CVE-2026-50518
Windows DHCP Server Remote Code Execution Vulnerability
Description
Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network.
In plain language
AI Act nowThis is a Windows DHCP Server flaw that can let an attacker run malicious code remotely without logins or user clicks; if you run DHCP Server on the affected Windows versions, you should treat it as urgent and patch.
CVE-2026-50518 is an unauthenticated, network-reachable heap-based buffer overflow in the Windows DHCP Server that can allow remote arbitrary code execution (CWE-122) with no user interaction required.
What to do now
- Check whether this device runs the DHCP Server role (and whether DHCP server traffic can reach it).
- Confirm the exact Windows version/build number on the server (Windows 10 or one of the listed Windows Server versions).
- Upgrade/patch to the fixed build for your specific branch: Windows 10 10.0.14393.9339 or 10.0.17763.9020; Windows Server 2012 6.2.9200.26226; Windows Server 2012 R2 6.3.9600.23291; Windows Server 2016 10.0.14393.9339; Windows Server 2019 10.0.17763.9020; Windows Server 2022 10.0.20348.5386; Windows Server 2025 10.0.26100.33158.
- If patching must be delayed, restrict network access so untrusted clients/networks cannot reach the DHCP Server service (allow only your approved admin networks and subnets).
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Цунами уязвимостей: июльский Microsoft Patch Tuesdayru-ru·Kaspersky Daily (RU)· Summary only·
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Daysen-us·SecurityWeek·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-50518 and every CVE in our database. Create a free account — no credit card required.
Create Free Account