Microsoft has patched CVE-2026-54128, a Critical use-after-free vulnerability in the Windows DHCP Client that can lead to arbitrary code execution without attacker privileges or user interaction. The flaw affects Windows 10, Windows 11, and Windows Server releases stretching from Server 2012 through Server 2025, making the July 14, 2026 security updates a priority across both endpoint and server fleets.
Detailed in Microsoft’s Security Update Guide and published as part of July 2026 Patch Tuesday, CVE-2026-54128 carries a CVSS 3.1 base score of 8.4. Microsoft classifies exploitation as more likely, although the company had not identified public disclosure, active attacks, or publicly available proof-of-concept code when the update was released.
There is, however, an important wrinkle in the available data. Microsoft calls the issue a “Windows DHCP Client Remote Code Execution Vulnerability,” while the CVE description says an unauthorized attacker can execute code locally, and the published CVSS vector specifies a local attack vector. Administrators should treat the confirmed memory-corruption bug seriously without assuming that the current record proves a conventional network-delivered DHCP attack.
CVE-2026-54128 is categorized as CWE-416, or use after free. This class of vulnerability occurs when software continues to access an area of memory after it has been released, potentially allowing memory corruption and attacker-controlled code execution.
The affected component is the Windows DHCP Client, which obtains IP addresses and other network settings for Windows systems. Its presence across ordinary workstations, laptops, virtual machines, and servers gives the vulnerability a considerably wider footprint than a flaw limited to the optional Windows DHCP Server role.
Microsoft’s CVSS vector is
The
Action1’s July Patch Tuesday analysis likewise notes that the available information confirms local code execution but does not describe the exact exploitation sequence. That uncertainty should prevent defenders from inventing a packet-level scenario that Microsoft has not documented, but it does not reduce the potential impact once the flaw is successfully triggered.
That discrepancy may reflect Microsoft’s vulnerability naming conventions, an undisclosed chain involving DHCP processing, or incomplete public details at launch. It could also be corrected in a later revision. As of July 15, 2026, the defensible reading is that code execution is confirmed, but direct remote reachability is not established by the published vector.
This matters for prioritization. CVE-2026-54128 should not be presented as a proven unauthenticated Internet worm risk, and it should not be conflated with the separate DHCP Server vulnerabilities included in the same Patch Tuesday release. Those server-side flaws have their own attack requirements, CVSS vectors, and affected configurations.
At the same time, a local vector does not mean harmless. Attackers frequently combine local code-execution or privilege-related vulnerabilities with initial-access techniques, malicious installers, compromised accounts, browser exploits, or exposed remote-management systems. A no-privilege, no-interaction memory-corruption path can become useful in a larger attack chain even when it cannot independently cross the network perimeter.
Microsoft’s “exploitation more likely” assessment raises the deployment priority beyond what the absence of known attacks might otherwise suggest. The National Vulnerability Database recorded no exploitation in CISA’s initial SSVC data, while assigning the flaw a total technical impact if exploitation succeeds. In practical terms, defenders have a confirmed vulnerability with severe consequences, but not evidence of an active campaign.
Affected releases include:
Microsoft’s CVE data identifies the fixed build thresholds directly. Windows 10 21H2 and 22H2 systems must reach builds 19044.7548 and 19045.7548, while Windows Server 2019 must reach build 17763.9020. Windows Server 2025 is affected below build 26100.33158.
Administrators should rely on the exact product and build information reported by Windows Update, Microsoft Configuration Manager, Windows Server Update Services, or their endpoint-management platform rather than attempting to locate a separate DHCP Client package. The correction ships through cumulative Windows servicing, so installing the applicable July update also deploys the fix for other vulnerabilities addressed that month.
The appropriate response is therefore to deploy the July 14 cumulative security updates using the organization’s normal staged process. Administrators can begin with representative hardware and virtual-machine rings, validate networking and line-of-business applications, and then move quickly into broader deployment because Microsoft rates exploitation as more likely.
Security teams should also avoid limiting remediation to systems acting as DHCP servers. This CVE resides in the DHCP Client, so ordinary Windows endpoints and servers that obtain or process network configuration are part of the patching scope. The presence of separate DHCP Server CVEs in the July release makes careful vulnerability-to-asset mapping especially important.
After deployment, inventory data should be checked against the fixed builds rather than relying solely on a successful update status. Offline laptops, dormant virtual machines, disaster-recovery images, pooled desktops, and server templates can all reintroduce vulnerable builds after the initial rollout appears complete.
CVE-2026-54128 currently presents defenders with an unusual combination: Critical impact, a ubiquitous networking component, and an exploitation path that Microsoft has not publicly explained. Until the advisory is revised or researchers disclose additional technical details, the safest operational conclusion is straightforward—install the July 2026 Windows security updates, verify the resulting builds, and do not mistake the advisory’s RCE title for proof of unrestricted network exploitation.
Detailed in Microsoft’s Security Update Guide and published as part of July 2026 Patch Tuesday, CVE-2026-54128 carries a CVSS 3.1 base score of 8.4. Microsoft classifies exploitation as more likely, although the company had not identified public disclosure, active attacks, or publicly available proof-of-concept code when the update was released.
There is, however, an important wrinkle in the available data. Microsoft calls the issue a “Windows DHCP Client Remote Code Execution Vulnerability,” while the CVE description says an unauthorized attacker can execute code locally, and the published CVSS vector specifies a local attack vector. Administrators should treat the confirmed memory-corruption bug seriously without assuming that the current record proves a conventional network-delivered DHCP attack.
