MEDIUM 5.5

CVE-2026-45634: Windows DHCP Server Out-of-Bounds Read Information Disclosure Vulnerability

CVE-2026-45634 is a memory reading flaw in Windows DHCP Server that allows a logged-in attacker to extract sensitive information from the system. An attacker with local access and standard user privileges can exploit an out-of-bounds read condition to leak data in memory, potentially exposing credentials, encryption keys, or other confidential information. This is not a remote vulnerability and does not enable code execution, but it can compromise the confidentiality of data stored on affected systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
20 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Out-of-bounds read in Windows DHCP Server allows an authorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

An out-of-bounds read vulnerability exists in the Windows DHCP Server implementation (CWE-125). The flaw permits an authenticated local user with low privileges to read memory outside intended buffer boundaries, bypassing access controls on sensitive data. The vulnerability requires local access and valid credentials but does not require user interaction. The CVSS 3.1 score of 5.5 (MEDIUM severity) reflects a high confidentiality impact with no integrity or availability impact, restricted to local attack surface.

Business impact

Data disclosure through this vulnerability could expose sensitive system information stored in DHCP server memory. Organizations running DHCP services should assess whether internal user accounts have sufficient isolation controls. The impact depends on what credentials or secrets may be held in memory at exploitation time. While not an immediate operational risk, the confidentiality breach potential warrants prioritization in environments handling sensitive network configurations or where local account compromise is a credible threat model.

Affected systems

The vulnerability affects a broad range of Windows deployments: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Any organization running DHCP Server roles on these operating systems should be considered in scope. Server editions are of higher concern given their centrality to network infrastructure.

Exploitability

Exploitation requires local system access and valid credentials (low privilege sufficient). No remote exploitation path exists, and no known public exploits or active in-the-wild campaigns are currently tracked. The attack is deterministic once access is obtained—no user interaction is needed. The barrier to exploitation is primarily physical or logical access control; security posture around local user account management and workstation hardening directly affects risk.

Remediation

Microsoft security updates addressing this vulnerability should be applied as soon as they become available. Verify patch availability through the Microsoft Security Update Guide or your organization's patch management system. Prioritize Windows Server systems running DHCP roles, followed by client editions in high-value networks. Until patching, restrict local logon privileges on affected systems and enforce strong authentication controls for administrative access.

Patch guidance

Apply Windows updates released by Microsoft that address CVE-2026-45634. Verify the specific KB article and update version number via the official Microsoft Security Response Center advisory or your vendor documentation, as patch versions vary by Windows edition. Establish a phased rollout prioritizing DHCP servers, then sensitive workstations. Test patches in a non-production environment first to ensure compatibility with existing network configurations.

Detection guidance

Monitor local process execution for unusual DHCP Server process behavior or abnormal memory access patterns. Endpoint detection and response (EDR) tools should flag processes attempting to read DHCP service memory. Log successful and failed local logon events, particularly to privileged accounts. Network monitoring should correlate unusual DHCP server activity with user login events to identify potential reconnaissance or lateral movement.

Why prioritize this

Despite a MEDIUM CVSS score, prioritize patching within 30 days. The vulnerability is not currently exploited in the wild and does not enable remote attack or code execution, reducing immediate threat. However, the broad affected platform footprint and the sensitive role of DHCP servers in network infrastructure justify timely remediation. Organizations with strong local access controls and segmentation can defer urgency but should not skip patching.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects the balance between high confidentiality impact (C:H) and the requirement for local authenticated access (AV:L, PR:L). No impact to integrity or availability limits the ceiling. The lack of current exploitation activity and absence of remote attack vectors prevent a higher severity rating, but the broad Windows footprint and potential for sensitive data exposure keep this above LOW severity.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local (AV:L), requiring the attacker to have physical or logical access to the system and valid user credentials. Remote exploitation is not possible.

Do we need to patch Windows 10 home editions?

Only Windows 10 editions with DHCP Server role enabled are at risk. Home and Pro editions without active DHCP services are not vulnerable. However, if DHCP Server is installed, patching is advised to prevent misuse by internal users or during system transitions.

What should we do if we cannot patch immediately?

Enforce principle of least privilege by restricting local login to trusted administrators. Implement multi-factor authentication for remote access gateways. Monitor and audit local account activity, especially escalated operations. Segment DHCP servers from general user networks where possible.

Is there a workaround that eliminates the risk?

No complete workaround eliminates the vulnerability. Patching is the definitive remediation. Compensating controls such as privileged access management, local account restriction, and monitoring reduce exploitation likelihood but do not eliminate the flaw.

This analysis is based on available vulnerability information as of the publication date. Patch availability, CVSS scores, and affected version details should be verified against official Microsoft Security Update Guide advisories. SEC.co does not distribute patches or provide proof-of-concept code. For official guidance, consult Microsoft's security advisory and your organization's patch management policies. Always test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).