ctipilot.ch

Windows DHCP Client Service RCE (CVSS 9.8), June 2026 Patch Tuesday

cve · CVE-2026-44815

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 186 (74 hosts)
  • Sections touched: 0
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-10 CTI Daily Brief — 2026-06-10

Source distribution

  • attack.mitre.org: 38 (20%)
  • thehackernews.com: 12 (6%)
  • bleepingcomputer.com: 10 (5%)
  • isc.sans.edu: 7 (4%)
  • msrc.microsoft.com: 7 (4%)
  • helpnetsecurity.com: 7 (4%)
  • microsoft.com: 4 (2%)
  • therecord.media: 4 (2%)
  • other: 97 (52%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Windows DHCP Client Service RCE (CVSS 9.8), June 2026 Patch Tuesday (1)

CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Microsoft's June 2026 Patch Tuesday addressed 198 CVEs (32 Critical), the largest in program history (Rapid7, 2026-06-09). The headline is CVE-2026-47291 in HTTP.sys (CWE-190 integer overflow into a CWE-122 heap write): an unauthenticated attacker sends a crafted request to any Windows service built on the HTTP Protocol Stack (IIS, WinRM, WMI-over-HTTP) to achieve RCE, rated "Exploitation More Likely" (Microsoft MSRC, 2026-06-09). Microsoft notes systems at the default MaxRequestBytes of 16384 bytes are not impacted — only deployments that raised it above ~65 KB are exposed, so resetting that registry value is a stopgap.

Three publicly-disclosed (not-yet-exploited) zero-days also shipped: CVE-2026-49160 (HTTP.sys HTTP/2 compression-bomb DoS, the IIS analogue of the earlier nginx/Apache CVE-2026-49975, now mitigated with MaxHeadersCount), CVE-2026-50507 (BitLocker physical-access bypass), and CVE-2026-45586 (CTFMON EoP); the release also includes the DHCP Client RCE CVE-2026-44815 (CVSS 9.8, "Less Likely") and VSCode EoP CVE-2026-47281 (CVSS 9.6) (Tenable, 2026-06-09; SANS ISC, 2026-06-09).

Prioritise the HTTP.sys patch on any Windows host exposing IIS/WinRM.