Microsoft has fixed CVE-2026-49174, an Important-rated Windows DNS Client vulnerability that allows an authenticated local attacker to tamper with DNS-related behavior. The flaw carries a CVSS 3.1 score of 6.1 and is addressed by the Windows security updates released on July 14, 2026.
Detailed in Microsoft’s Security Update Guide, the vulnerability stems from missing authentication for a critical function in Microsoft Windows DNS. Microsoft says an authorized attacker could exploit the weakness locally to perform tampering, placing it well below the risk posed by an unauthenticated, network-reachable DNS vulnerability—but still making it relevant to multi-user systems, servers, virtual desktop infrastructure, and environments where an attacker may already possess limited access.
The vulnerability was not publicly disclosed before Microsoft issued the fix, and Microsoft had not identified exploitation in the wild at publication time. Zero Day Initiative’s July Patch Tuesday review likewise lists CVE-2026-49174 as neither publicly known nor actively exploited.
CVE-2026-49174 is a local vulnerability, not a conventional remote DNS cache-poisoning flaw that an anonymous attacker can trigger directly from the network. Exploitation requires an attacker who is already authorized to access the affected Windows system, according to Microsoft’s description.
That distinction matters for prioritization. An internet-facing server is not exposed merely because it runs the Windows DNS Client, and an attacker cannot apparently compromise an untouched PC simply by returning a malicious DNS response. The more plausible scenario is a second-stage attack in which someone with a foothold or low-privilege account interferes with DNS handling to influence where the affected machine sends traffic.
DNS tampering can have consequences beyond unreliable name resolution. If an attacker can alter how a system resolves a hostname, applications may be directed toward attacker-controlled infrastructure, internal services may become unreachable, or security controls that depend on accurate domain resolution may receive misleading results. The exact technical path Microsoft patched has not been publicly documented, so administrators should not assume that familiar controls such as a protected
Microsoft maps the vulnerability to CWE-306, Missing Authentication for Critical Function. That classification indicates that Windows failed to require the intended authentication or authorization check before permitting a sensitive DNS-related action. It does not mean that CVE-2026-49174 is remotely exploitable without credentials; Microsoft’s own description explicitly places the attack locally and requires an authorized attacker.
The vulnerable product families include:
For server estates, Windows Server 2022 is fixed at OS build 20348.5386 through KB5099540. Windows Server 2025 is fixed at build 26100.33158. Windows 11 26H1 systems need the applicable July update that advances them beyond the vulnerable 28000-series build identified in Microsoft’s product data.
Administrators should verify the installed cumulative update rather than treating the operating system’s marketing version as proof of protection. Running
Zero Day Initiative called out the cluster as notable: Windows DNS Client appears multiple times in the same release, including flaws attributed to missing authentication and improper access control. Although Microsoft has not established that the bugs share a root cause, their concentration means administrators should treat the cumulative update as the remediation rather than attempting to isolate and mitigate one DNS code path.
The distinction between the DNS Client and the Windows DNS Server role is also important. CVE-2026-49174 affects Windows systems acting as DNS clients, which includes ordinary workstations and servers that resolve names. It is not limited to domain controllers or machines with the DNS Server role installed.
Microsoft separately fixed DNS Server remote-code-execution vulnerabilities CVE-2026-49169 and CVE-2026-50426 in the same Patch Tuesday release. Those entries have different attack conditions and should not be conflated with the local tampering behavior documented for CVE-2026-49174.
That does not justify leaving the DNS Client fix pending for an extended period. Local vulnerabilities are frequently used after an initial compromise, when malware or a human operator needs to weaken system behavior, redirect communications, or establish persistence. Shared Windows hosts and systems granting interactive access to contractors, students, developers, help-desk personnel, or remote application users have a broader pool of accounts from which exploitation could begin.
Endpoint teams should deploy the July cumulative updates through Windows Update, Windows Server Update Services, Microsoft Intune, Configuration Manager, or their normal patch platform. Because the correction ships in cumulative Windows servicing, there is no separate DNS Client package to install and no Microsoft-documented registry workaround that provides equivalent protection.
The generic confidence-language shown alongside some vulnerability records should not be mistaken for evidence that Microsoft is uncertain whether CVE-2026-49174 exists. Microsoft has acknowledged the vulnerability, assigned it a CVE and CWE classification, identified affected builds, and released corrected Windows updates. What remains limited is the public technical detail that would explain exactly which critical DNS function lacked the required authentication check.
For most organizations, installing the July 14, 2026 cumulative update is the practical fix. The outstanding question is whether Microsoft or an independent researcher will later disclose enough technical information to show how DNS behavior can be altered—and whether that knowledge changes the flaw from a routine local patching concern into a useful component of post-compromise attack chains.
Detailed in Microsoft’s Security Update Guide, the vulnerability stems from missing authentication for a critical function in Microsoft Windows DNS. Microsoft says an authorized attacker could exploit the weakness locally to perform tampering, placing it well below the risk posed by an unauthenticated, network-reachable DNS vulnerability—but still making it relevant to multi-user systems, servers, virtual desktop infrastructure, and environments where an attacker may already possess limited access.
The vulnerability was not publicly disclosed before Microsoft issued the fix, and Microsoft had not identified exploitation in the wild at publication time. Zero Day Initiative’s July Patch Tuesday review likewise lists CVE-2026-49174 as neither publicly known nor actively exploited.
