SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-50518 2026-07-14

CVE-2026-50518: Critical Unauthenticated RCE in Windows DHCP Server

"A heap-based buffer overflow in Windows DHCP Server (CVSS 9.8) lets an unauthenticated attacker execute code remotely over the network across a broad range of supported Windows Server and client releases."

A heap-based buffer overflow in Windows DHCP Server (CVSS 9.8) lets an unauthenticated attacker execute code remotely over the network across a broad range of supported Windows Server and client releases.

What Is It

CVE-2026-50518 is a heap-based buffer overflow (CWE-122) in Windows DHCP Server. Per Microsoft's advisory, the flaw "allows an unauthorized attacker to execute code over a network." It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning network-reachable, low attack complexity, no privileges, and no user interaction required, with high impact to confidentiality, integrity, and availability. The CVE was published on 2026-07-14 and is currently in "Awaiting Analysis" status at NVD.

Why It Matters

The combination of no authentication, no user interaction, and network-based code execution makes this a top-priority patching target. DHCP servers are core infrastructure typically deployed on domain controllers or dedicated Windows Servers, so successful exploitation could hand an attacker code execution on high-value systems. The supplied source material contains no CISA KEV entry, so there is no confirmation of active exploitation at this time.

What's Vulnerable

The affected products (all x64-based unless noted) include:

Each product is affected below the specific fixed build listed in the NVD record (for example, Server 2025 below build 10.0.26100.33158 and Server 2016 below 10.0.14393.9339).

Patch Status

Microsoft has published fixed builds for each affected product via the MSRC update guide. Administrators should update DHCP servers to at or above the fixed build for their respective Windows version. No CISA KEV due-date or required-action directive is present in the supplied source material.

Sources