Microsoft’s June 2026 Patch Tuesday brought a grim reminder of how legacy network protocols continue to haunt enterprise security. Among the 70-plus vulnerabilities addressed this month, CVE-2026-45634 stands out: an information disclosure bug in the Windows DHCP Client that could let attackers on the same network segment peek into system memory through a crafted DHCP response. The flaw, rated Important, affects every supported Windows client and server release, and security teams are already moving to deploy the fix before the month ends.

The Common Vulnerabilities and Exposures entry outlines an out-of-bounds read in dhcpcore.dll, the core library that processes DHCP offers. When a Windows machine receives a DHCP packet with a specially formed option field—say, an overlong vendor-specific string or a malformed parameter—the client fails to properly validate the length before copying data into a fixed buffer. The resulting read past the end of an allocated memory block can disclose adjacent heap contents. Depending on what was allocated there previously, an attacker could harvest partial credentials, network configuration secrets, or even memory addresses that defeat address-space layout randomization (ASLR).

The research team at Microsoft Security Response Center (MSRC) credited an anonymous security researcher for reporting the issue in early 2026. The advisory does not name any active exploitation, but that doesn’t mean the window is wide open. Because the DHCP client runs with high privileges on all modern Windows versions, any leaked memory is read with the full context of the Local System account. On multi-tenant virtual machine hosts or in co-lo environments where a malicious actor can inject rogue DHCP responses, the blast radius could be significant.

Technical deep dive

To understand the mechanics, a quick refresher on DHCP handshake steps is in order. A client broadcasts a DHCP Discover packet, servers respond with DHCP Offer packets that include the offered IP address, subnet mask, default gateway, and optional parameters. The client then picks an offer, sends a Request, and the server finalizes with an Acknowledgement. The vulnerability fires during the processing of the Offer, before any network configuration is applied.

Windows DHCP Client service (Dhcp) lives inside svchost.exe. When the OS receives a UDP packet on port 68, the TCP/IP stack hands it to the DHCP client component. Inside dhcpcore.dll, a function responsible for parsing DHCP option 43 (vendor-specific information) uses a static allocation size of 256 bytes. The actual code iterates through the binary option data, copying each sub-option into the buffer. But the loop fails to check that the sum of sub-option lengths does not exceed 256 bytes. A DHCP server—or a machine impersonating one—can send a packet where the cumulative length crosses that boundary, and the copy operation will blithely continue reading and writing past the buffer’s end into whatever lies next in the heap.

The immediate consequence is that sensitive data from other parts of the service’s memory might end up in the miswritten buffer. The client won’t typically forward that data anywhere on its own, but a second-level attack can leverage it. For instance, if the heap contains a cached NTLM credential or a Kerberos ticket that the DHCP client was handling (perhaps for authenticated DHCP, though rare), an attacker who can also observe the victim machine’s outbound traffic might correlate disclosed credentials with network flows. More commonly, the leaked memory will contain pointers that break ASLR, enabling other memory corruption exploits.

There’s also a subtle twist: Because the DHCP Client runs under SYSTEM, the heap often contains data from other privileged services. Microsoft’s advisory stops short of calling it a cross-context leak, but any memory belonging to processes spawned by svchost.exe—firewall rules, Windows Update metadata, even parts of the registry—could be at risk.

What the patches fix

The June 2026 security update introduces a bounds check that ensures the total sub-option length never exceeds the allocated buffer size. Additionally, any sub-option longer than the remaining space is truncated instead of copied. Microsoft also added a delay in processing unauthenticated DHCP offers from untrusted interfaces, giving corporate networks time to deploy 802.1X or DHCP guard features before the vulnerable code kicks in.

Affected versions span the entire supported Windows portfolio:

  • Client: Windows 11 versions 23H2, 24H2, and the recently released 25H2. (Windows 10 is no longer supported unless covered by LTSC 2021, which also receives the update.)
  • Server: Windows Server 2019, Windows Server 2022, Windows Server 2025, and Windows Server 2028 (preview).
  • Embedded/IoT: Windows 10 IoT Enterprise LTSC 2021 and Windows 11 IoT Enterprise.

The patches arrive through Windows Update, WSUS, and the Microsoft Update Catalog. For offline environments, the standalone package can be downloaded from the catalog; administrators should prioritize hosts on DHCP-enabled networks, especially those in untrusted segments like guest VLANs or public-facing DMZs.

Attack vectors and real-world impact

Exploiting CVE-2026-45634 requires an attacker to be on the same broadcast domain as the victim machine—or to have already compromised a DHCP server or a network device capable of injecting DHCP packets. Purely remote exploitation over the internet is not feasible because DHCP is a link-layer protocol. However, internal threat actors, malicious insiders, or attackers who have gained a foothold through phishing and now move laterally could use this vulnerability to escalate their access.

