CVE-2026-49175 exposes supported Windows desktops and servers to local privilege escalation through a heap-based buffer overflow in the Windows DNS Client. Microsoft fixed the vulnerability in its July 14, 2026 security updates, rating it Important with a CVSS 3.1 score of 7.8.
Detailed in Microsoft’s Security Update Guide, the flaw allows an authorized attacker with local access to elevate privileges. It affects Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025, making the monthly cumulative update the practical remedy for both endpoints and servers.
Microsoft’s initial advisory does not describe active exploitation or a publicly available proof of concept. That lowers the immediate emergency compared with July’s exploited zero-days, but the combination of memory corruption and privilege escalation still makes CVE-2026-49175 a meaningful post-compromise risk.
The affected component is the Windows DNS Client, not the DNS Server role. Administrators should therefore avoid treating this as a vulnerability limited to domain controllers or machines hosting Microsoft DNS. Ordinary workstations, member servers, virtual desktops, and Server Core installations can all fall within the affected product range.
Microsoft describes the underlying weakness as a heap-based buffer overflow, categorized as CWE-122. This class of bug occurs when software writes beyond the allocated boundary of a memory region on the heap, potentially corrupting adjacent data and altering program behavior.
In this case, Microsoft says exploitation requires an authorized attacker and occurs locally. CVE-2026-49175 is consequently not presented as an unauthenticated, network-borne DNS attack capable of compromising any reachable Windows computer from the internet. An attacker must first obtain some level of access to the target system and then exploit the DNS Client flaw to gain higher privileges.
That distinction shapes the risk without making the flaw harmless. Local elevation-of-privilege vulnerabilities are routinely useful in attack chains: phishing, credential theft, a malicious installer, or exploitation of another service may provide the initial foothold, while a flaw such as CVE-2026-49175 can help the intruder escape the restrictions of a standard account.
A successful privilege escalation can potentially give an attacker the authority needed to disable protections, access other users’ data, extract credentials, establish persistence, or deploy tooling that would otherwise be blocked. Microsoft has not published enough technical detail to say exactly which privilege level is attainable or which Windows DNS Client operation triggers the overflow, so claims beyond the documented local elevation should be treated cautiously.
The same caution applies to Windows 10 Version 22H2. By July 2026, many remaining Windows 10 systems will depend on Microsoft’s Extended Security Updates arrangements or specialized servicing editions. A device appearing in an affected-product table does not by itself guarantee that an unmanaged consumer installation will receive the fix automatically.
For administrators, installed build verification matters more than the marketing version alone. Windows 11 24H2 and Windows Server 2025 share the 26100 code base but have different servicing build numbers and update packages. Inventory and compliance tools should compare each device against the correct product-specific threshold rather than using a single build rule across the fleet.
The score should not be read as evidence that exploitation is easy, reliable, or already occurring. CVSS measures technical characteristics and potential consequences; it does not provide a live threat-intelligence verdict. The vulnerability-maturity language accompanying records such as this one is intended to distinguish confirmed vendor findings from rumors, incomplete research, public proof-of-concept code, and observed attacks.
Here, the vulnerability’s existence and general root cause are confirmed through Microsoft’s disclosure. The public record identifies the affected component, the heap overflow, the local privilege-escalation impact, and the vulnerable product ranges. It does not yet provide the vulnerable function, trigger conditions, exploit reliability, or indicators of compromise.
That leaves defenders with reasonably high confidence that the bug is real and patched, but limited information for building behavior-based detections. There is no public basis at publication time for a DNS-specific firewall rule, registry workaround, or service configuration change that can be said to neutralize CVE-2026-49175.
Disabling the DNS Client service would be an especially blunt response and could disrupt name resolution, domain behavior, application connectivity, and normal Windows management. Without vendor guidance supporting such a workaround, installing the security update is safer than attempting to redesign DNS behavior around an incompletely documented memory-corruption flaw.
