Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Technical ContextAI
The vulnerability lives in the Windows DHCP Client component, which is responsible for parsing DHCP OFFER/ACK messages (RFC 2131) received on UDP port 68 from a DHCP server. CWE-121 (Stack-based Buffer Overflow) indicates that the client copies attacker-supplied data - likely an option field, hostname, or vendor-specific value - into a fixed-size stack buffer without adequate bounds checking, allowing adjacent stack memory including the saved return address or structured exception handler to be corrupted. The DHCP client service typically runs with elevated system privileges and processes broadcast traffic before any user logs in, making the parser an attractive pre-authentication attack surface. CPE-level enumeration of affected SKUs was not provided in the references, so the precise Windows versions must be confirmed via the MSRC advisory.
RemediationAI
Patch available per vendor advisory: apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44815 as soon as the affected Windows builds are identified in the MSRC update guide, prioritizing internet-facing or untrusted-network-connected hosts (laptops on public Wi-Fi, kiosks, jump boxes) first. As compensating controls until patches are deployed, restrict the DHCP client to trusted network segments by enforcing DHCP snooping and rogue-DHCP-server detection on managed switches, block inbound UDP/68 at host firewalls on systems that use static IP assignments, and consider disabling the 'DHCP Client' service ('Dhcp') on servers with static addressing - note the trade-off that this will break dynamic addressing, Group Policy DNS registration of dynamic clients, and any feature relying on DHCP option discovery. On segments where DHCP cannot be disabled, isolating untrusted devices on a separate VLAN reduces the broadcast domain an attacker would need to reach to deliver a malicious response, but does not eliminate risk from a compromised same-segment peer.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35751
GHSA-wwrj-9chx-qprx