Microsoft’s July 14, 2026 security update patches a critical remote code execution flaw in Windows DHCP Server that could let attackers with low privileges hijack entire networks. CVE-2026-48564 carries an 8.8 CVSS score and affects every supported Windows Server version from 2012 to 2025. While exploitation is currently considered less likely, administrators can’t afford to wait — this update also closes two even more dangerous unauthenticated DHCP flaws with 9.8 ratings.
What Microsoft Fixed in the July 14 Update
The vulnerability, identified as CVE-2026-48564, is a heap-based buffer overflow (CWE-122) in the Windows DHCP Server service. Microsoft confirmed the flaw on July 14 and stated that an attacker who successfully exploited it could achieve remote code execution on the target server. The attack requires low-level privileges, which tempers the severity slightly, but the impact on confidentiality, integrity, and availability remains high.
According to Microsoft’s advisory, the CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That means an attacker can reach the vulnerable component over a network, the attack is of low complexity, no user interaction is needed, and only low privileges are required. The scope is unchanged, so the attacker’s access is contained to the vulnerable component’s security context, but that component is a DHCP server — a cornerstone of network infrastructure.
Microsoft released security updates for Windows Server 2012 through Windows Server 2025, including both Desktop Experience and Server Core installations. The corrected builds are:
- Windows Server 2012: 6.2.9200.26132 or later
- Windows Server 2012 R2: 6.3.9600.23228 or later
- Windows Server 2016: 10.0.14393.9339 or later
- Windows Server 2019: 10.0.17763.9020 or later
- Windows Server 2022: 10.0.20348.5386 or later
- Windows Server 2025: 10.0.26100.33158 or later
Windows 10 versions 1607 and 1809 are also listed as affected because they share servicing branches with Server 2016 and Server 2019 respectively, but the risk is limited to those systems that have the DHCP Server role installed.
The National Vulnerability Database is currently enriching its entry for CVE-2026-48564, having received the record directly from Microsoft. No public proof-of-concept code exists, and the Zero Day Initiative reported no known public disclosure or active exploitation as of the July release.
Why a Low-Privilege DHCP Flaw Still Demands Urgent Action
The "exploitation less likely" label that Microsoft attached to this CVE is an engineering assessment, not a promise. A low-privilege requirement raises the bar compared to an unauthenticated drive-by attack, but it does not neutralize the threat. An attacker who has already compromised a low-level domain account, a management workstation, or a rogue device on the network could potentially weaponize CVE-2026-48564 to escalate from a foothold to full control of a DHCP server.
DHCP servers are uniquely positioned for lateral movement. They assign IP addresses, default gateways, DNS servers, and other configuration to every endpoint on a subnet. If an attacker can run code on a DHCP server, they could manipulate leases, insert malicious DNS entries, redirect traffic, or simply knock the service offline — a denial-of-service attack with far-reaching consequences.
Microsoft assigns high ratings to all three CIA triad dimensions for this CVE. Successful exploitation could expose data accessible to the DHCP service, allow unauthorized changes to configurations, and disrupt operations entirely. Even if the technical details remain undisclosed for now, memory corruption flaws in network-exposed services have a history of evolving into practical exploits once researchers begin diffing patches.
The Bigger Picture: A Cluster of DHCP Vulnerabilities in July 2026
CVE-2026-48564 did not ship in isolation. Microsoft’s July 2026 Patch Tuesday included nine DHCP-related vulnerabilities, five of them rated critical. Among them are two additional DHCP Server remote code execution flaws — CVE-2026-50518 and CVE-2026-56159 — that scored 9.8 because they require no authentication at all. Another critical RCE, CVE-2026-50370, also scored 8.8. The remaining fixes address DHCP client privilege escalation and server denial-of-service issues.
This clustering changes the risk calculus. An administrator who focuses solely on CVE-2026-48564 might deprioritize the July update because of the privilege requirement, but that would leave two unauthenticated, network-exploitable RCEs unaddressed. The same patch rollup that fixes CVE-2026-48564 also closes those more dangerous gaps.
