Microsoft has released patches to close a high-severity vulnerability in Windows DHCP Server that could let an attacker with adjacent network access escalate privileges and take over the system. Tracked as CVE-2026-50683 and rated with a CVSS score of 8.0, the flaw was fixed in the July 14, 2026 security update and affects nearly every supported Windows Server release.

What the vulnerability actually does

CVE-2026-50683 is a heap-based buffer overflow in the Windows DHCP Server service. According to Microsoft’s advisory, an authorized attacker who has achieved adjacent network access can exploit the flaw with low complexity, without any user interaction, to elevate privileges. The impact spans full confidentiality, integrity, and availability loss—meaning a successful exploit could hand an attacker complete control of the server.

The National Vulnerability Database (NVD) classifies it under CWE-122 (heap-based buffer overflow) and lists the vulnerable component as Windows DHCP Server. Despite some initial confusion among security products that labeled it a client issue, Microsoft’s CVE record is unambiguous: the problem lies in the server, not the client. The distinction matters because DHCP clients and servers have vastly different risk profiles. A compromised DHCP server can be used to further pivot across a network, manipulate address assignments, or intercept traffic.

Which systems are affected — and which aren’t

The affected list is long and includes every mainstream Windows Server SKU from the past decade and more:

  • Windows Server 2012 (including Server Core)
  • Windows Server 2012 R2 (including Server Core)
  • Windows Server 2016 (including Server Core)
  • Windows Server 2019 (including Server Core)
  • Windows Server 2022 (including Server Core)
  • Windows Server 2025 (including Server Core)
  • Windows 10 version 1607 and version 1809 (only in specific long‑term servicing or specialized configurations)

Windows 11 client editions are not listed, which aligns with Microsoft’s designation that this is a server‑side bug. If you are running a stock Windows 11 desktop, you are not directly affected—unless you have enabled the DHCP Server role on that machine, an extremely rare home‑user scenario.

The table below shows the minimum build numbers that include the fix. Your system must meet or exceed these after installing the July 2026 update:

Windows Release Required Minimum Build
Server 2012 6.2.9200.26226
Server 2012 R2 6.3.9600.23291
Server 2016 / Win10 1607 10.0.14393.9339
Server 2019 / Win10 1809 10.0.17763.9020
Server 2022 10.0.20348.5386
Server 2025 10.0.26100.33158

Note: Windows Server 2012 and 2012 R2 require Extended Security Updates (ESU) to receive this fix. Organizations still running these versions without ESU are no longer supported and face a lifecycle gap in addition to this CVE.

The attacker’s position: why “adjacent network” still matters

The CVSS vector is AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker must be on the same logical network segment as the DHCP server—they cannot launch this attack from across the open internet. The attack complexity is low, meaning it does not rely on a special race condition or exotic configuration. The attacker needs some existing authorization (low privilege), but once positioned, no user interaction is required, and no suspicious prompt will appear.

“Adjacent network” might sound like a high bar, but in typical enterprise environments it is frighteningly attainable. Consider these real-world paths:

  • A compromised employee workstation on the same VLAN as the server
  • An unmanaged IoT device or contractor laptop plugged into a campus port
  • A guest Wi‑Fi network with loose segmentation that can reach the management VLAN
  • A hostile virtual machine inside an internal cloud or lab environment

For many organizations, the segment that contains DHCP servers also hosts other critical infrastructure. The low complexity coupled with the lack of any user interaction makes this flaw especially dangerous once an initial foothold is gained. Microsoft rates the confidentiality, integrity, and availability impact as “high” in all three areas, stressing that exploitation could result in full system compromise.

How to check if you’re patched

The only reliable way to confirm protection is to verify the OS build number. Simply relying on Windows Update’s “up to date” indicator is not enough: a pending reboot, installation failure, or update deferral can leave you vulnerable even after a scan reports success.

For admins managing DHCP servers, follow these steps:

  1. Identify every Windows DHCP server — don’t trust only the “DHCP Server” role in your inventory. Check branch appliances, failover partners, test labs, and retired machines that may still be online.
  2. Apply the July 14, 2026 security update for your specific version.
  3. Restart the system if not automatically performed.
  4. Check the build number using winver or PowerShell:
    Get-ComputerInfo -Property OsVersion, OsBuildNumber
  5. Compare against the minimum build in the table above. If the build is lower, repeat the update process and investigate failures.
  6. Verify DHCP service health post‑reboot, especially in failover pairs.

For failover clusters, patch one node at a time to maintain address availability. Ensure each node reaches the corrected build before moving to the next.

Why this patch shouldn’t wait

As of July 15, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had not seen active exploitation, but its assessment of “none” is based on data available at the time the CVE was processed. The technical impact was pegged as “total.” History shows that once a Microsoft security update is released, reverse‑engineering of the patch becomes trivial for skilled attackers. A public proof‑of‑concept or weaponized exploit often follows within days or weeks.

Microsoft rated the attack complexity as low. That signals the company does not expect exploit development to require rare conditions or deep research. Combine that with the wide deployment of DHCP services in virtually every Active Directory environment, and the window between patch availability and potential exploitation is narrow.

Temporary workarounds can reduce risk while you test and deploy the patch:

  • Restrict network access to DHCP server interfaces, allowing only trusted management subnets.
  • Enforce strict VLAN segmentation to isolate server VLANs from guest and untrusted segments.
  • Enable DHCP audit logging and monitor for unexpected traffic patterns.

None of these replace the update. They buy time until you can reboot.

What comes next

Microsoft is the CVE Numbering Authority for this flaw, so the existence and severity are confirmed. Yet, technical details remain sparse. The advisory identifies a heap‑based buffer overflow but does not document the malformed packet, trigger, or exploitation method. That limits immediate attacker knowledge, but historically researchers quickly fill in the blanks by binary diffing. Administrators should assume that details will come to light.

Watch for an updated CISA advisory if active exploitation emerges. Microsoft may also re‑rate the severity or release an out‑of‑band update should the threat escalate. For now, the priority is clear: apply the July 2026 security update to every Windows DHCP server, verify the build number, and tighten network controls around those servers. The relative ease of exploitation and the criticality of the service make this patch one of the most urgent in the July release cycle.