Among the nearly 200 patches Microsoft shipped in the June 2026 Patch Tuesday, three carried the top severity mark of CVSS 9.8. One of them, CVE-2026-44815, sits in a component almost nobody thinks about but that runs on any machine connected to a network: the Windows DHCP Client Service.
DHCP is the protocol that asks the network for an IP address when you boot a laptop or join a Wi-Fi. The client is active on practically every Windows install, desktop and server, because almost nobody sets IPs by hand. That is exactly the problem: the attack surface is huge.
What breaks
The flaw is a remote code execution bug in the code that processes DHCP responses. Microsoft scored it CVSS 9.8, which means network vector, low complexity, no prior privileges, and no user interaction. If that score holds, an attacker on the same network could send crafted DHCP responses and run code on the machine that processes them, with nobody clicking anything.
One caveat is worth keeping in mind. The Zero Day Initiative team flagged a contradiction in the documentation: the CVSS metric says no permissions are required, but Microsoft’s own description mentions an “authenticated” attacker. ZDI advises erring on the conservative side and trusting the CVSS, meaning you should assume the worst case until it is clarified. Treating it as remote and unauthenticated is the sensible posture while you patch.
Who is affected
Any Microsoft operating system with DHCP client functionality, which in practice means all of them. It does not matter whether it is a Windows 11 desktop or a Windows Server in a datacenter: if it requests an IP over DHCP, it is exposed. That is why ZDI called it a juicy target. Environments with many machines on a single flat network carry the most concentrated risk, since a single compromised host (or an attacker with a foothold on the LAN) can start sending forged responses.
How to protect yourself
The patch has been available since 9 June 2026 in that month’s cumulative update. Installing it is the only complete fix. Recommendations:
- Apply the June 2026 Patch Tuesday as soon as possible across all Windows systems, including servers and machines that rarely reboot.
- Prioritise hosts on shared networks or loosely controlled segments, where an attacker could inject DHCP traffic.
- As a network containment measure, proper segmentation and rogue-DHCP protection (DHCP snooping on switches) reduce the chance of forged responses reaching clients, though they do not replace the patch.
This CVE was one of three 9.8 flaws that month, alongside CVE-2026-47291 in HTTP.sys and a Windows kernel bug. All three allow code execution without authentication or interaction, so the June cycle deserved immediate attention. If you manage Windows machines, also review the full June 2026 Patch Tuesday and the Windows page.