Microsoft has patched CVE-2026-48564, a critical remote code execution vulnerability in the Windows DHCP Server service that could let a low-privileged attacker run code across a network. The flaw carries a CVSS 3.1 score of 8.8 and affects supported Windows Server releases from Windows Server 2012 through Windows Server 2025.
Detailed in Microsoft’s July 14, 2026 Security Update Guide, the vulnerability is a heap-based buffer overflow identified as CWE-122. Administrators running the DHCP Server role should treat the July security update as a priority, even though Microsoft says exploitation is less likely and has reported neither public disclosure nor active attacks.
The National Vulnerability Database received the record directly from Microsoft on July 14 and lists the CVE as undergoing enrichment. That means the vulnerability’s existence, affected software, and severity are vendor-confirmed, while deeper technical information remains limited.
CVE-2026-48564 has the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker can reach the vulnerable component over a network, exploitation is considered low complexity, and no user interaction is required.
The important constraint is PR:L: the attacker needs low-level privileges. This requirement is why CVE-2026-48564 scores 8.8 rather than the 9.8 assigned to an otherwise similar unauthenticated network attack.
That distinction matters when triaging exposure, but it does not make the vulnerability benign. A compromised account, malicious insider, breached management host, or attacker who has already established limited access could potentially use the DHCP flaw to move from an initial foothold to code execution on a server performing a fundamental network service.
Microsoft assigns high impact to confidentiality, integrity, and availability. Successful exploitation could therefore expose data accessible to the service, permit unauthorized changes, and disrupt DHCP operations in addition to executing attacker-controlled code.
DHCP servers are especially sensitive infrastructure because endpoints depend on them to obtain IP addresses, default gateways, DNS settings, and other network configuration. A compromised DHCP host could become a useful staging point for lateral movement or network disruption, even where the service itself is not directly reachable from the public internet.
Whether that corruption can be turned into reliable code execution depends on the vulnerable code path, attacker control over the overwritten data, memory protections, and the stability of the target process. Microsoft has not publicly documented the packet structure, DHCP operation, or server configuration required to trigger CVE-2026-48564.
No public proof-of-concept was identified at publication time. The Zero Day Initiative’s July 2026 update review likewise records the vulnerability as not publicly disclosed and not known to be exploited.
That limited disclosure creates a relatively strong confidence assessment with an incomplete technical picture. Microsoft is both the vendor and the CVE numbering authority for the record, has classified the underlying weakness, supplied affected-version data, and released corrected builds. The existence of the flaw is therefore confirmed rather than inferred from third-party research.
What remains unknown is how narrow the privilege requirement is in practice. The public CVSS vector establishes that authorization is necessary, but it does not explain which identity, DHCP permission, protocol state, or administrative relationship provides the required access.
Microsoft’s “Exploitation Less Likely” rating is an engineering assessment, not a guarantee that working exploit code will never appear. Memory-corruption vulnerabilities can become more attractive after security researchers compare patched and unpatched binaries, a process known as patch diffing.
Server Core does not avoid the issue. Windows Server 2012, 2012 R2, 2016, 2019, and 2025 Core installations appear in Microsoft’s affected record, either explicitly or through their shared servicing versions.
The unusually broad version range also makes unsupported and extended-support systems a concern. Windows Server 2012 and Windows Server 2012 R2 require the appropriate Extended Security Updates arrangements to continue receiving security fixes. Discovering an old DHCP server is only useful if the organization also has a valid servicing path for it.
Two related DHCP Server remote code execution vulnerabilities, CVE-2026-50518 and CVE-2026-56159, received CVSS scores of 9.8 because they do not carry the same low-privilege prerequisite. CVE-2026-50370 is another critical DHCP Server service vulnerability rated 8.8, while additional July fixes address DHCP client privilege escalation and server denial of service.
That cluster changes the operational calculation. Administrators should not isolate CVE-2026-48564 and conclude that its privilege requirement justifies delaying the entire update. The same July servicing release closes DHCP flaws with different attack conditions, including unauthenticated remote code execution paths that Microsoft or security researchers consider more urgent.
For environments with strict change-control windows, the first deployment wave should cover active DHCP servers, failover partners, and systems capable of assuming the DHCP role. Test plans should verify lease issuance, reservation handling, scope options, authorization in Active Directory, failover replication, and any IP address management integration after installation and restart.
Network controls remain useful but are not substitutes for servicing. DHCP traffic should be limited to expected network segments and relay paths, administrative access should follow least privilege, and server management interfaces should not be reachable from untrusted networks. Monitoring teams should also investigate unexpected DHCP service crashes or anomalous traffic directed at DHCP servers, although Microsoft has not published vulnerability-specific detection guidance.
The practical target is straightforward: identify every Windows host running the DHCP Server role and confirm that it meets or exceeds Microsoft’s corrected July 2026 build. CVE-2026-48564 is vendor-confirmed and patched; the unresolved part is how quickly attackers can turn the limited public details into a dependable exploit.
Detailed in Microsoft’s July 14, 2026 Security Update Guide, the vulnerability is a heap-based buffer overflow identified as CWE-122. Administrators running the DHCP Server role should treat the July security update as a priority, even though Microsoft says exploitation is less likely and has reported neither public disclosure nor active attacks.
The National Vulnerability Database received the record directly from Microsoft on July 14 and lists the CVE as undergoing enrichment. That means the vulnerability’s existence, affected software, and severity are vendor-confirmed, while deeper technical information remains limited.
