On July 14, 2026, Microsoft's monthly security update included a fix for CVE-2026-50685, a remote code execution vulnerability in the Windows DHCP Server service. The bug stems from a double-free memory error and carries a CVSS 3.1 base score of 7.5, rated Important. While no exploits are known and the attack complexity is high, every organization running the DHCP Server role on Windows Server should apply the patch – and here's why.
The Double-Free That Demands a Patch
CVE-2026-50685 is a memory-management flaw in the DHCP Server service. When the service processes certain input, it can free the same memory allocation twice, a classic double-free condition. In the best case, this causes a service crash. In the worst case, a skilled attacker can manipulate heap memory to hijack execution flow and run arbitrary code in the context of the DHCP service.
Microsoft’s CVSS scoring paints a picture of a constrained but serious threat. The attack vector is network-based, meaning a remote attacker can aim at the DHCP server without needing physical access. No user interaction is required, and the impact on confidentiality, integrity, and availability is high. Yet the attack complexity is rated high, and exploitation requires an authorized attacker. That combination keeps the base score at 7.5 and the severity label at Important rather than Critical.
In practice, an attacker must already have some level of authenticated access to the network – but that could be a compromised user account, a malicious insider, or an actor who has pivoted from another system. From there, they would need to craft requests that reliably trigger the double-free. Microsoft describes known exploitation as unlikely, but the company has confirmed the vulnerability’s existence and credibility.
Why This Matters for Your Network
Windows DHCP Server is the go-to role for dynamically assigning IP addresses, DNS settings, gateways, and other configuration parameters. If it stops working, new devices can’t join the network, and existing leases can’t renew, causing widespread disruption. If it gets compromised, an attacker could gain a foothold on a critical infrastructure server, potentially moving laterally to domain controllers or other sensitive systems.
CVE-2026-50685 doesn’t require that your DHCP server be internet-facing. Any DHCP server on an internal network is reachable by any authenticated device – and that set may include workstations, printers, or IoT gear that have been compromised. Even a failed exploitation attempt that crashes the service would cause a denial of service, so the reliability risk cuts both ways.
The patch applies to all supported Windows Server releases, from Windows Server 2012 to Windows Server 2025. That includes Long-Term Servicing Channel (LTSC) editions and semi-annual channel releases. If you have the DHCP Server role installed, you are affected, regardless of how exposed or hidden you think the server is. Branch offices, secondary sites, and utility servers often host DHCP and are among the last to get patched – a mistake given this vulnerability.
How We Got Here: A Patch Tuesday Heavy on DHCP Networks
The July 2026 Patch Tuesday was unusually busy for DHCP fixes. As reported by BleepingComputer and the SANS Internet Storm Center, Microsoft addressed multiple remote code execution, elevation-of-privilege, and denial-of-service vulnerabilities affecting both DHCP Server and DHCP Client components. Some of those carried Critical ratings and even higher CVSS scores than CVE-2026-50685.
This context matters because the same cumulative update or security-only update that patches this double-free bug also closes other dangerous DHCP server flaws. You aren’t applying a patch just for one isolated, medium-severity issue; you’re resolving a bundle of DHCP attack vectors in one maintenance action. Skipping the update leaves you exposed to a wider set of threats.
Microsoft assigned report confidence as “Confirmed” for this CVE, meaning the company believes the vulnerability is real and has sufficient technical evidence to back the assessment. It doesn’t mean exploit code is public or in the wild – as of July 15, 2026, none had been detected – but attackers often reverse-engineer patches quickly. The window of safety is limited.
What to Do Now: A Practical Deployment Plan
Because there is no publicly documented workaround that preserves DHCP functionality, patching is the only viable long-term mitigation. Disabling the DHCP Server service would remove exposure but also break your network’s ability to hand out IP addresses – an emergency stopgap, not a solution.
Follow these steps to secure your DHCP servers:
- Inventory every DHCP server. Don’t assume. Run a script or use your configuration management tool to query all Windows servers for the installed DHCP Server role or the running
DHCPServerservice. Include branch offices, DMZ subnets, and test environments. - Review network segmentation. Confirm that DHCP management traffic (e.g., TCP/UDP port 67/68) and DHCP relay traffic are filtered so that only authorized devices can reach the server. This reduces the attack surface, but it’s not a replacement for the patch.
- Identify failover configurations. If you use DHCP failover or split scopes, plan the update to avoid taking both partners offline at the same time. A brief period with a single DHCP server is acceptable if clients have valid leases; design your maintenance window accordingly.
- Deploy the July 2026 security update. Use Windows Update, WSUS, Microsoft Configuration Manager, Azure Update Manager, or your patch management platform. For each server, select the appropriate cumulative update or security-only update for its Windows Server version and edition. The update was released on July 14, 2026.
- Reboot and verify. After the required restart, confirm that the DHCP Server service is running and that it is issuing leases. Test lease renewal, reservations, scope options, and DHCP relay traffic. Check the OS build number or update history to ensure the patch took effect – don’t rely solely on a patch-management “success” status.
- Monitor for anomalies. In the days following the update, watch for unusual crashes of the DHCP service, unexpected authentication events, or unusual DHCP traffic patterns. Microsoft Defender and your SIEM can be configured to alert on such activity.
No KB article is specified because this CVE is addressed through the normal monthly rollup. You can find the exact update package by consulting the Microsoft Security Update Guide, which maps each CVE to a KB number for your platform.
Outlook: Beyond the July Patch
The double-free bug in DHCP Server is a reminder that even “Important” vulnerabilities can carry an RCE impact and should not be dismissed. As attackers develop new techniques, yesterday’s high-complexity exploit can become tomorrow’s commodity tool. Microsoft will continue to harden Windows Server roles, but the onus is on administrators to maintain a regular patching cadence.
Keep an eye on the MSRC for any later changes to CVE-2026-50685’s status. If exploitation increases, Microsoft may reclassify the severity or publish additional guidance. For now, the safe course is clear: apply the July 2026 update, verify DHCP functionality, and move this CVE from your “to-do” list to your “done” list.