The Attack Starts on the Windows Machine
CVE-2026-49174 is a local vulnerability, not a conventional remote DNS cache-poisoning flaw that an anonymous attacker can trigger directly from the network. Exploitation requires an attacker who is already authorized to access the affected Windows system, according to Microsoft’s description.That distinction matters for prioritization. An internet-facing server is not exposed merely because it runs the Windows DNS Client, and an attacker cannot apparently compromise an untouched PC simply by returning a malicious DNS response. The more plausible scenario is a second-stage attack in which someone with a foothold or low-privilege account interferes with DNS handling to influence where the affected machine sends traffic.
DNS tampering can have consequences beyond unreliable name resolution. If an attacker can alter how a system resolves a hostname, applications may be directed toward attacker-controlled infrastructure, internal services may become unreachable, or security controls that depend on accurate domain resolution may receive misleading results. The exact technical path Microsoft patched has not been publicly documented, so administrators should not assume that familiar controls such as a protected
hosts file or a locked-down DNS server configuration necessarily block it.Microsoft maps the vulnerability to CWE-306, Missing Authentication for Critical Function. That classification indicates that Windows failed to require the intended authentication or authorization check before permitting a sensitive DNS-related action. It does not mean that CVE-2026-49174 is remotely exploitable without credentials; Microsoft’s own description explicitly places the attack locally and requires an authorized attacker.
Supported Windows Generations Share the Exposure
Microsoft’s affected-product data spans current Windows 11 releases, supported Windows 10 installations, and three Windows Server generations. Both full desktop installations and Server Core are affected where listed.The vulnerable product families include:
- Windows 10 versions 1809, 21H2, and 22H2 are affected on applicable architectures.
- Windows 11 versions 24H2, 25H2, and 26H1 are affected on x64 and ARM64 systems.
- Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
- Server Core installations of Windows Server 2019 and Windows Server 2025 are also included in Microsoft’s affected-product data.
For server estates, Windows Server 2022 is fixed at OS build 20348.5386 through KB5099540. Windows Server 2025 is fixed at build 26100.33158. Windows 11 26H1 systems need the applicable July update that advances them beyond the vulnerable 28000-series build identified in Microsoft’s product data.
Administrators should verify the installed cumulative update rather than treating the operating system’s marketing version as proof of protection. Running
winver, checking the Windows Update history, querying endpoint-management inventory, or using PowerShell to inspect installed hotfixes can establish whether the July 14 security baseline has reached each machine.Three DNS Client Tampering Fixes Land Together
CVE-2026-49174 is not the only DNS Client tampering vulnerability in the July release. Microsoft also patched CVE-2026-50495, another CVSS 6.1 tampering flaw, and CVE-2026-50465, which carries a higher score of 7.1. Two additional Windows DNS Client vulnerabilities, CVE-2026-49175 and CVE-2026-50487, address elevation of privilege.Zero Day Initiative called out the cluster as notable: Windows DNS Client appears multiple times in the same release, including flaws attributed to missing authentication and improper access control. Although Microsoft has not established that the bugs share a root cause, their concentration means administrators should treat the cumulative update as the remediation rather than attempting to isolate and mitigate one DNS code path.
The distinction between the DNS Client and the Windows DNS Server role is also important. CVE-2026-49174 affects Windows systems acting as DNS clients, which includes ordinary workstations and servers that resolve names. It is not limited to domain controllers or machines with the DNS Server role installed.
Microsoft separately fixed DNS Server remote-code-execution vulnerabilities CVE-2026-49169 and CVE-2026-50426 in the same Patch Tuesday release. Those entries have different attack conditions and should not be conflated with the local tampering behavior documented for CVE-2026-49174.
Patch Priority Depends on Who Can Sign In
The absence of known exploitation and the requirement for local, authorized access make CVE-2026-49174 a lower emergency priority than July’s actively exploited zero-days. BleepingComputer reports that Microsoft’s unusually large July 2026 Patch Tuesday release addresses 570 vulnerabilities, including two flaws already exploited in attacks and one additional publicly disclosed zero-day.That does not justify leaving the DNS Client fix pending for an extended period. Local vulnerabilities are frequently used after an initial compromise, when malware or a human operator needs to weaken system behavior, redirect communications, or establish persistence. Shared Windows hosts and systems granting interactive access to contractors, students, developers, help-desk personnel, or remote application users have a broader pool of accounts from which exploitation could begin.
Endpoint teams should deploy the July cumulative updates through Windows Update, Windows Server Update Services, Microsoft Intune, Configuration Manager, or their normal patch platform. Because the correction ships in cumulative Windows servicing, there is no separate DNS Client package to install and no Microsoft-documented registry workaround that provides equivalent protection.
The generic confidence-language shown alongside some vulnerability records should not be mistaken for evidence that Microsoft is uncertain whether CVE-2026-49174 exists. Microsoft has acknowledged the vulnerability, assigned it a CVE and CWE classification, identified affected builds, and released corrected Windows updates. What remains limited is the public technical detail that would explain exactly which critical DNS function lacked the required authentication check.
For most organizations, installing the July 14, 2026 cumulative update is the practical fix. The outstanding question is whether Microsoft or an independent researcher will later disclose enough technical information to show how DNS behavior can be altered—and whether that knowledge changes the flaw from a routine local patching concern into a useful component of post-compromise attack chains.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com