Servers should not be deprioritized simply because the issue sits in the DNS Client. Windows servers perform DNS lookups constantly for Active Directory, management systems, application dependencies, update infrastructure, and other services. The vulnerable client-side component can be present even when the machine is not configured as a DNS server.
Endpoint detection and response controls remain important while updates roll out. Defenders should continue watching for suspicious child processes, token manipulation, unexpected service creation, security-tool interference, credential access, and persistence activity following execution under a low-privileged account. Those signals are not unique to CVE-2026-49175, but they cover the likely consequences of a successful elevation attempt more effectively than speculative DNS signatures.
Organizations using Microsoft Defender Vulnerability Management, Microsoft Intune, Windows Server Update Services, Configuration Manager, or another patch platform should track remediation by operating-system build. Scanners may initially lag behind Microsoft’s newly published metadata, so direct build checks can provide faster confirmation during the first hours of deployment.
CVE-2026-49175 arrived inside an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft fixes, while Trend Micro’s Zero Day Initiative noted multiple Windows DNS-related vulnerabilities in the same update set. CVE-2026-49175 is not the month’s most urgent internet-facing flaw, but its broad client-and-server footprint makes it a poor candidate for indefinite deferral.
The immediate task is straightforward: deploy the July 14 cumulative updates, confirm systems have reached the fixed builds, and prioritize machines where untrusted or low-privileged users can execute code. Until Microsoft publishes deeper exploitability details, patch compliance is the only dependable control specific to CVE-2026-49175.
Detailed in Microsoft’s Security Update Guide, the flaw allows an authorized attacker with local access to elevate privileges. It affects Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025, making the monthly cumulative update the practical remedy for both endpoints and servers.
Microsoft’s initial advisory does not describe active exploitation or a publicly available proof of concept. That lowers the immediate emergency compared with July’s exploited zero-days, but the combination of memory corruption and privilege escalation still makes CVE-2026-49175 a meaningful post-compromise risk.
The DNS Client Is the Privilege Boundary Here
The affected component is the Windows DNS Client, not the DNS Server role. Administrators should therefore avoid treating this as a vulnerability limited to domain controllers or machines hosting Microsoft DNS. Ordinary workstations, member servers, virtual desktops, and Server Core installations can all fall within the affected product range.Microsoft describes the underlying weakness as a heap-based buffer overflow, categorized as CWE-122. This class of bug occurs when software writes beyond the allocated boundary of a memory region on the heap, potentially corrupting adjacent data and altering program behavior.
In this case, Microsoft says exploitation requires an authorized attacker and occurs locally. CVE-2026-49175 is consequently not presented as an unauthenticated, network-borne DNS attack capable of compromising any reachable Windows computer from the internet. An attacker must first obtain some level of access to the target system and then exploit the DNS Client flaw to gain higher privileges.
That distinction shapes the risk without making the flaw harmless. Local elevation-of-privilege vulnerabilities are routinely useful in attack chains: phishing, credential theft, a malicious installer, or exploitation of another service may provide the initial foothold, while a flaw such as CVE-2026-49175 can help the intruder escape the restrictions of a standard account.
A successful privilege escalation can potentially give an attacker the authority needed to disable protections, access other users’ data, extract credentials, establish persistence, or deploy tooling that would otherwise be blocked. Microsoft has not published enough technical detail to say exactly which privilege level is attainable or which Windows DNS Client operation triggers the overflow, so claims beyond the documented local elevation should be treated cautiously.
Supported Windows Releases Share the Exposure
Microsoft’s published affected-product data spans current client and server platforms. The fixed build thresholds associated with the vulnerability are:- Windows 10 Version 21H2 is affected before build 19044.7548.
- Windows 10 Version 22H2 is affected before build 19045.7548.
- Windows 11 Version 24H2 is affected before build 26100.8875.
- Windows 11 Version 25H2 is affected before build 26200.8875.
- Windows 11 version 26H1 is affected before the corresponding July serviced build in the 28000 branch.
