VULNERABILITY OVERVIEW
A stack-based buffer overflow (CWE-121) in the Windows DHCP Client Service allows a network-adjacent or remote attacker to execute arbitrary code by sending a maliciously crafted DHCP response, with no user interaction required. ZDI notes a discrepancy between the CVSS vector (no privileges required) and the advisory text ('authenticated user'), advising defenders to treat it as unauthenticated per the CVSS. Because the DHCP client runs on every Windows endpoint, the blast radius is exceptionally wide; no public exploit exists but ZDI recommends immediate deployment of the patch.
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H · I:H · A:H
AFFECTED VERSIONS
Windows 10, Windows 11, Windows Server 2016/2019/2022/2025 — all versions prior to the June 2026 Patch Tuesday cumulative update; the DHCP client is present on every supported Windows OS.
CITATIONS
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44815
- → https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
- → https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html
- → https://threat-modeling.com/microsoft-june-2026-patch-tuesday-critical-cves/