MEDIUM 6.8

CVE-2026-45608: Windows DHCP Client Out-of-Bounds Read – Local Information Disclosure

A flaw in Windows DHCP Client allows a local attacker to read sensitive memory content without authentication. The vulnerability exists because the DHCP client fails to validate buffer boundaries before reading network configuration data, exposing information like cached credentials or system details to an attacker with local access. No user interaction is required, and the attacker does not need special privileges—standard user permissions are sufficient.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.8 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
20 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Out-of-bounds read in Windows DHCP Client allows an unauthorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45608 is an out-of-bounds read vulnerability (CWE-125) in the Windows DHCP Client service. The flaw permits local, unauthenticated access to memory regions beyond allocated buffer limits. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) reflects local attack surface, no complexity, zero privilege requirements, and impacts both confidentiality (partial information disclosure) and availability (potential denial of service through memory corruption). The vulnerability does not enable modification of system state or escalation to higher privilege levels.

Business impact

Organizations running affected Windows versions face localized data exposure risk where any user with local system access—including low-privileged accounts, service accounts, or compromised user sessions—can extract sensitive information cached or processed by the DHCP client. In environments with shared systems, terminal services, or containers, this creates a pathway for inter-user or inter-tenant data leakage. While the vulnerability requires local presence, it undermines confidentiality assumptions in multi-user or isolation-dependent environments. Availability impact is possible if memory corruption triggers crashes in the DHCP service, affecting network reconfiguration.

Affected systems

The vulnerability affects multiple Windows releases: Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012, 2016, 2019, 2022, 2025). Both client and server SKUs are impacted, meaning domain members, workstations, and server infrastructure all require attention. Verify your specific build numbers against Microsoft's official advisory, as patch availability and timing vary by release channel and support lifecycle.

Exploitability

Exploitation requires local system access but no elevated privileges or authentication. An attacker must execute code or trigger the vulnerable code path as any local user. The attack is deterministic—no user interaction, no race conditions, and low operational complexity make this practically exploitable in any local compromise scenario. However, the vulnerability does not provide remote code execution or privilege escalation; it is a stepping stone in a multi-stage attack chain (e.g., local user gathering cached credentials to pivot laterally). Notably, this vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild has not been documented at scale, though exploitation is trivial once local access is obtained.

Remediation

Microsoft has released security updates addressing this flaw. Obtain the latest cumulative update or security-only patch for your Windows version from the Microsoft Update Catalog or Windows Update. Testing patches before broad deployment is essential, particularly for server environments; many organizations batch DHCP-related changes to minimize service disruption. Prioritize systems with high local user density (shared workstations, RDS hosts, container platforms) or those storing sensitive data locally.

Patch guidance

Consult the official Microsoft Security Updates page and the vulnerability advisory linked from CVE-2026-45608 to identify the correct patch version for your Windows build. Apply patches through your standard update mechanism (Windows Update, WSUS, or manual deployment). Stagger deployment across environments to test compatibility with DHCP-dependent services and applications. For Server editions, coordinate patching with change control and validate DHCP service functionality post-deployment. No workarounds are documented; patching is the primary mitigation.

Detection guidance

Monitor DHCP Client service crashes, restarts, or error logs (Event Viewer > System and Application logs) for abnormal behavior. Implement behavioral monitoring on local process execution—specifically, look for unusual calls to DHCP-related APIs or memory read operations from low-privileged contexts. Endpoint Detection and Response (EDR) tools can flag suspicious memory reads or service manipulation attempts. Network segmentation and user access controls limit the attack surface by restricting local login permissions to trusted accounts only. Audit privileged account usage and monitor for credential theft or unusual lateral movement post-compromise.

Why prioritize this

Despite a MEDIUM CVSS score, this vulnerability merits prompt remediation because it requires only local access (increasingly common in hybrid and cloud environments), affects multiple widely-deployed Windows versions spanning client and server platforms, and enables reliable information disclosure. In multi-user or containerized environments, it is a direct confidentiality risk. Organizations should patch within 30 days, prioritizing high-risk systems (servers, shared workstations, RDS infrastructure) before general rollout. The absence of KEV listing does not diminish urgency; it reflects a lag in public exploit detection, not a measure of severity.

Risk score, explained

The CVSS 3.1 score of 6.8 (MEDIUM) captures a local-only attack surface with no privilege barrier, balanced against partial confidentiality loss and no integrity impact. The high availability score component reflects potential denial of service through memory corruption. In isolation, MEDIUM may seem low, but contextual factors elevate actual organizational risk: (1) pervasive deployment across Windows 10/11 and Server versions; (2) low exploitation barrier in environments with multiple local users or compromised accounts; (3) information disclosure that can facilitate further attacks (lateral movement, credential theft). Your actual risk depends on system role, user density, and the sensitivity of data cached by DHCP.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access. It cannot be exploited over the network. However, if an attacker has already compromised a user account or obtained local shell access through another means, this flaw becomes immediately exploitable without additional privileges.

Will patching the DHCP client disrupt network connectivity?

Patching should not disrupt connectivity if deployed correctly. Microsoft's updates are designed to be backward-compatible. However, it is best practice to test patches in a non-production environment and deploy during a maintenance window, especially for critical servers. Monitor DHCP service status post-patch to ensure normal operation.

Does this affect cloud-hosted or virtualized Windows instances?

Yes. If your cloud or virtual infrastructure runs affected Windows versions, and if local user access is permitted (including service accounts or container escape scenarios), the vulnerability applies. Public cloud instances without local user access have reduced but non-zero risk if other services or container mechanisms allow local code execution.

What is the relationship between this CVE and DHCP spoofing or rogue DHCP servers?

None. This CVE is not about network-level DHCP attacks; it is a memory corruption issue on the client side. It does not enable spoofing or Man-in-the-Middle attacks. However, a successful exploit could disclose information that aids in other attacks, such as capturing cached authentication tokens.

This analysis is based on publicly available information current as of the publish and modification dates listed in the vulnerability record. Patch version numbers, timelines, and detailed technical indicators should be verified against the official Microsoft Security Update page and vendor advisories. SEC.co does not provide legal, compliance, or risk management advice. Organizations must conduct their own threat modeling, asset inventory, and patch testing aligned with their risk tolerance and operational requirements. No exploit code or weaponized proof-of-concept guidance is provided herein. This document does not constitute endorsement of any product or service. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).