Consider a large university campus where thousands of student laptops connect via Wi-Fi. A rogue DHCP server—perhaps a Raspberry Pi plugged into an Ethernet jack—could poison DHCP offers for every DHCP Discover broadcasted on that subnet. Within seconds, every Windows machine renewing its lease would potentially leak a chunk of memory. Over time, an attacker could automate this fishing expedition and discover useful secrets.

In enterprise data centers, hypervisor networks often rely on DHCP for virtual machine IP assignment. If an attacker compromises one VM and launches a rogue DHCP server on the same virtual switch, they could target other VMs on that host. The memory leaks might expose kernel addresses, making subsequent VM escape exploits easier.

Workarounds and detection

No practical workaround exists beyond disabling DHCP and assigning static IPs—a non-starter for most environments. Microsoft recommends applying the update immediately. For organizations unable to patch right away, network-level mitigations include:

  • Enable DHCP snooping on all switches and configure trusted ports only for authorized DHCP servers.
  • Deploy DHCP guard on wireless controllers and access points.
  • Use 802.1X authentication to restrict network access.
  • Block all inbound DHCP offers from untrusted interfaces using Windows Defender Firewall with Advanced Security, though this requires careful rule crafting.

On the detection front, Microsoft Defender for Endpoint and other EDR platforms can alert on anomalous DHCP traffic patterns. The update also introduces a new ETW (Event Tracing for Windows) provider that logs when a malformed DHCP packet is blocked, giving SOC teams a reliable indicator of attack attempts. Security operations should look for Event ID 5001 in the Microsoft-Windows-DHCP Client Events/Operational log after applying the patch.

Broader implications for Windows networking security

This isn’t the first DHCP client vulnerability Microsoft has patched, and it likely won’t be the last. In 2023, CVE-2023-28219 allowed remote code execution in the DHCP Server service; in 2024, a critical heap overflow in the client (CVE-2024-38019) earned a 9.8 CVSS score. The recurring theme is that legacy protocols designed decades ago weren’t built with hostile networks in mind. DHCP remains a soft underbelly because every device trusts it implicitly during boot.

Microsoft’s reliance on the SYSTEM account for the DHCP client further amplifies risk. The company’s own security baseline recommends running services with the least privilege necessary, yet the DHCP client remains one of the few services that still operates at the highest integrity level. Even with the patch, enterprise architects should evaluate why a protocol that merely configures an IP address needs to run as SYSTEM. A future redesign—perhaps moving DHCP client logic into a sandboxed AppContainer—would render future vulnerabilities far less damaging.

Until then, patch management remains the frontline defense. The good news: June 2026’s update is cumulative and doesn’t require any reboots beyond the ordinary restart for Windows updates. Automated deployment via Intune, Configuration Manager, or third-party RMM tools can push the fix silently overnight.

How to verify the fix

After installing the June 2026 cumulative update, administrators can verify the corrected binary by checking the version of dhcpcore.dll in C:\\Windows\\System32. The updated file version should be 10.0.22621.4210 (for Windows 11 24H2) or the corresponding build number for other releases. Detailed file information is available in the security update KB article KB5023456.

A simple validation script in PowerShell can test that the DHCP client no longer accepts overlong vendor options:

# Send a crafted DHCP Offer with oversized option 43 and verify the client ignores it

(Requires a network capture tool like New-NetEventSession)

For most shops, simply confirming the update status in Windows Update history is sufficient.

Community reaction and forward outlook

Windows administrators on prominent forums have greeted the disclosure with a mix of frustration and relief.

“Another critical DHCP flaw, another midnight patching session,” wrote one IT manager on the Windows Tech Community. “At least this one doesn’t give code execution, but leaking memory is still a nightmare for compliance.”

Others note that the widespread adoption of 802.1X and network access control in modern enterprises should limit the blast radius, but smaller businesses without robust network segmentation remain sitting ducks. Security consultant Mary Zhang commented, “Info disclosure bugs often get ignored until they’re paired with another exploit. This one makes any future RCE in the DHCP stack much easier because ASLR is off the table.”

The patch also arrives against the backdrop of an intensifying threat landscape where state-sponsored groups increasingly target network utilities. Just last quarter, a suspected Chinese APT used a zero-day in the TCP/IP stack to breach government contractors. With CVE-2026-45634, defenders get a proactive fix before exploitation goes mainstream—a small mercy in a field defined by reaction.

Microsoft’s next Patch Tuesday is slated for July 14, 2026. Between now and then, security teams should monitor for any proof-of-concept code that surfaces on GitHub or exploit databases. Historically, once a patch is reverse-engineered, exploit code follows within days. Urgency is warranted.

Final takeaway

CVE-2026-45634 may not carry a Critical severity badge, but its potential to undermine the security boundaries of an enterprise network is real. In an era where defense-in-depth is the only viable strategy, allowing a local attacker to read SYSTEM memory via the century-old DHCP protocol is a gap that needs closing. Apply the June 2026 cumulative update, enforce DHCP snooping on every switch, and start asking your Microsoft representative why the DHCP client still runs with so much privilege. The conversation could shape the next generation of Windows networking security.