CVE-2026-49181 exposes the Windows DHCP Client to a network-based elevation-of-privilege attack, allowing an unauthenticated attacker to target affected systems without user interaction. Microsoft fixed the flaw in its July 14, 2026 security updates, and administrators running vulnerable Windows Server or long-term servicing Windows 10 releases should treat deployment as a priority.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-49181 carries a CVSS 3.1 base score of 7.5, placing it in the High range. Microsoft classifies the vulnerability as Important and describes the underlying weakness as an integer underflow in the Windows DHCP Client.
The affected list is narrower than the component name might suggest. Microsoft identifies Windows Server 2012 through Windows Server 2025, plus Windows 10 versions 1607 and 1809; current Windows 11 releases are not listed in the initial CVE record.
CVE-2026-49181 is categorized as CWE-191, an integer underflow or wraparound. This class of bug occurs when an arithmetic operation produces a value below the range that the software expects, causing it to wrap into a much larger value or otherwise corrupt subsequent calculations.
Microsoft has not published enough technical detail to show precisely which DHCP field, message sequence, or client operation triggers the flaw. The company’s description nevertheless confirms that the vulnerable component processes attacker-controlled network data in a way that can lead to privilege elevation.
The CVSS vector is particularly important: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In practical terms, Microsoft says the attack is reachable over a network, has low complexity, requires no existing privileges and does not depend on a user clicking, opening or approving anything.
That combination deserves attention even though the score stops at 7.5. DHCP is foundational network plumbing, and client functionality is present on systems that administrators may not instinctively classify as exposed services. The relevant question is not simply whether a machine is reachable from the public internet, but whether an attacker can place malicious traffic where the affected DHCP client will process it.
Microsoft’s CVSS impact calculation marks confidentiality as High while leaving integrity and availability at None. That is an unusual-looking profile for a vulnerability titled as elevation of privilege, and the public advisory does not explain the apparent distinction. Administrators should therefore avoid inventing a more specific post-exploitation outcome until Microsoft or a researcher publishes a technical analysis.
That product range makes CVE-2026-49181 primarily an enterprise patch-management problem. Server 2012 and Server 2012 R2 are beyond normal support and require the appropriate Extended Security Update entitlement, while Windows 10 version 1607 and version 1809 generally remain in specialized servicing channels rather than mainstream consumer deployments.
The presence of DHCP Server on a machine is not the deciding factor. The vulnerable component is the Windows DHCP Client, so administrators should inventory affected operating-system builds rather than limiting remediation to servers assigned the DHCP Server role.
Static addressing may reduce how often a system participates in ordinary DHCP exchanges, but Microsoft has not documented it as a mitigation or workaround. Disabling DHCP-related functionality without understanding dependencies can also disrupt address management, failover behavior, network identification and operational tooling. Installing the supported security update is the reliable correction.
It does not mean attacks have been confirmed in the wild.
As of the July 14 publication, the public records did not identify CVE-2026-49181 as exploited or publicly disclosed. CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no observed exploitation, while rating exploitation as automatable and the technical impact as partial.
Those findings create a familiar patching balance. There is no public indication of an active emergency, but the attack prerequisites are favorable: no credentials, no user interaction, low complexity and network access. The absence of a public proof of concept on release day should not be interpreted as durable protection, particularly after update packages give researchers and attackers an opportunity to compare patched and unpatched binaries.
Network controls still matter. DHCP snooping, switch-port protections, segmentation and controls against rogue DHCP infrastructure can constrain several classes of local-network attack. They should be viewed as layers that may reduce exposure, not as substitutes for Microsoft’s fix, because the company has not stated that any one network control fully blocks CVE-2026-49181.
Administrators can confirm remediation by checking that systems have reached or exceeded Microsoft’s fixed build number for their release. Relying only on an update console’s “installed” status is weaker than validating the resulting OS build, especially on older servers with servicing-stack, entitlement or installation-history complications.
Security teams should also monitor for Microsoft revisions. The advisory was published on July 14, 2026, and no modified date was available at publication time; exploitability assessments, affected-product tables and acknowledgements can change after initial release.
CVE-2026-49181 is not currently documented as an exploited zero-day, but its network-accessible, unauthenticated path leaves little justification for carrying vulnerable builds through another monthly cycle. The concrete cutoff is now available: systems below the listed July 2026 builds remain exposed, and systems that successfully install and verify the corresponding update receive Microsoft’s fix.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-49181 carries a CVSS 3.1 base score of 7.5, placing it in the High range. Microsoft classifies the vulnerability as Important and describes the underlying weakness as an integer underflow in the Windows DHCP Client.
The affected list is narrower than the component name might suggest. Microsoft identifies Windows Server 2012 through Windows Server 2025, plus Windows 10 versions 1607 and 1809; current Windows 11 releases are not listed in the initial CVE record.
