmed CVE-triggered shell crash.

    For that reason, we should not represent this as a Microsoft-acknowledged “CVE crash” unless Microsoft Support or Windows Release Health provides a formal confirmation. For the affected RSAF workstation, we need to validate the exact OS build, KB installation history, Application event log, Reliability Monitor entry, faulting module details, WER crash dump, C:\Windows\Logs\CBS\CBS.log, and DISM/SFC results to determine whether the ShellHost.exe error is caused by the update, system file corruption, endpoint security software, third-party shell integration, or another local component. If an official company/vendor response is required before 10:00 AM Singapore time, the recommended path is to raise or escalate this immediately through Microsoft Unified/Premier Support with the collected logs, because the public Microsoft documentation currently confirms only the EFI/0x800f0922 KB5089549 installation issue and not a ShellHost.exe CVE-related crash.


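The answer above lists the evidence needed before anyone can call this a KB5089549-induced or CVE-related crash: OS build, KB history, Application log crash events, Reliability Monitor, the WER report, CBS.log and the EFI System Partition state. The script below is an added example that collects exactly that evidence in one pass; it is not code from the answer, from the question author, or from Microsoft. It assumes the KB numbers and CBS.log strings quoted in the answer, default Windows log and WER paths, and an elevated PowerShell 5.1 or later session on the affected workstation. The dialog text in the question ("overrun of a stack-based buffer") corresponds to exception code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN); because that same code is raised by any Windows fail-fast, the faulting module recorded in Event ID 1000 is the field that actually discriminates between a genuine overflow, a corrupted system file and a third-party DLL loaded into the shell.

```powershell
# Triage collector for a ShellHost.exe "stack-based buffer overrun" report.
# Added example, not from the Q&A answer or from Microsoft. Assumptions:
#   - the KB numbers and CBS.log strings are those quoted in the answer above;
#   - paths are Windows defaults; run from an elevated PowerShell 5.1+ session.
$SuspectKBs = 'KB5089549', 'KB5089573'     # update under suspicion, and the fix the answer cites
$Since      = (Get-Date).AddDays(-7)
$report     = [ordered]@{}

# 1. Exact OS build: CurrentBuildNumber + UBR identifies the cumulative update level
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.OSBuild = '{0}.{1} ({2})' -f $cv.CurrentBuildNumber, $cv.UBR, $cv.DisplayVersion

# 2. KB installation history for the suspect update and its documented fix
$report.Hotfixes = Get-HotFix |
    Where-Object { $_.HotFixID -in $SuspectKBs } |
    Select-Object HotFixID, InstalledOn

# 3. Application log: Application Error (1000) and WER (1001) events naming ShellHost.exe.
#    0xc0000409 = STATUS_STACK_BUFFER_OVERRUN, which is also what every fail-fast raises,
#    so the faulting module is the field worth reading, not the exception code alone.
$report.CrashEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 1000, 1001; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ShellHost\.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Exception = [regex]::Match($_.Message, 'Exception code: (\S+)').Groups[1].Value
            Module    = [regex]::Match($_.Message, 'Faulting module name: ([^,]+)').Groups[1].Value
        }
    }

# 4. Reliability Monitor records that mention ShellHost
$report.Reliability = Get-CimInstance Win32_ReliabilityRecords -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ShellHost' } |
    Select-Object TimeGenerated, SourceName, EventIdentifier

# 5. WER report folders (each holds Report.wer with the faulting module and any dump path)
$werRoots = 'C:\ProgramData\Microsoft\Windows\WER\ReportArchive',
            'C:\ProgramData\Microsoft\Windows\WER\ReportQueue'
$report.WerReports = Get-ChildItem $werRoots -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'ShellHost' } |
    Select-Object FullName, LastWriteTime

# 6. CBS.log: the two strings the answer quotes from Microsoft's KB5089549 known-issue note
$report.CbsHits = Select-String -Path 'C:\Windows\Logs\CBS\CBS.log' -ErrorAction SilentlyContinue `
    -Pattern 'SpaceCheck: Insufficient free space', 'ServicingBootFiles failed' |
    Select-Object LineNumber, Line

# 7. EFI System Partition free space; the documented trigger is roughly 10 MB or less
$espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # well-known ESP partition type GUID
$report.EspFreeMB = Get-Partition -ErrorAction SilentlyContinue |
    Where-Object { $_.GptType -eq $espGuid } |
    Get-Volume -ErrorAction SilentlyContinue |
    ForEach-Object { [math]::Round($_.SizeRemaining / 1MB, 1) }
$report.EspAtRisk = @($report.EspFreeMB | Where-Object { $_ -le 10 }).Count -gt 0

# 8. Integrity checks are slow and interactive; record the commands to run next rather than running them here
$report.NextCommands = 'DISM /Online /Cleanup-Image /ScanHealth', 'sfc /scannow'

$report | ConvertTo-Json -Depth 4 | Tee-Object -FilePath "$env:TEMP\shellhost-triage.json"
```

Run it once on the restored RSAF laptop and attach the resulting JSON to the Microsoft Support case. If `CbsHits` is empty and `EspAtRisk` is false, the published KB5089549 known issue (the EFI space check and 0x800f0922 rollback) is not what the machine is exhibiting, and the `Module` column of `CrashEvents` is the lead to follow; a non-Microsoft DLL there points at endpoint security or a third-party shell extension rather than the update.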