A Use-After-Free Reaches a Core Windows Service
CVE-2026-54128 is categorized as CWE-416, or use after free. This class of vulnerability occurs when software continues to access an area of memory after it has been released, potentially allowing memory corruption and attacker-controlled code execution.The affected component is the Windows DHCP Client, which obtains IP addresses and other network settings for Windows systems. Its presence across ordinary workstations, laptops, virtual machines, and servers gives the vulnerability a considerably wider footprint than a flaw limited to the optional Windows DHCP Server role.
Microsoft’s CVSS vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That translates to low attack complexity, no privileges required, no user interaction, an unchanged security scope, and potentially high impact to confidentiality, integrity, and availability.The
AV:L value is central to understanding the risk. It indicates that the documented exploitation path is local rather than directly reachable across an arbitrary network. Microsoft’s public description does not yet explain how an unauthorized attacker reaches the vulnerable DHCP Client code, whether some preparatory condition is required, or why the advisory title uses the remote-code-execution classification.Action1’s July Patch Tuesday analysis likewise notes that the available information confirms local code execution but does not describe the exact exploitation sequence. That uncertainty should prevent defenders from inventing a packet-level scenario that Microsoft has not documented, but it does not reduce the potential impact once the flaw is successfully triggered.
The Advisory Name and CVSS Vector Do Not Tell the Same Story
Remote code execution usually implies that an attacker can reach vulnerable software through a network, file, document, or other externally supplied input. In this case, the title suggests RCE, but both Microsoft’s CVE description and its CVSS calculation describe local execution.That discrepancy may reflect Microsoft’s vulnerability naming conventions, an undisclosed chain involving DHCP processing, or incomplete public details at launch. It could also be corrected in a later revision. As of July 15, 2026, the defensible reading is that code execution is confirmed, but direct remote reachability is not established by the published vector.
This matters for prioritization. CVE-2026-54128 should not be presented as a proven unauthenticated Internet worm risk, and it should not be conflated with the separate DHCP Server vulnerabilities included in the same Patch Tuesday release. Those server-side flaws have their own attack requirements, CVSS vectors, and affected configurations.
At the same time, a local vector does not mean harmless. Attackers frequently combine local code-execution or privilege-related vulnerabilities with initial-access techniques, malicious installers, compromised accounts, browser exploits, or exposed remote-management systems. A no-privilege, no-interaction memory-corruption path can become useful in a larger attack chain even when it cannot independently cross the network perimeter.
Microsoft’s “exploitation more likely” assessment raises the deployment priority beyond what the absence of known attacks might otherwise suggest. The National Vulnerability Database recorded no exploitation in CISA’s initial SSVC data, while assigning the flaw a total technical impact if exploitation succeeds. In practical terms, defenders have a confirmed vulnerability with severe consequences, but not evidence of an active campaign.
Nearly Every Managed Windows Generation Is in Scope
The affected-product list covers supported and extended-support Windows branches, including older server installations that may be patched through specialized servicing arrangements. Server Core is affected where Microsoft lists it separately, confirming that removing the desktop interface does not eliminate exposure.Affected releases include:
- Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected on the architectures listed by Microsoft.
- Windows 11 versions 24H2, 25H2, and 26H1 are affected on x64 and Arm64 systems.
- Windows Server 2012 and Windows Server 2012 R2 are affected, including listed Server Core installations.
- Windows Server 2016 and Windows Server 2019 are affected, including Server Core.
- Windows Server 2022 and Windows Server 2025 are affected, with Server Core also included where applicable.
Microsoft’s CVE data identifies the fixed build thresholds directly. Windows 10 21H2 and 22H2 systems must reach builds 19044.7548 and 19045.7548, while Windows Server 2019 must reach build 17763.9020. Windows Server 2025 is affected below build 26100.33158.
Administrators should rely on the exact product and build information reported by Windows Update, Microsoft Configuration Manager, Windows Server Update Services, or their endpoint-management platform rather than attempting to locate a separate DHCP Client package. The correction ships through cumulative Windows servicing, so installing the applicable July update also deploys the fix for other vulnerabilities addressed that month.
Patch Broadly, Then Verify the Build
Microsoft has not published a workaround or standalone mitigation for CVE-2026-54128. Disabling DHCP and assigning static addresses across a fleet would create substantial operational risk and is not documented by Microsoft as an effective security control for this vulnerability.The appropriate response is therefore to deploy the July 14 cumulative security updates using the organization’s normal staged process. Administrators can begin with representative hardware and virtual-machine rings, validate networking and line-of-business applications, and then move quickly into broader deployment because Microsoft rates exploitation as more likely.
Security teams should also avoid limiting remediation to systems acting as DHCP servers. This CVE resides in the DHCP Client, so ordinary Windows endpoints and servers that obtain or process network configuration are part of the patching scope. The presence of separate DHCP Server CVEs in the July release makes careful vulnerability-to-asset mapping especially important.
After deployment, inventory data should be checked against the fixed builds rather than relying solely on a successful update status. Offline laptops, dormant virtual machines, disaster-recovery images, pooled desktops, and server templates can all reintroduce vulnerable builds after the initial rollout appears complete.
CVE-2026-54128 currently presents defenders with an unusual combination: Critical impact, a ubiquitous networking component, and an exploitation path that Microsoft has not publicly explained. Until the advisory is revised or researchers disclose additional technical details, the safest operational conclusion is straightforward—install the July 2026 Windows security updates, verify the resulting builds, and do not mistake the advisory’s RCE title for proof of unrestricted network exploitation.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: learn.microsoft.com
DHCP client can't get a DHCP-assigned IP address - Windows Server | Microsoft Learn
Discusses an issue where a DHCP client can't get a DHCP-assigned IP address.learn.microsoft.com - Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com