A DHCP Client Bug With Network Reach
CVE-2026-49181 is categorized as CWE-191, an integer underflow or wraparound. This class of bug occurs when an arithmetic operation produces a value below the range that the software expects, causing it to wrap into a much larger value or otherwise corrupt subsequent calculations.Microsoft has not published enough technical detail to show precisely which DHCP field, message sequence, or client operation triggers the flaw. The company’s description nevertheless confirms that the vulnerable component processes attacker-controlled network data in a way that can lead to privilege elevation.
The CVSS vector is particularly important: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In practical terms, Microsoft says the attack is reachable over a network, has low complexity, requires no existing privileges and does not depend on a user clicking, opening or approving anything.
That combination deserves attention even though the score stops at 7.5. DHCP is foundational network plumbing, and client functionality is present on systems that administrators may not instinctively classify as exposed services. The relevant question is not simply whether a machine is reachable from the public internet, but whether an attacker can place malicious traffic where the affected DHCP client will process it.
Microsoft’s CVSS impact calculation marks confidentiality as High while leaving integrity and availability at None. That is an unusual-looking profile for a vulnerability titled as elevation of privilege, and the public advisory does not explain the apparent distinction. Administrators should therefore avoid inventing a more specific post-exploitation outcome until Microsoft or a researcher publishes a technical analysis.
Server Fleets Carry Most of the Exposure
Microsoft’s initial affected-product data covers a long span of Windows Server releases, including Server Core installations where explicitly listed. The fixed-build thresholds recorded in the CVE data are:- Windows Server 2012 is affected before build 6.2.9200.26226.
- Windows Server 2012 R2 is affected before build 6.3.9600.23291.
- Windows Server 2016 and Windows 10 version 1607 are affected before build 14393.9339.
- Windows Server 2019 and Windows 10 version 1809 are affected before build 17763.9020.
- Windows Server 2022 is affected before build 20348.5386.
- Windows Server 2025 is affected before build 26100.33158.
That product range makes CVE-2026-49181 primarily an enterprise patch-management problem. Server 2012 and Server 2012 R2 are beyond normal support and require the appropriate Extended Security Update entitlement, while Windows 10 version 1607 and version 1809 generally remain in specialized servicing channels rather than mainstream consumer deployments.
The presence of DHCP Server on a machine is not the deciding factor. The vulnerable component is the Windows DHCP Client, so administrators should inventory affected operating-system builds rather than limiting remediation to servers assigned the DHCP Server role.
Static addressing may reduce how often a system participates in ordinary DHCP exchanges, but Microsoft has not documented it as a mitigation or workaround. Disabling DHCP-related functionality without understanding dependencies can also disrupt address management, failover behavior, network identification and operational tooling. Installing the supported security update is the reliable correction.
“Confirmed” Does Not Mean Exploited
The supplied advisory text highlights the CVSS report confidence metric, which Microsoft marks as Confirmed. That designation concerns confidence in the technical finding: the vendor has acknowledged the bug, and sufficient evidence exists to establish that the vulnerability is real.It does not mean attacks have been confirmed in the wild.
As of the July 14 publication, the public records did not identify CVE-2026-49181 as exploited or publicly disclosed. CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no observed exploitation, while rating exploitation as automatable and the technical impact as partial.
Those findings create a familiar patching balance. There is no public indication of an active emergency, but the attack prerequisites are favorable: no credentials, no user interaction, low complexity and network access. The absence of a public proof of concept on release day should not be interpreted as durable protection, particularly after update packages give researchers and attackers an opportunity to compare patched and unpatched binaries.
Network controls still matter. DHCP snooping, switch-port protections, segmentation and controls against rogue DHCP infrastructure can constrain several classes of local-network attack. They should be viewed as layers that may reduce exposure, not as substitutes for Microsoft’s fix, because the company has not stated that any one network control fully blocks CVE-2026-49181.
Patch the Build, Then Verify the Network
For managed environments, the immediate task is to approve the July 2026 cumulative or security-only update applicable to each affected branch. Deployment rings should include representative domain controllers, application servers, Server Core systems and machines using unusual static-address or failover configurations, followed by verification that DHCP-dependent networking continues to operate normally.Administrators can confirm remediation by checking that systems have reached or exceeded Microsoft’s fixed build number for their release. Relying only on an update console’s “installed” status is weaker than validating the resulting OS build, especially on older servers with servicing-stack, entitlement or installation-history complications.
Security teams should also monitor for Microsoft revisions. The advisory was published on July 14, 2026, and no modified date was available at publication time; exploitability assessments, affected-product tables and acknowledgements can change after initial release.
CVE-2026-49181 is not currently documented as an exploited zero-day, but its network-accessible, unauthenticated path leaves little justification for carrying vulnerable builds through another monthly cycle. The concrete cutoff is now available: systems below the listed July 2026 builds remain exposed, and systems that successfully install and verify the corresponding update receive Microsoft’s fix.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com