Authentication Lowers the Score, Not the Potential Impact
CVE-2026-48564 has the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker can reach the vulnerable component over a network, exploitation is considered low complexity, and no user interaction is required.The important constraint is PR:L: the attacker needs low-level privileges. This requirement is why CVE-2026-48564 scores 8.8 rather than the 9.8 assigned to an otherwise similar unauthenticated network attack.
That distinction matters when triaging exposure, but it does not make the vulnerability benign. A compromised account, malicious insider, breached management host, or attacker who has already established limited access could potentially use the DHCP flaw to move from an initial foothold to code execution on a server performing a fundamental network service.
Microsoft assigns high impact to confidentiality, integrity, and availability. Successful exploitation could therefore expose data accessible to the service, permit unauthorized changes, and disrupt DHCP operations in addition to executing attacker-controlled code.
DHCP servers are especially sensitive infrastructure because endpoints depend on them to obtain IP addresses, default gateways, DNS settings, and other network configuration. A compromised DHCP host could become a useful staging point for lateral movement or network disruption, even where the service itself is not directly reachable from the public internet.
The Confirmed Fault Is a Heap-Based Buffer Overflow
Microsoft describes CVE-2026-48564 as a heap-based buffer overflow in Windows DHCP Server. This class of memory-safety error occurs when software writes more data into a heap allocation than the allocated region can hold, potentially corrupting nearby memory.Whether that corruption can be turned into reliable code execution depends on the vulnerable code path, attacker control over the overwritten data, memory protections, and the stability of the target process. Microsoft has not publicly documented the packet structure, DHCP operation, or server configuration required to trigger CVE-2026-48564.
No public proof-of-concept was identified at publication time. The Zero Day Initiative’s July 2026 update review likewise records the vulnerability as not publicly disclosed and not known to be exploited.
That limited disclosure creates a relatively strong confidence assessment with an incomplete technical picture. Microsoft is both the vendor and the CVE numbering authority for the record, has classified the underlying weakness, supplied affected-version data, and released corrected builds. The existence of the flaw is therefore confirmed rather than inferred from third-party research.
What remains unknown is how narrow the privilege requirement is in practice. The public CVSS vector establishes that authorization is necessary, but it does not explain which identity, DHCP permission, protocol state, or administrative relationship provides the required access.
Microsoft’s “Exploitation Less Likely” rating is an engineering assessment, not a guarantee that working exploit code will never appear. Memory-corruption vulnerabilities can become more attractive after security researchers compare patched and unpatched binaries, a process known as patch diffing.
Windows Server 2012 Through Server 2025 Need Attention
The affected-product record spans multiple server generations and includes both Desktop Experience and Server Core installations where Microsoft lists them separately. Corrected build thresholds include:- Windows Server 2012 must be updated to build 6.2.9200.26132 or later.
- Windows Server 2012 R2 must be updated to build 6.3.9600.23228 or later.
- Windows Server 2016 must be updated to build 10.0.14393.9339 or later.
- Windows Server 2019 must be updated to build 10.0.17763.9020 or later.
- Windows Server 2022 must be updated to build 10.0.20348.5386 or later.
- Windows Server 2025 must be updated to build 10.0.26100.33158 or later.
Server Core does not avoid the issue. Windows Server 2012, 2012 R2, 2016, 2019, and 2025 Core installations appear in Microsoft’s affected record, either explicitly or through their shared servicing versions.
The unusually broad version range also makes unsupported and extended-support systems a concern. Windows Server 2012 and Windows Server 2012 R2 require the appropriate Extended Security Updates arrangements to continue receiving security fixes. Discovering an old DHCP server is only useful if the organization also has a valid servicing path for it.
DHCP Has More Than One July Patch Priority
CVE-2026-48564 is not the only DHCP vulnerability addressed in Microsoft’s July 2026 release. Tenable counted nine DHCP Server and Windows DHCP Client CVEs in the update, including five rated critical.Two related DHCP Server remote code execution vulnerabilities, CVE-2026-50518 and CVE-2026-56159, received CVSS scores of 9.8 because they do not carry the same low-privilege prerequisite. CVE-2026-50370 is another critical DHCP Server service vulnerability rated 8.8, while additional July fixes address DHCP client privilege escalation and server denial of service.
That cluster changes the operational calculation. Administrators should not isolate CVE-2026-48564 and conclude that its privilege requirement justifies delaying the entire update. The same July servicing release closes DHCP flaws with different attack conditions, including unauthenticated remote code execution paths that Microsoft or security researchers consider more urgent.
For environments with strict change-control windows, the first deployment wave should cover active DHCP servers, failover partners, and systems capable of assuming the DHCP role. Test plans should verify lease issuance, reservation handling, scope options, authorization in Active Directory, failover replication, and any IP address management integration after installation and restart.
Network controls remain useful but are not substitutes for servicing. DHCP traffic should be limited to expected network segments and relay paths, administrative access should follow least privilege, and server management interfaces should not be reachable from untrusted networks. Monitoring teams should also investigate unexpected DHCP service crashes or anomalous traffic directed at DHCP servers, although Microsoft has not published vulnerability-specific detection guidance.
The practical target is straightforward: identify every Windows host running the DHCP Server role and confirm that it meets or exceeds Microsoft’s corrected July 2026 build. CVE-2026-48564 is vendor-confirmed and patched; the unresolved part is how quickly attackers can turn the limited public details into a dependable exploit.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com