A heap-based buffer overflow in Windows DHCP Server (CVSS 9.8) lets an unauthenticated attacker execute code remotely over the network across a broad range of supported Windows Server and client releases.
What Is It
CVE-2026-50518 is a heap-based buffer overflow (CWE-122) in Windows DHCP Server. Per Microsoft's advisory, the flaw "allows an unauthorized attacker to execute code over a network." It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning network-reachable, low attack complexity, no privileges, and no user interaction required, with high impact to confidentiality, integrity, and availability. The CVE was published on 2026-07-14 and is currently in "Awaiting Analysis" status at NVD.
Why It Matters
The combination of no authentication, no user interaction, and network-based code execution makes this a top-priority patching target. DHCP servers are core infrastructure typically deployed on domain controllers or dedicated Windows Servers, so successful exploitation could hand an attacker code execution on high-value systems. The supplied source material contains no CISA KEV entry, so there is no confirmation of active exploitation at this time.
What's Vulnerable
The affected products (all x64-based unless noted) include:
- Windows 10 Version 1607 and 1809 (32-bit and x64)
- Windows Server 2012 and 2012 R2, including Server Core installations
- Windows Server 2016, 2019, 2022, and 2025, including Server Core installations for 2016, 2019, and 2025
Each product is affected below the specific fixed build listed in the NVD record (for example, Server 2025 below build 10.0.26100.33158 and Server 2016 below 10.0.14393.9339).
Patch Status
Microsoft has published fixed builds for each affected product via the MSRC update guide. Administrators should update DHCP servers to at or above the fixed build for their respective Windows version. No CISA KEV due-date or required-action directive is present in the supplied source material.
Sources
- Microsoft MSRC, CVE-2026-50518: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50518
- NVD, CVE-2026-50518: https://nvd.nist.gov/vuln/detail/CVE-2026-50518