Microsoft released a critical security patch on July 14, 2026 that closes a use-after-free vulnerability in the Windows DHCP Client, a core networking component present on nearly every Windows machine. Rated 8.4 on the CVSS scale and labeled “exploitation more likely” by Microsoft, CVE-2026-54128 could allow an attacker to execute arbitrary code without any privileges once they gain local access to an unpatched system.
What the July patch actually fixes
The vulnerability tracked as CVE-2026-54128 sits inside the Windows DHCP Client service—the software that automatically requests and configures IP addresses from a network’s DHCP server. Microsoft’s advisory describes it as a CWE-416 use-after-free error, a class of memory-corruption bug where code continues to reference memory that has already been released. If an attacker can trigger the flaw, they risk corrupting the client’s memory in a way that lets them hijack code execution, potentially gaining full control of the machine.
Microsoft’s own CVSS vector for the vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Despite the advisory’s title calling it a “Remote Code Execution” vulnerability, the vector’s attack vector (“AV:L”) points to local exploitation. That discrepancy has prompted careful reading by security analysts: while the impact is remote in the sense that code execution happens on the target, the currently documented path requires the attacker to already be on the machine or have some other local reach. Microsoft hasn’t yet published the exact method by which an unauthorized attacker would get to that local code-execution step, so assumptions about network-borne DHCP packet attacks are premature.
What is certain, however, is the scope. Microsoft lists affected versions spanning over a decade of Windows releases, including:
- Windows 10 1607, 1809, 21H2, and 22H2
- Windows 11 24H2, 25H2, and 26H1 on both x64 and Arm64
- Windows Server 2012 and 2012 R2 (including Server Core)
- Windows Server 2016 and 2019 (including Server Core)
- Windows Server 2022 and 2025 (including Server Core)
For each, the fix arrives through the standard cumulative update for July 2026. For example, Windows 11 24H2 and 25H2 users will receive builds 26100.8875 and 26200.8875 via KB5101650; Windows Server 2022 climbs to build 20348.5386 with KB5099540; Windows 10 21H2/22H2 get builds 19044.7548 and 19045.7548.
What the flaw means for your computers
For home users, the immediate worry is low. Absent an easy network attack vector, this isn’t a wormable flaw that can jump from one PC to another over the internet. But the low complexity and lack of required user interaction mean that if you’re tricked into running a malicious installer, opening a compromised document, or visiting a website that pulls off a browser exploit, the DHCP Client bug could be used as a secondary payload to move from limited access to full system compromise without a privilege-escalation step.
Businesses and IT administrators face a broader concern. The DHCP Client runs on every Windows endpoint and server, regardless of whether the machine acts as a DHCP server. This means the patching surface is essentially the entire Windows fleet. Moreover, the “exploitation more likely” assessment from Microsoft should nudge this update ahead of less urgent patches in any staged rollout. The fact that no public exploits or active attacks were known at release is reassuring, but the nature of a critical memory-corruption bug in such a foundational component suggests attackers will study the patch to develop weaponized code quickly.
Developers and researchers who maintain custom or legacy Windows builds must also take note. Virtual machines, disaster-recovery images, point-of-sale terminals, and industrial PCs often linger unpatched longer than standard corporate laptops. Offline systems are particularly tricky because they can’t fetch updates; they’ll need manual servicing before they rejoin any network.
How we arrived here
CVE-2026-54128 was disclosed as part of Microsoft’s regular July 2026 Patch Tuesday, a monthly ritual that delivers a slew of fixes across the Windows ecosystem. This particular bug was discovered through internal research or an undisclosed external report—Microsoft doesn’t credit a specific finder in the initial advisory. The vulnerability sat undetected in the DHCP Client code for years, likely because it requires a specific chain of conditions to trigger. Unlike the more notorious DHCP Server vulnerabilities that occasionally make headlines, a client-side bug doesn’t receive as much scrutiny because most network security models treat the client as a subordinate component that merely processes server replies.
That assumption broke here. A use-after-free in the client’s parsing logic means that carefully crafted DHCP responses, or perhaps another local method of feeding malformed data to the service, could corrupt memory. The CVSS score of 8.4 reflects the worst-case outcome: complete loss of confidentiality, integrity, and availability. Yet the “more likely” exploitability index suggests Microsoft believes attacker interest will be high, perhaps because the bug resides in a heavily shared component or because reverse-engineering the patch will offer clear clues.
One important note for readers: don’t confuse this with the separate DHCP Server vulnerabilities also addressed in July 2026. Those server-side flaws have their own attack scenarios and affected configurations. The client CVE applies everywhere, even to machines that never touch a DHCP server you control.
What you need to do right now
There is no workaround, and disabling DHCP client services is not a viable option—it would break network connectivity for most users. Microsoft confirms that mitigation consists solely of installing the July 2026 security update.
For regular home and small business users: Open Windows Update, check for updates, and install the July 2026 cumulative update. If automatic updates are on, confirm that your machine has restarted and the build number matches one of the fixed versions listed above. You can check your build by typing “winver” in the Start search box.
For IT teams managing fleets: Push the July cumulative update through your normal deployment pipeline—Windows Server Update Services, Configuration Manager, Intune, or your preferred endpoint management tool. Because Microsoft rates exploitation as more likely, you should accelerate the rollout past your lowest-priority testing rings. Verify build numbers across all managed endpoints; pay special attention to offline laptops, pooled virtual desktops, and server templates that might sit dormant for weeks. Those can re-introduce vulnerable builds long after your fleet dashboard shows compliance.
For server admins: This vulnerability affects servers just as much as desktops. If your server obtains a dynamic IP via DHCP (even in a cloud environment where the infrastructure provides one), the client service is active and must be patched. Check your Server Core installations, too—Microsoft lists them explicitly in the affected list.
For those who can’t patch immediately: The only pragmatic step is to strictly limit any code execution that isn’t trusted. Use application control policies, block macros from the internet, and enforce strong endpoint protection rules. But these are defense-in-depth measures; they can’t substitute for the patch.
What to watch next
Expect the vulnerability’s technical details to expand in the coming weeks. Independent researchers and the Windows internals community will likely dissect the patch and attempt to build proof-of-concept exploits, which could shift the risk from theoretical to actively targeted. Also keep an eye on Microsoft’s advisory page—the discrepancy between the RCE title and local CVSS vector may be clarified or revised. If the vector is updated to reflect a truly remote attack path, the urgency jumps dramatically. For now, treat CVE-2026-54128 as a local code-execution flaw with critical impact and patch every Windows system you manage.