CVE-2026-50370: Patch Windows DHCP Server RCE by July 14

Microsoft has patched CVE-2026-50370, a critical remote code execution vulnerability in the Windows DHCP Server service that can be triggered by an unauthenticated attacker on an adjacent network. Administrators running DHCP on Windows Server 2012 through Windows Server 2025 should treat the July 14, 2026 security updates as a priority deployment rather than waiting for a routine maintenance window.
Detailed in Microsoft’s Security Update Guide and recorded by the National Vulnerability Database, the flaw is a heap-based buffer overflow caused by improper input validation. Microsoft assigned it a CVSS 3.1 score of 8.8 and rates exploitation as more likely, although there was no indication at publication that attacks had already been observed or that the vulnerability had been publicly disclosed.
The important operational distinction is that this is not a conventional internet-wide RCE. Its CVSS attack vector is adjacent, meaning an attacker must be able to deliver malicious DHCP traffic from a network segment that can reach the server directly or through infrastructure configured to relay that traffic.

Cybersecurity network diagram showing VLANs, a DHCP server, UDP 67 alert, Wi-Fi, and patch monitoring.Malformed DHCP Traffic Reaches a Privileged Service​

CVE-2026-50370 carries the vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, exploitation requires low complexity, no existing account, no privileges, and no action from an administrator or end user.
A successful attack could produce a complete loss of confidentiality, integrity, and availability within the vulnerable service’s security context. Microsoft describes the underlying weakness as both CWE-20, improper input validation, and CWE-122, a heap-based buffer overflow. That combination indicates that specially constructed network input can corrupt memory while the DHCP Server service processes it, creating a potential path to attacker-controlled code execution.
DHCP is particularly sensitive infrastructure because clients rely on it before they have a complete network configuration. Windows Server receives DHCP client traffic on UDP port 67, while clients normally use UDP port 68. Those broadcasts are typically confined to a VLAN or subnet, but DHCP relay agents—often configured as IP helpers on routers and Layer 3 switches—forward requests between network segments.
That architecture widens the practical meaning of “adjacent.” An attacker does not necessarily need to be physically connected to the same switch as the server. Any client network whose DHCP traffic is forwarded to the affected Windows server may form part of the reachable attack surface.
This is also why simply checking whether UDP 67 is blocked at the internet perimeter is insufficient. Most properly designed environments will already prevent public access to DHCP, but internal segmentation, wireless guest networks, laboratory VLANs, VPN address pools, and relay configurations determine which systems can actually send traffic into the service.

The Server Role Defines the Real Exposure​

The affected product list includes Windows client releases because Windows 10 Version 1607 and Version 1809 share servicing components with corresponding Windows Server releases. For enterprise triage, however, the systems of immediate interest are machines where the DHCP Server role is installed and active.
Microsoft’s affected-version data identifies these corrected build thresholds:
  • Windows Server 2012 must be updated to build 6.2.9200.26226 or later.
  • Windows Server 2012 R2 must be updated to build 6.3.9600.23291 or later.
  • Windows Server 2016 and Windows 10 Version 1607 must reach build 14393.9339.
  • Windows Server 2019 and Windows 10 Version 1809 must reach build 17763.9020.
  • Windows Server 2022 must reach build 20348.5386.
  • Windows Server 2025 must reach build 26100.33158.
Server Core installations are affected where Microsoft lists them, so the absence of the full desktop interface offers no protection. Windows Server 2025 receives the fix through KB5099536, taking it to OS build 26100.33158; Windows Server 2022 receives KB5099540 and build 20348.5386; and Windows Server 2016 receives KB5099535 and build 14393.9339. Older platforms receive their corresponding July 2026 security-only or monthly rollup packages, including KB5099444 for applicable legacy servicing configurations.
Administrators should verify the installed OS build rather than relying only on a successful Windows Update status. Servers managed through WSUS, Microsoft Configuration Manager, Azure Update Manager, third-party patching systems, or manually imported Microsoft Update Catalog packages can report different deployment states depending on approval and reboot policies.
A restart may also be needed to place the corrected binaries into service. For DHCP failover pairs, patches should be staged so that lease availability remains intact while each partner is updated and restarted. The security urgency does not remove the need to preserve address assignment for endpoints, phones, wireless access points, and other infrastructure that depends on dynamic leases.

“Confirmed” Describes Evidence, Not Active Exploitation​

The report-confidence field supplied with CVE-2026-50370 is easy to misread. Microsoft marks the vulnerability as confirmed, meaning the vendor has sufficient technical evidence to validate that the flaw exists and that the reported behavior is credible.
It does not mean Microsoft has confirmed attacks in the wild. Report confidence measures certainty in the vulnerability and its technical description; exploitability assessments measure how likely working attacks are to emerge; and active-exploitation status records whether attacks have actually been observed. Those are separate signals.
At publication, the available data placed CVE-2026-50370 in a concerning middle position: the flaw was vendor-confirmed, Microsoft considered exploitation more likely, and the technical conditions did not require authentication or user interaction. Yet it was not listed as publicly disclosed or already exploited.
Tenable highlighted CVE-2026-50370 among several DHCP Server and DHCP Client vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. The volume of fixes should not allow this one to disappear into a general workstation rollout: DHCP servers are fewer in number, easier to inventory, and substantially more consequential when compromised or taken offline.
CISA’s initial decision model recorded no known exploitation and classified the issue as not readily automatable at that point, while recognizing that successful exploitation could have total technical impact. That assessment can change as researchers inspect the patches and compare corrected binaries with previous builds.

Patch First, Then Audit Every Relay Path​

The primary action is to install the July 2026 cumulative security update on every Windows server operating the DHCP role. If normal change controls prevent an immediate update, administrators should reduce the reachable client population and tightly restrict which relay agents and network interfaces can communicate with UDP 67 on the server.
That is a containment measure, not a substitute for patching. DHCP must remain reachable from legitimate clients and relays, making broad port blocking operationally disruptive and potentially ineffective if an attacker already controls an authorized segment.
A focused response should include checking installed roles with Server Manager or PowerShell, confirming the corrected OS build, reviewing DHCP failover partners, and mapping every router or switch configured to forward DHCP requests. Network teams should pay particular attention to guest, contractor, bring-your-own-device, industrial, and development segments that relay traffic to a shared Windows DHCP service.
DHCP snooping, switch-port controls, network access control, and segmentation can reduce opportunities for a malicious endpoint to transmit unexpected DHCP traffic. They should be considered defense-in-depth, however, because the vulnerability resides in the Windows service’s handling of input that reaches it.
CVE-2026-50370 is not an internet worm by definition, but it targets a foundational Windows Server role with unauthenticated, low-complexity input and a high-impact memory-corruption condition. The next milestone is straightforward: every production DHCP server should be on its July 14, 2026 patched build before public technical analysis turns Microsoft’s confirmed vulnerability into a repeatable attack.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top