- Windows Server 2022 is affected before build 20348.5386.
- Windows Server 2025, including Server Core, is affected before build 26100.33158.
The same caution applies to Windows 10 Version 22H2. By July 2026, many remaining Windows 10 systems will depend on Microsoft’s Extended Security Updates arrangements or specialized servicing editions. A device appearing in an affected-product table does not by itself guarantee that an unmanaged consumer installation will receive the fix automatically.
For administrators, installed build verification matters more than the marketing version alone. Windows 11 24H2 and Windows Server 2025 share the 26100 code base but have different servicing build numbers and update packages. Inventory and compliance tools should compare each device against the correct product-specific threshold rather than using a single build rule across the fleet.
A 7.8 Score Reflects Impact, Not Remote Reach
The CVSS 3.1 score of 7.8 places CVE-2026-49175 toward the upper end of Microsoft’s Important category. That score is consistent with a local attack requiring low-level existing privileges but producing substantial impact if exploitation succeeds.The score should not be read as evidence that exploitation is easy, reliable, or already occurring. CVSS measures technical characteristics and potential consequences; it does not provide a live threat-intelligence verdict. The vulnerability-maturity language accompanying records such as this one is intended to distinguish confirmed vendor findings from rumors, incomplete research, public proof-of-concept code, and observed attacks.
Here, the vulnerability’s existence and general root cause are confirmed through Microsoft’s disclosure. The public record identifies the affected component, the heap overflow, the local privilege-escalation impact, and the vulnerable product ranges. It does not yet provide the vulnerable function, trigger conditions, exploit reliability, or indicators of compromise.
That leaves defenders with reasonably high confidence that the bug is real and patched, but limited information for building behavior-based detections. There is no public basis at publication time for a DNS-specific firewall rule, registry workaround, or service configuration change that can be said to neutralize CVE-2026-49175.
Disabling the DNS Client service would be an especially blunt response and could disrupt name resolution, domain behavior, application connectivity, and normal Windows management. Without vendor guidance supporting such a workaround, installing the security update is safer than attempting to redesign DNS behavior around an incompletely documented memory-corruption flaw.
Patch Priority Depends on Who Can Log On
Because exploitation requires an authorized local attacker, exposure is driven partly by account access. Shared workstations, Remote Desktop Session Hosts, jump servers, developer machines, kiosks with interactive users, and systems that execute untrusted code deserve closer attention than tightly controlled appliances with no interactive logon path.Servers should not be deprioritized simply because the issue sits in the DNS Client. Windows servers perform DNS lookups constantly for Active Directory, management systems, application dependencies, update infrastructure, and other services. The vulnerable client-side component can be present even when the machine is not configured as a DNS server.
Endpoint detection and response controls remain important while updates roll out. Defenders should continue watching for suspicious child processes, token manipulation, unexpected service creation, security-tool interference, credential access, and persistence activity following execution under a low-privileged account. Those signals are not unique to CVE-2026-49175, but they cover the likely consequences of a successful elevation attempt more effectively than speculative DNS signatures.
Organizations using Microsoft Defender Vulnerability Management, Microsoft Intune, Windows Server Update Services, Configuration Manager, or another patch platform should track remediation by operating-system build. Scanners may initially lag behind Microsoft’s newly published metadata, so direct build checks can provide faster confirmation during the first hours of deployment.
CVE-2026-49175 arrived inside an unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft fixes, while Trend Micro’s Zero Day Initiative noted multiple Windows DNS-related vulnerabilities in the same update set. CVE-2026-49175 is not the month’s most urgent internet-facing flaw, but its broad client-and-server footprint makes it a poor candidate for indefinite deferral.
The immediate task is straightforward: deploy the July 14 cumulative updates, confirm systems have reached the fixed builds, and prioritize machines where untrusted or low-privileged users can execute code. Until Microsoft publishes deeper exploitability details, patch compliance is the only dependable control specific to CVE-2026-49175.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com