Skip to main content

Windows DHCP Client CVE-2026-44815

| EUVDEUVD-2026-35751 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-09 secure@microsoft.com GHSA-wwrj-9chx-qprx
9.8
CVSS 3.1 · NVD
Temporal: 8.5
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
8.5 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:31 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
CRITICAL 9.8

DescriptionNVD

Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.

Technical ContextAI

The vulnerability lives in the Windows DHCP Client component, which is responsible for parsing DHCP OFFER/ACK messages (RFC 2131) received on UDP port 68 from a DHCP server. CWE-121 (Stack-based Buffer Overflow) indicates that the client copies attacker-supplied data - likely an option field, hostname, or vendor-specific value - into a fixed-size stack buffer without adequate bounds checking, allowing adjacent stack memory including the saved return address or structured exception handler to be corrupted. The DHCP client service typically runs with elevated system privileges and processes broadcast traffic before any user logs in, making the parser an attractive pre-authentication attack surface. CPE-level enumeration of affected SKUs was not provided in the references, so the precise Windows versions must be confirmed via the MSRC advisory.

RemediationAI

Patch available per vendor advisory: apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44815 as soon as the affected Windows builds are identified in the MSRC update guide, prioritizing internet-facing or untrusted-network-connected hosts (laptops on public Wi-Fi, kiosks, jump boxes) first. As compensating controls until patches are deployed, restrict the DHCP client to trusted network segments by enforcing DHCP snooping and rogue-DHCP-server detection on managed switches, block inbound UDP/68 at host firewalls on systems that use static IP assignments, and consider disabling the 'DHCP Client' service ('Dhcp') on servers with static addressing - note the trade-off that this will break dynamic addressing, Group Policy DNS registration of dynamic clients, and any feature relying on DHCP option discovery. On segments where DHCP cannot be disabled, isolating untrusted devices on a separate VLAN reduces the broadcast domain an attacker would need to reach to deliver a malicious response, but does not eliminate risk from a compromised same-segment peer.

Share

CVE-2026-44815 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy