CRITICAL CVE-2026-44815 (CNA: microsoft)

CVE-2026-44815: DHCP Client Service Remote Code Execution Vulnerability

Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 6.2.9200.26132
Affected Products: 20


HarborGuard Analysis

Synopsis

Stack-based buffer overflow in the Windows DHCP Client Service allows an unauthenticated remote attacker to execute arbitrary code on affected systems. The vulnerability is reachable over the network with no authentication and no user interaction required, making it exploitable by any attacker who can send crafted DHCP responses to a target host. Successful exploitation gives the attacker full control over the affected system, including the ability to read, modify, or destroy data and disrupt services. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44815 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that include affected Windows base layers, not just images pulled directly from upstream registries.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.8 (Critical) and applying per-environment compliance policy weighting to prioritize alert routing. Findings are routable to the appropriate team inbox within each customer organization based on workload ownership and policy configuration.

Patch: Available

A patched-image rebuild at the applicable fix version becomes available on HarborGuard once an affected image is identified, with fixes spanning versions 6.2.9200.26132 through 10.0.26100.8655 depending on the Windows release in use. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target over the network, specifically by sending malicious DHCP response packets to the vulnerable host.

  • Authentication: Not required

    No credentials or account of any kind are required; the attacker sends unauthenticated network packets to trigger the overflow.

  • Victim interaction: Not required

    No user action is needed; the DHCP Client Service processes malicious packets automatically without any interaction from a logged-in user.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup beyond network reachability.

Blast Radius

  • Attacker executes arbitrary code in the context of the DHCP Client Service, which typically runs with SYSTEM-level privileges on Windows hosts.
  • All files, credentials, and secrets stored on the compromised host become readable to the attacker.
  • The attacker can modify or delete persisted data, install payloads, or alter system configuration.
  • The attacker can crash or disable the host or services running on it, causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patched-image rebuild capability for CVE-2026-44815 across all customer environments. For images found to include an affected Windows base layer, HarborGuard identifies the precise fix version required from the set of published fixes (ranging from 6.2.9200.26132 to 10.0.26100.8655 depending on the Windows release). Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image at the appropriate fix version, an automated regression-test run, and a pull request opened against affected workloads. Given the Critical severity and network-exploitable, zero-authentication nature of this vulnerability, prioritizing auto-remediation or manual upgrade of affected base images is strongly warranted. Environments that cannot immediately apply a patch should consider network-policy controls that restrict DHCP traffic to trusted relay agents only, reducing the attack surface while a rebuild is prepared.


Fix available

6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, 10.0.26200.8655, 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
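
The ranges above can be turned into an inventory check. The following is an added example, not HarborGuard's or Microsoft's code: it compares the revision numerically within each build branch and handles build 26100, where Windows 11 24H2 and Windows Server 2025 have different fix revisions. The function names, the `edition` argument with its "client"/"server" labels, and the sample inventory are assumptions made for illustration.

```python
# Added example. First fixed revision per (major, minor, build) branch,
# transcribed from the "Affected packages" list on this page.
FIXED_REVISION = {
    (6, 2, 9200): 26132, (6, 3, 9600): 23228,
    (10, 0, 14393): 9234, (10, 0, 17763): 8880,
    (10, 0, 19044): 7417, (10, 0, 19045): 7417,
    (10, 0, 20348): 5256, (10, 0, 22631): 7219,
    (10, 0, 26200): 8655, (10, 0, 28000): 2269,
}
# Build 26100 is shared by Windows 11 24H2 and Windows Server 2025, which have
# different fix revisions. The "client"/"server" labels are this example's own.
FIXED_26100 = {"client": 8655, "server": 32995}

def parse_version(text):
    """Split 'major.minor.build.revision' into four ints (never compare as strings)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return tuple(int(p) for p in parts)

def classify(version, edition=None):
    """Return 'vulnerable', 'fixed', 'ambiguous' or 'not-listed'."""
    major, minor, build, rev = parse_version(version)
    branch = (major, minor, build)
    if branch == (10, 0, 26100):
        if edition in FIXED_26100:
            fixed = FIXED_26100[edition]
        elif rev < min(FIXED_26100.values()):
            return "vulnerable"      # below both thresholds
        elif rev >= max(FIXED_26100.values()):
            return "fixed"           # at or above both thresholds
        else:
            return "ambiguous"       # answer depends on the edition
    elif branch in FIXED_REVISION:
        fixed = FIXED_REVISION[branch]
    else:
        return "not-listed"          # branch does not appear in the advisory
    return "vulnerable" if rev < fixed else "fixed"

# Constructed sample inventory: (image name, OS version, edition).
SAMPLE_INVENTORY = [
    ("img-a", "10.0.17763.8879", "server"),
    ("img-b", "10.0.26100.9000", "server"),
    ("img-c", "10.0.26100.9000", "client"),
    ("img-d", "6.3.9600.23228", "server"),
]

def needs_attention(inventory):
    """Names of images that are vulnerable or cannot be cleared without the edition."""
    return [n for n, v, e in inventory if classify(v, e) in ("vulnerable", "ambiguous")]
```

A result of "not-listed" means only that the build branch is absent from this advisory's list, not that the host has been verified as unaffected.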
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C