CVE-2026-50518: Patch Windows DHCP Server RCE Rated 9.8 Critical

CVE-2026-50518 gives an unauthenticated attacker a potential path to remote code execution on Windows DHCP Server, earning Microsoft’s highest practical CVSS rating of 9.8 Critical. The flaw was disclosed with Microsoft’s July 14, 2026 security updates and should move near the front of deployment queues wherever Windows provides DHCP services.
Detailed in Microsoft’s Security Update Guide and subsequently published by the National Vulnerability Database, the vulnerability is a heap-based buffer overflow tracked as CWE-122. Microsoft says exploitation can occur over a network without credentials or user interaction, while its Exploitability Index rates attacks as “Exploitation More Likely.”
There was no evidence of active exploitation as of July 15. CISA’s initial assessment recorded exploitation as “none,” but classified the attack as automatable and its potential technical impact as total. That combination makes this less of an incident-response emergency than an actively exploited zero-day, but not a patch administrators should leave for the end of the month.

Infographic detailing a critical Windows Server DHCP vulnerability, failover architecture, attack vector, and patch recommendations.The CVSS Vector Leaves Little Room for Comfort​

Microsoft assigned CVE-2026-50518 the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Every major element points toward a vulnerability that could be practical to weaponize if researchers or attackers develop a reliable exploit.
The network attack vector means malicious input can reach the vulnerable component remotely rather than requiring local access. Attack complexity is low, no privileges are required, and exploitation needs no action from an administrator or connected client. Microsoft also assigns high potential impact across confidentiality, integrity, and availability.
The underlying memory-safety defect is a heap-based buffer overflow. In general, this class of error occurs when software writes more data into a heap allocation than it was designed to hold, potentially corrupting adjacent memory. Depending on memory layout and available mitigations, the result may range from a DHCP service crash to attacker-controlled code execution.
Microsoft has not publicly documented the precise DHCP message, parsing path, or service state needed to trigger CVE-2026-50518. Administrators should therefore avoid assuming that a firewall rule, DHCP scope configuration, or relay topology provides complete protection unless Microsoft later identifies a specific workaround.
The published confidence metrics are also important. The temporal vector lists report confidence as confirmed and remediation as an official fix, meaning the vulnerability is vendor-acknowledged and addressed by released updates. Exploit code maturity remains unproven, but Microsoft’s “Exploitation More Likely” judgment indicates that its security team considers future weaponization plausible.

Windows Server 2012 Through Server 2025 Are in Scope​

The affected-product record spans several generations of Windows Server, including both full installations and Server Core where listed. Microsoft’s corrected build thresholds show the versions that contain the security fix:
  • Windows Server 2012 must be updated to build 6.2.9200.26226 or later.
  • Windows Server 2012 R2 must be updated to build 6.3.9600.23291 or later.
  • Windows Server 2016 must be updated to build 10.0.14393.9339 or later.
  • Windows Server 2019 must be updated to build 10.0.17763.9020 or later.
  • Windows Server 2022 must be updated to build 10.0.20348.5386 or later.
  • Windows Server 2025 must be updated to build 10.0.26100.33158 or later.
The CVE record also identifies Windows 10 Version 1607 and Windows 10 Version 1809 branches, with fixed-build boundaries matching their corresponding server codebases. That does not mean every ordinary Windows 10 workstation is operating as a DHCP server, but inventory and vulnerability-management products may still flag these product versions based on Microsoft’s affected-platform data.
Server Core does not provide an escape hatch. Windows Server 2012, 2012 R2, 2016, 2019, and 2025 Core installations appear in the affected record, while Windows Server 2022 is listed without a separate Core entry. Administrators should rely on the installed operating-system build and Microsoft’s update applicability data rather than the presence or absence of a desktop shell.
The inclusion of Windows Server 2012 and 2012 R2 also raises a support question. Those releases are beyond standard extended support and generally require Extended Security Updates or another applicable servicing arrangement. An old server continuing to distribute addresses reliably is still an old server running remotely reachable infrastructure code, and its apparent stability does not reduce the vulnerability’s severity.

DHCP Turns a Server Bug Into an Infrastructure Risk​

DHCP is rarely treated like a user-facing application, yet it sits at a foundational point in most Windows networks. Clients depend on it for address leases and commonly receive routing, DNS, domain, and other configuration through the service. Compromise or disruption can therefore affect much more than the Windows host running the role.
A successful remote-code-execution attack could potentially give an intruder control in the security context used by the vulnerable service. Microsoft has not published enough technical detail to state what post-exploitation privileges are reliably attainable, but the CVSS impact ratings contemplate complete loss of confidentiality, integrity, and availability on the affected system.
Even an unsuccessful attempt could matter operationally. Heap corruption frequently causes process termination before exploit developers achieve reliable code execution. Repeated malformed traffic could therefore create DHCP outages, interrupt lease processing, or force failover systems to carry unexpected load.
Exposure should be evaluated by network path rather than by asking whether a DHCP server is “internet-facing.” DHCP traffic is usually constrained to local broadcast domains and relayed across routed networks, but compromised endpoints, malicious devices, incorrectly filtered relay traffic, and complex enterprise segmentation can place hostile input within reach. A server can be shielded from the public internet and still have a substantial internal attack surface.
DHCP failover does not remove the need to patch either partner. It may provide service continuity while one node is maintained, but leaving the secondary server vulnerable simply preserves an alternate target. Administrators should use failover to stage deployment and reduce downtime, not as a security mitigation.

July’s DHCP Fixes Need to Be Tested as a Group​

CVE-2026-50518 is not the only DHCP-related issue in Microsoft’s July 2026 release. Lansweeper’s Patch Tuesday analysis highlighted it alongside CVE-2026-50370, another DHCP Server remote-code-execution flaw, and CVE-2026-54128 in the Windows DHCP Client. All three received Microsoft’s “Exploitation More Likely” assessment.
The broader July release also includes additional DHCP Server vulnerabilities covering remote code execution and denial of service. That concentration suggests administrators should validate the cumulative update against the entire DHCP workload rather than testing only for the absence of CVE-2026-50518.
For Windows DHCP deployments, post-update checks should cover service startup, lease issuance and renewal, reservations, scope options, authorization in Active Directory, audit logging, and any configured failover relationship. Networks using DHCP relay agents should verify lease traffic from each routed segment, since a test performed only on the server’s local subnet may miss relay-specific problems.
Monitoring deserves similar attention after rollout. Administrators should watch the DHCP Server event channels, service state, failover replication, address-pool utilization, and unusual increases in malformed or rejected traffic. Security teams with supported Check Point gateways can also deploy the vendor’s newly released IPS protection for CVE-2026-50518 as an additional detection layer, though an IPS signature is not a substitute for the Microsoft update.
The immediate objective is straightforward: identify every Windows system providing DHCP, confirm its July 2026 cumulative update and resulting build number, and patch both members of any failover pair. With no active exploitation reported, administrators have a narrow opportunity to test methodically—but Microsoft’s exploitability assessment argues against turning that opportunity into a prolonged delay.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: cyber.gov.au
  3. Related coverage: datacomm.com
 

Back
Top