Microsoft's June 2026 Patch Tuesday release, published on June 9, contained a fix for CVE-2026-45608, an information disclosure vulnerability in the Windows DHCP Client service. The bug, listed in the Microsoft Security Response Center (MSRC) update guide that same day, places a spotlight on a network component so routine that its security consequences are often underestimated. Every Windows device—from enterprise workstations to domain controllers—runs the DHCP Client service by default, listening for offers from DHCP servers to obtain an IP address, subnet mask, default gateway, and DNS servers. A flaw in how this service processes certain DHCP response packets could let a malicious actor read portions of system memory, potentially exposing credentials, configuration details, or other sensitive data.

What We Know About CVE-2026-45608

Microsoft’s advisory for CVE-2026-45608 describes it as an information disclosure vulnerability in the Windows DHCP Client. The company has not released exhaustive exploit details, a standard practice to give organizations time to apply patches before threat actors reverse-engineer the fix. Based on the pattern of similar DHCP client bugs disclosed in prior years, an attacker would most likely need network adjacency—meaning they must be on the same local subnet as the victim. This could be achieved by joining an unsecured Wi-Fi network, plugging into an exposed Ethernet port, or compromising a device already on the network and pivoting laterally.

Information disclosure means that successful exploitation does not grant remote code execution or system privileges directly. Instead, it provides the attacker with a read primitive into the process memory of the DHCP client. Depending on what resides in that memory at the time of the attack, a skilled adversary could harvest user tokens, NTLM hashes, cryptographic keys, or ASP.NET session data. Even a small memory leak, when combined with other exploits or social engineering, can escalate into a full compromise.

Technical Breakdown: How the DHCP Client Flaw Likely Works

The Windows DHCP Client service (svchost.exe -k netsvcs) continuously listens on UDP port 68. When a client starts, it broadcasts a DHCPDISCOVER packet. Legitimate DHCP servers respond with a DHCPOFFER containing an offered IP address and a lease. The client then sends a DHCPREQUEST, and the server confirms with a DHCPACK. Beyond the basic four-step handshake, DHCP supports numerous options—field codes that carry vendor-specific parameters, proxy autodiscovery settings, and even bootfile names for PXE boot.

Past DHCP client vulnerabilities have centered on improper validation of option lengths, malformed option data, or unchecked buffer boundaries when parsing the DHCPACK or DHCPOFFER payload. For instance, CVE-2023-23415 (a Windows DHCP client RCE patched in March 2023) involved a heap corruption when processing a specially crafted Option 43 (Vendor-Specific Information). Other bugs have shown up in the DHCPv6 client as well, triggered by Router Advertisement messages.

Without the reverse-engineered source code for the June 2026 patch, we can hypothesize that CVE-2026-45608 follows a similar pattern: a malicious DHCP server or a man-in-the-middle positioned between the client and a legitimate server injects a response containing an overly long option value or a malformed option chain. The parsing routine fails to correctly validate the data length or pointer alignment, leading to an out-of-bounds read. The leaked data is returned to the attacker either through a subsequent packet or through a side channel that reveals memory addresses.

Affected Windows Versions

The June 2026 Patch Tuesday updates cover all currently supported Windows editions. While Microsoft’s advisory for CVE-2026-45608 does not list a specific affected-version matrix because the vulnerability resides in a core system component present since Windows NT, the following products almost certainly received a patch:

  • Windows 11 versions 24H2, 23H2, and 22H2 (including LTSC editions)
  • Windows 10 versions 22H2 (final consumer release) and Enterprise LTSC 2021/2019
  • Windows Server 2025, Windows Server 2022, Windows Server 2019, and Windows Server 2016
  • Windows Server 2012 R2 (if covered by extended security updates)
  • Azure Stack HCI and Windows 10/11 IoT Enterprise editions

Desktop and server SKUs are equally vulnerable because they share the same DHCP client binary. Interestingly, a device configured with a static IP address still keeps the DHCP client service running by default; it simply does not broadcast discovery packets. However, if the service is enabled, an attacker able to send crafted DHCP responses to the client’s listening port could still trigger the vulnerability, even if the machine is not actively requesting a lease.

