Windows DHCP Client Information Disclosure Vulnerability

Monitor | CVSS 5.5 | CVE-2026-45634 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Out-of-bounds read in Windows DHCP Server component allows an authorized local attacker to read memory contents and disclose sensitive information. The vulnerability exists in the DHCP client service on Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025.

What this means
What could happen
An attacker with local access to a Windows system running DHCP client could read sensitive data from system memory, potentially exposing credentials or configuration information used by other processes on that system.
Who's at risk
This affects IT and OT operations using Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems. It is most relevant to organizations running engineering workstations, HMI servers, data historian systems, and domain controllers that manage OT network devices. Any Windows server or workstation providing DHCP services or running DHCP client is in scope.
How it could be exploited
An attacker with local logon access could trigger the out-of-bounds read in the DHCP client service by crafting specific network requests or manipulating local DHCP interactions, causing the service to leak data from adjacent memory regions.
Prerequisites
  • Local logon access to Windows system
  • Authorization to interact with DHCP client service
local access required | requires valid credentials | information disclosure only | low complexity exploit
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (26)
26 with fix
Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8880
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8880
Windows Server 2019 | All versions | Build 10.0.17763.8880
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8880
Windows Server 2022 | All versions | Build 10.0.20348.5256
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply June 2026 Windows security update to patch the DHCP client out-of-bounds read vulnerability
API: /api/v1/advisories/f4fce948-e0c3-4bff-a1b4-6928f7e66c36
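
A patch-level check built from the fixed builds in the product table above, as an added example that is not part of the original advisory. It covers only the build lines listed on this page; the function names, the inventory layout and the sample hosts are constructed for illustration.

```powershell
# Fixed builds from the advisory's table (build line -> minimum patched revision/UBR).
# Only the rows shown on this page are included; other affected products are not listed here.
$FixedBuilds = @{
    17763 = 8880   # Windows 10 Version 1809, Windows Server 2019
    20348 = 5256   # Windows Server 2022
}

function Get-DhcpFixStatus {
    # Hypothetical helper: classify a full OS version string such as "10.0.17763.8880".
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    if (-not $FixedBuilds.ContainsKey($v.Build)) { return 'Unknown' }  # build line not in table
    if ($v.Revision -ge $FixedBuilds[$v.Build]) { return 'Patched' }
    return 'Vulnerable'
}

function Get-LocalOsVersion {
    # CurrentBuildNumber and UBR (update build revision) are standard values under this key.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                         $cv.CurrentBuildNumber, $cv.UBR
}

# Constructed sample inventory (host names and versions are made up), plus this machine.
$inventory = @(
    [pscustomobject]@{ Computer = 'hmi-01.example';       Version = '10.0.17763.8755' }
    [pscustomobject]@{ Computer = 'historian-01.example'; Version = '10.0.20348.5256' }
    [pscustomobject]@{ Computer = 'eng-ws-07.example';    Version = '10.0.19045.6000' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME;      Version = (Get-LocalOsVersion) }
)

# Vulnerable hosts sort first; 'Unknown' means the build line is not in the table above.
$inventory | ForEach-Object {
    [pscustomobject]@{
        Computer = $_.Computer
        Version  = $_.Version
        Status   = Get-DhcpFixStatus -Version $_.Version
    }
} | Sort-Object Status -Descending | Format-Table -AutoSize
```

Hosts reported as Unknown need their fixed build looked up in the vendor's advisory before they are treated as patched.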