How We Got Here: DHCP’s Critical Role and Persistent Risk
DHCP is one of the oldest and most fundamental networking protocols, responsible for dynamically assigning IP configuration to devices when they connect. Windows has included a DHCP Server role since the early NT days, and it is deeply integrated into Active Directory and network policy enforcement. Because it must operate as a trusted service, it typically runs with elevated system privileges and is exposed, at least indirectly, to every client on the network.
Despite its importance, DHCP has not been a frequent target of major RCE vulnerabilities in recent years — the last wave of critical DHCP flaws was patched in 2019. Microsoft’s 2026 advisories suggest a renewed research focus on this attack surface. The concentration of so many critical DHCP vulnerabilities in a single Patch Tuesday hints at coordinated internal auditing or external researcher engagement.
For environments still running Windows Server 2012 or 2012 R2, the risk is compounded by their extended support status. Those servers will only receive security updates if the organization has a valid Extended Security Updates (ESU) subscription. An unpatched, internet-facing DHCP server from the pre-2016 era is a particularly attractive target, even without a public exploit.
What to Do Now: Prioritize, Patch, and Harden
The immediate step is straightforward: identify every Windows machine running the DHCP Server role and verify that it has the July 2026 security update installed. That includes physical servers, virtual machines, and even Windows 10/11 workstations that might have the role enabled for lab or temporary purposes.
For update deployment, group your servers into priority waves:
- Critical: Public-facing DHCP servers, domain controllers co-hosting DHCP, and servers in DMZ or untrusted segments.
- High: All remaining production DHCP servers, including failover partners.
- Moderate: Non-production DHCP servers and any system where the role is installed but not actively used.
After applying the update, restart the DHCP Server service and conduct a quick validation:
- Confirm that clients can obtain new leases and renew existing ones.
- Spot-check scope options, reservations, and address pool consistency.
- If using DHCP failover, verify replication and partner health in the DHCP management console.
- For Active Directory–authorized DHCP servers, ensure the server remains authorized and registered.
Beyond patching, reinforce your network’s defenses with these measures:
- Segment DHCP traffic: Restrict DHCP broadcast and relay traffic to only authorized network segments. Block DHCP traffic from unrestricted VLANs or guest networks.
- Lock down server management: Use dedicated management interfaces, jump hosts, or Privileged Access Workstations (PAWs). Disable remote RDP or WinRM access from untrusted subnets.
- Monitor for anomalies: While no specific indicators of compromise (IOCs) exist for CVE-2026-48564, review DHCP server event logs for unexpected service crashes, unauthorized configuration changes, or failed lease requests from unknown MAC addresses.
- Audit privileges: Ensure that only minimal, necessary accounts have the rights to manage DHCP or log into DHCP servers. Remove any stale or overprivileged service accounts.
If you cannot patch immediately, consider temporarily disabling the DHCP Server service on non-essential hosts and relying on alternate DHCP services until the update can be applied — but weigh the operational impact carefully.
What to Expect Next
Microsoft’s “exploitation less likely” rating will likely hold for a short while, but history shows that patch diffing accelerates the disclosure curve. Security researchers, threat intelligence firms, and possibly malicious actors will soon compare the updated binaries to find the buffer overflow and determine how to trigger it. A working proof-of-concept could appear within weeks.
At that point, the risk profile of CVE-2026-48564 will escalate even if Microsoft’s original analysis doesn’t change. Organizations that deferred the update will face a higher likelihood of active scanning and intrusion attempts, particularly if a public exploit lands in frameworks like Metasploit or Cobalt Strike.
For now, the safest path is clear: treat the July 2026 security update as a high-priority rollout and ensure that every DHCP server in your inventory reaches a corrected build before the next monthly cycle. The low-privilege requirement may buy you a little time, but a zero-day exploit chain that pairs a credential-stealing technique with CVE-2026-48564 could appear faster than any change-control process.