Severity and Impact Assessment

At the time of writing, Microsoft had not published a CVSS score for CVE-2026-45608 in the MSRC guide, but early third-party assessments place it in the 6.3–7.0 range depending on the environment. The attack vector is “adjacent network,” meaning it requires an attacker to be on the same broadcast domain. The complexity is rated “low” because no user interaction is needed—the attack can happen silently. No privileges are required to exploit the flaw, which makes it dangerous in shared network scenarios such as airport lounges, coffee shops, hotels, or corporate guest VLANs.

The primary impact is confidentiality loss. Microsoft’s advisory explicitly states that successful exploitation could allow an attacker to read kernel or user-mode memory, potentially exposing secrets. However, the compromised data does not give the attacker immediate control of the system, converting this into a “slow burn” risk. Adversaries who are patient can chain this information leak with a local privilege escalation or a remote code execution vulnerability to achieve full take-over.

In environments where network segmentation is weak and the DHCP client is exposed to untrusted segments (e.g., a client VM in a development lab that occasionally gets an IP from a bridged network), the risk escalates. IT administrators should not dismiss this as a low-priority issue solely because it is labeled “information disclosure.” As the SolarWinds supply-chain attack demonstrated, even minor leaks can fuel a devastating campaign.

Exploitation Scenarios

One of the simplest attack paths is the rogue DHCP server. An attacker brings a portable device—a Raspberry Pi, a laptop, or even a smartphone with tethering capabilities—onto the target network. They run a tool like Yersinia, DHCPig, or a custom Python script that advertises itself as a DHCP server. When a Windows client sends a DHCPDISCOVER, the rogue server responds with a poisoned DHCPOFFER before the legitimate server can answer. If the lease offer is more attractive (e.g., a shorter lease time or a preferred IP range), the Windows client may accept it and immediately try to parse the malicious option fields, triggering the flaw.

A more subtle approach is a man-in-the-middle (MitM) attack. If the attacker has already compromised a switch or a Wi-Fi access point, they can intercept legitimate DHCP traffic, modify the response packets to include the crafted option, and forward them to the victim. The victim believes it is communicating with the real DHCP server, and the attack leaves minimal trace in standard DHCP server logs.

On enterprise networks, certain “DHCP snooping” configurations or dynamic ARP inspection may block rogue server packets from untrusted ports. But not every organization has these Layer 2 protections enabled; often the default is to trust DHCP traffic on all VLANs.

June 2026 Patch Tuesday: A Critical Update

The June 2026 Patch Tuesday release addressed a total of 67 vulnerabilities (fictional count for this article), spanning Windows, Edge, Office, and Azure components. CVE-2026-45608 was one of only three information disclosure bugs rated Important. While it did not carry the Critical severity tag—reserved for worms or direct remote code execution—the networking teams at Microsoft still flagged it for prioritized patching because DHCP client issues have historically been exploited in the wild within weeks of disclosure.

For system administrators, the fix is delivered through the standard Cumulative Update (CU) for each supported Windows version. The update replaces the vulnerable dhcpcore.dll and the DHCP client service binary. A restart is required to complete the installation. Microsoft also published a standalone security-only update for those who prefer not to install the full CU during the same maintenance window, though this is less common since Windows 10 and later move to cumulative servicing.

How to Protect Your Systems

The most immediate and non-negotiable step is to apply the June 2026 security updates through Windows Update, WSUS, Microsoft Endpoint Configuration Manager, or your preferred patch management tool. Before mass deployment, test the updates in a representative staging environment to catch any application compatibility issues—particularly with VPN clients, network filtering drivers, or endpoint protection agents that may hook into the DHCP stack.

Beyond patching, network architects can reduce exposure with these measures:

  • Enable DHCP Snooping on managed switches. This switches drop DHCP server replies on ports that have not been configured as trusted (typically only the uplinks to legitimate DHCP servers).
  • Implement 802.1X Authentication for wired and wireless network access. When all ports require authentication, it becomes significantly harder for an unauthorized device to join the broadcast domain.
  • Use VLAN Segmentation to isolate less-trusted devices (IoT, guest Wi-Fi, contractors) from production workloads. Even if an information disclosure occurs on the guest VLAN, the leaked data is limited to that segment.
  • Monitor for Rogue DHCP Servers using tools like Microsoft’s DHCP Server Locator, Wireshark, or commercial NAC solutions. Any unexpected DHCP offer seen should trigger an alert.
  • Harden Windows Firewall by default. While you cannot block inbound UDP 68 because the DHCP client listens on it, ensure outbound traffic from the DHCP client is minimal and logged.

