Microsoft’s July 14, 2026 security updates patch CVE-2026-50370, a critical remote code execution (RCE) flaw in the Windows DHCP Server service that affects every supported version from Windows Server 2012 through Windows Server 2025. An attacker on the same network segment—including those reaching the server via a relay agent—can exploit the vulnerability without authentication or user interaction, potentially seizing full control of the server and disrupting essential network services.

The Concrete Fix: Builds, KBs, and What Changed

The vulnerability stems from improper input validation that leads to a heap-based buffer overflow (CWE-122/CWE-20) when the DHCP Server service processes malformed network traffic. Microsoft rate the exploitability as “more likely,” with a CVSS 3.1 score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). While attacks had not been publicly confirmed at release, the patch removes the memory-corruption vector entirely.

Administrators must install the July 2026 cumulative security update to reach the corrected build for their server:

  • Windows Server 2025: KB5099536, build 26100.33158
  • Windows Server 2022: KB5099540, build 20348.5386
  • Windows Server 2019: build 17763.9020
  • Windows Server 2016: KB5099535, build 14393.9339
  • Windows Server 2012 R2: build 6.3.9600.23291
  • Windows Server 2012: build 6.2.9200.26226

Windows 10 Version 1607 and 1809 share servicing components with their server counterparts, so those client SKUs also receive the fix, though the operational risk centers on systems actually running the DHCP Server role. Server Core installations are equally vulnerable and require the same patch. Microsoft’s Security Update Guide confirms that a restart is necessary for the corrected binaries to take effect.

What This Means for Your Network

If you operate any Windows DHCP server—physical, virtual, or in failover clusters—this vulnerability represents an immediate priority. Although the attack vector is “adjacent” rather than internet-wide, DHCP relay agents routinely forward client traffic from guest Wi-Fi, contractor VLANs, VPN subnets, and development labs directly to your core DHCP service. An attacker who compromises a single workstation or wireless device on a forwarded network can craft malicious packets that reach the server over UDP port 67.

The exposure is broader than it first appears. Microsoft’s documentation and Tenable’s analysis both emphasize that DHCP is foundational: before clients obtain IP addresses, DNS servers, or gateway routes, they rely on this service. A successful exploit grants the attacker SYSTEM-level code execution, enabling them to intercept or redirect traffic, deploy ransomware, or pivot deeper into the network. The “adjacent” label simply means the attacker must be on a segment that can route DHCP traffic to the server—a condition met by countless real-world enterprise architectures.

Home users and small offices that do not intentionally run Windows DHCP Server are rarely affected. However, any device set up as a DHCP server (for example, on Windows Server Essentials or a lab machine) must be patched. The more pressing concern lies with IT teams managing dozens or hundreds of DHCP servers across multiple sites. In those environments, a single unpatched server creates a breach point that can destabilize entire subnets.

How We Got Here: A Large Patch Tuesday with a Critical Core Component

The July 2026 Patch Tuesday release was unusually voluminous, according to Tenable, which flagged CVE-2026-50370 among numerous DHCP Server and DHCP Client vulnerabilities. Microsoft’s own advisory marks the bug as “confirmed”—a technical designation meaning the vendor has verified the flaw’s existence and credibility, not that exploitation has been witnessed. Combined with the “more likely” exploit rating, this signals that public proof-of-concept code is a realistic near-term risk.

DHCP services have been a target before. Historical Windows DHCP flaws like CVE-2019-0725 and CVE-2018-8492 also allowed RCE through improper handling of network input. The persistence of input-validation weaknesses in such a widely deployed role underscores the difficulty of hardening broadcast-oriented protocols. Microsoft’s attempt to address both the parsing logic (CWE-20) and the underlying memory management (CWE-122) in one update suggests this patch required deeper engineering than a typical monthly rollup.

CISA initially recorded no known exploitation and classified the vulnerability as not readily automatable, while acknowledging total technical impact. Their assessment can—and often does—change as researchers reverse-engineer the patch and develop reliable attack chains. The window for proactive containment is now.

What to Do Now: Patch, Verify, and Audit DHCP Reachability

1. Install the July 2026 security update immediately.
Deploy the appropriate cumulative update to every Windows server with the DHCP role enabled. Use Windows Update, WSUS, Azure Update Manager, or your patch management platform. Do not wait for a regular maintenance window; the risk of an in-the-wild exploit appearing justifies an emergency change process.

2. Confirm the build number, not just the update status.
In Server Manager or via PowerShell (winver or [System.Environment]::OSVersion.Version), verify that each server meets the exact build threshold listed above. Servers behind on servicing stack updates or in a rebooting-pending state may show “installed” but still run the vulnerable binary until a restart completes.

3. Handle DHCP failover pairs with care.
Patch one partner, restart it, and confirm lease synchronization before updating the second node. Modern DHCP failover relationships can survive a brief outage on one member, but address distribution for phones, wireless APs, and IoT devices must not be interrupted.

4. Map and restrict every relay path.
Audit all routers, layer-3 switches, and firewalls that forward DHCP requests (via IP helper addresses or DHCP relay agents) to your Windows servers. Create an inventory of source VLANs—including guest, contractor, industrial, and development segments. Where possible, segment these networks or apply DHCP snooping and switch-port security to limit which endpoints can originate DHCP traffic. This reduces the attack surface even before patching, though it is only a supplemental measure; the vulnerability lives in the Windows service itself.

5. Monitor for unusual DHCP activity.
Enable DHCP audit logging on your servers and review logs for unexpected DISCOVER or REQUEST floods, malformed option fields, or traffic from unknown relay agents. While signature-based detection of CVE-2026-50370 is unlikely without public exploit code, anomalous DHCP patterns can signal reconnaissance.

The Road Ahead: What to Watch

All eyes now turn to the research community. With a patch released and “more likely” exploitation, reverse engineering of the updated binary will likely produce a working exploit within weeks. Security firms and CISA will update their advisories if active attacks materialize. The immediate milestone is simple: every DHCP server must be on the corrected build before that analysis becomes an executable tool.

Microsoft’s next Patch Tuesday may include additional hardening if post-release testing reveals related weaknesses. Meanwhile, DHCP remains an attractive target—as a service that runs with high privilege, listens on a well-known port, and processes unsolicited input, it will continue to draw scrutiny. The lesson of CVE-2026-50370 is that adjacent-network attacks deserve the same urgency as internet-facing ones when the service is this critical. Patch now, audit your relay topology, and treat DHCP for what it is: the first link in every connected device’s chain of trust.