Microsoft released its July 2026 security updates on Tuesday, and among them is a fix for a critical remote-code-execution vulnerability in the Windows DHCP Server service. Rated 9.8 out of 10 on the CVSS scale, CVE-2026-56159 can be exploited by an unauthenticated attacker over the network, with no user interaction required. Every server running the DHCP role, from Windows Server 2012 to 2025, needs the patch immediately.

The Vulnerability: A Heap Overflow Waiting to Be Exploited

The flaw is a heap-based buffer overflow, classified as CWE-122. That means the DHCP service can be tricked into writing more data than a heap memory buffer can hold, corrupting adjacent memory and potentially allowing an attacker to redirect execution flow and run their own code. Microsoft’s advisory describes the attack vector as network-based, with low attack complexity and no requirement for privileges or user interaction. In short, a remote attacker who can send a specially crafted packet to a DHCP server can take it over.

Technical specifics are deliberately sparse. The public advisory does not disclose which DHCP message, option, or malformed input triggers the vulnerability. That’s standard practice: it buys time for organizations to patch before researchers or criminals reverse-engineer the fix and develop exploits. But the sheer severity means every hour counts.

Affected Versions and Builds

The July 2026 cumulative updates address the vulnerability in every supported Windows Server release, including Server Core installations. The following table shows the fixed build numbers. Any server below these build levels remains vulnerable.

Version Fixed Build
Windows Server 2012 6.2.9200.26226
Windows Server 2012 R2 6.3.9600.23291
Windows Server 2016 10.0.14393.9339
Windows Server 2019 10.0.17763.9020
Windows Server 2022 10.0.20348.5386
Windows Server 2025 10.0.26100.33158

Two Windows 10 editions—version 1607 and 1809—also received fixes because they share a servicing base with Server 2016 and 2019, respectively. But in practice, only systems actually running the DHCP Server service are at risk, and that service is almost never active on client SKUs.

Windows Server 2012 and 2012 R2 require special attention. Mainstream support ended in October 2023. To receive the July 2026 security update, you must have an active Extended Security Updates (ESU) license. An unpatched legacy DHCP server lingering in a branch office or DR site can still provide an entry point, even if your primary servers are up to date.

The DHCP Server: A Prime Target

DHCP servers sit at the heart of network operations. They assign IP addresses, distribute subnet masks, gateways, DNS servers, and sometimes domain-specific configuration to every device that joins the network. In many Windows environments, the DHCP service also integrates with Active Directory and DNS dynamic updates. A compromise on this server is not just a single machine takeover; it is a potential launching pad for credential theft, network eavesdropping, DNS poisoning, and lateral movement.

The attack vector is not exclusively external. Most enterprise DHCP servers are not exposed to the public internet. They reside on internal network segments and receive requests forwarded by routers or DHCP relays. However, the vulnerable service accepts traffic from any system that can reach its network port. A compromised endpoint, an infected guest device, an unmanaged IoT gadget, or a malicious insider on the same subnet could send the specially crafted packet. DHCP relay configurations can extend this exposure across subnet boundaries, effectively widening the attack surface.

Your Action Plan: Patch, Verify, Segregate

Patching is mandatory, but you must do it without breaking essential network services. Here is how to proceed.

Step 1: Inventory every DHCP server. Don’t rely on architecture diagrams alone. Check Server Manager, the DHCPServer service in PowerShell (Get-Service DHCPServer), and Windows Feature lists. Look for forgotten DHCP instances on lab machines, disaster-recovery replicas, and decommissioned hardware that someone forgot to turn off.

Step 2: Prioritize. All DHCP servers are critical, but start with those that serve large numbers of users or sit in sensitive network zones. Servers directly reachable from guest or BYOD VLANs deserve immediate attention.

Step 3: Apply the July 2026 cumulative update. If you use DHCP failover (two servers sharing responsibility for the same scopes), patch one partner at a time. After rebooting, verify that the patched server is distributing leases correctly—check the failover state, scope health, lease activity, and event logs—before patching its partner.

For split-scope deployments, follow the same staggered approach. In clustered or virtualized environments, ensure that live migration or failover policies don’t inadvertently move workloads back to an unpatched node.

Step 4: Verify the fix. Use winver, systeminfo, or PowerShell to confirm that the OS build matches the fixed numbers above. Configuration-management tools should validate the actual installed build, not just that an update installation command completed.

Step 5: Reduce exposure where immediate patching isn’t possible. If a server must remain unpatched for a short period due to change-freeze or compatibility testing, tighten network access controls. Restrict DHCP and relay traffic to only trusted client subnets and authorized relay IP addresses. Disable the DHCP Server service on systems that don’t need it. These are stopgap measures; they don’t eliminate the vulnerability.

Step 6: Monitor. Because exploit details aren’t public yet, you can’t rely on a single packet signature. Instead, watch for unusual DHCP server crashes, unexpected service restarts, suspicious child processes spawning from the DHCP service, and anomalous inbound traffic patterns.

What We Know About Real-World Risk

As of July 15, 2026, there is no evidence of active exploitation in the wild. CISA’s initial assessment marked observed exploitation as “none.” That is good news, but it should not lull anyone into inaction. The vulnerability is confirmed, it’s automatable, and the released patches give both defenders and attackers a clear before-and-after comparison. Patch-diffing can quickly reveal the code change and help craft working exploits. The first days after a Patch Tuesday are the most dangerous for unpatched systems.

History shows that DHCP flaws attract attention. In 2019, CVE-2019-0726—also a DHCP server remote code execution—prompted rapid exploitation after details surfaced. The current vulnerability is even more dangerous because it carries a network attack vector with no authentication, rather than requiring adjacent network access.

Looking Ahead

Given the 9.8 score and the DHCP role’s privileged position, security researchers will likely release proof-of-concept code soon. CISA may add CVE-2026-56159 to its Known Exploited Vulnerabilities catalog, triggering mandatory patching deadlines for U.S. federal agencies. That, in turn, often accelerates enterprise adoption.

In the longer term, treat this as a reminder to scrutinize your DHCP architecture. Limit relay boundaries, segment management networks, and enforce strict access controls on protocols like DHCP that were designed decades ago with little security in mind.

For now, the most important step is clear: patch every Windows DHCP server you manage. There’s no configuration workaround, and no amount of network filtering can guarantee protection against a heap overflow inside a core service. The July 2026 updates are the only reliable fix.