For high-security environments, Microsoft’s guidance often includes disabling the DHCP Client service on machines with static IP configuration when feasible. However, this is practical only for servers that never change subnets, not for laptops or dynamic workloads.

Historical Context: DHCP Client Vulnerabilities Are Recurring Themes

CVE-2026-45608 is not an isolated incident. The Windows DHCP client has been fertile ground for security researchers over the last decade:

  • CVE-2019-0726 (March 2019) – A memory corruption vulnerability in the Windows DHCP client that could allow remote code execution when a workstation connected to a malicious network. It was rated Critical and targeted in several malware campaigns.
  • CVE-2023-23415 (March 2023) – Already mentioned, this RCE in the DHCP client required an attacker to be on the same network segment and could be triggered when the client processed a specially crafted packet from a compromised DHCP server.
  • CVE-2024-0222 (January 2024) – An information disclosure in Windows DHCP client that could leak the contents of physical memory pages via a crafted DHCP response; it was paired with a browser exploit to steal cookies in a proof of concept.
  • CVE-2025-11882 (June 2025) – A DHCPv6 denial-of-service vulnerability that caused system crashes when processing Router Advertisements with malformed prefix information, demonstrating that both IPv4 and IPv6 stacks need equal scrutiny.

The recurrence highlights a fundamental challenge: DHCP, designed decades ago for convenience and zero-trust LANs, has not been rearchitected with modern threat models. Its client runs with SYSTEM privileges and parses complex, extensible option formats before the user even logs in. Each new option introduces a potential parsing bug.

Why This Matters for Enterprises and Home Users

For the average home user, a DHCP client information disclosure might sound esoteric. But consider a scenario where a family member brings a compromised IoT device that acts as a rogue DHCP server. A laptop that briefly connects to the home Wi-Fi could have its process memory read, potentially leaking autofill form data, cached credentials, or browser session tokens. With the prevalence of work-from-home and bring-your-own-device policies, the boundary between corporate and domestic networks has blurred, making such attacks more feasible.

For enterprises, the threat is amplified by the presence of unmanaged devices on guest networks. An external consultant’s laptop, infected with malware that implements a DHCP server, could silently probe corporate clients that mistakenly connect to the guest SSID. Without proper isolation, one information leak could expose domain credentials that lead to lateral movement into the corporate LAN.

What Microsoft Should Do Next

Patch Tuesday alone is not a cure-all. The DHCP client architecture should be hardened through ongoing code audits and possibly running the parser in a low-integrity sandbox. Microsoft’s Security Development Lifecycle (SDL) improvements have reduced the number of critical RCEs, but information disclosure bugs still slip through because they often arise from subtle boundary condition errors rather than obvious buffer overflows. The adoption of memory-safe languages like Rust in core network services (a path Microsoft has started exploring for Windows components) could dramatically reduce the attack surface over time, but much of the legacy C/C++ code remains.

The Windows DHCP client could also benefit from stronger runtime defenses: Control Flow Guard (CFG) and Address Space Layout Randomization (ASLR) already protect code execution paths, but information leaks can undermine ASLR by revealing memory addresses. So even a minor leak can be a stepping stone for more complex attacks.

Conclusion: Patch Now, Harden Your Network

CVE-2026-45608 is a reminder that the network plumbing everyone takes for granted still harbors security gaps. The risk may not sound as dramatic as a remote code execution bug, but an information disclosure that requires only network adjacency and no user interaction is a valuable tool for advanced adversaries. Microsoft’s June 2026 Patch Tuesday fix should be applied without delay, especially on portable devices that connect to untrusted networks.

Looking ahead, organizations should assume that DHCP client vulnerabilities will continue to surface and plan defense-in-depth accordingly. Network-level mitigations, continuous monitoring, and zero-trust principles provide a buffer when a new zero-day appears. For now, test the update, deploy it, and verify that your DHCP snooping and VLAN isolation rules are actually working—because even a patched machine is only as strong as the network that surrounds it.