Windows DNS Client Flaw Allows Remote Code Execution Through Malicious DNS Responses
6 min. read 
Published on
Microsoft has patched a critical Windows DNS Client vulnerability that could let an unauthenticated attacker run code remotely by sending a malicious DNS response to a vulnerable system.
The flaw is tracked as CVE-2026-41096 and carries a CVSS 3.1 score of 9.8 out of 10. Microsoft describes it as a heap-based buffer overflow in Microsoft Windows DNS.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk is serious because DNS lookups happen constantly in normal Windows activity. Web browsing, software updates, VPN connections, cloud services, and background apps can all trigger DNS queries.
What CVE-2026-41096 does
CVE-2026-41096 affects the Windows DNS Client path used to process DNS responses. A crafted response can cause the DNS Client to handle memory incorrectly and corrupt memory on the target system.
In certain configurations, this can allow remote code execution without authentication. The attacker does not need a user to open a file or click a link.
The attacker does, however, need a way to influence DNS responses. That could involve a rogue DNS server, a man-in-the-middle position, a compromised router, a hostile local network, or another path that lets the attacker control traffic returned to the Windows device.
| Item | Details |
|---|---|
| CVE | CVE-2026-41096 |
| Component | Windows DNS Client |
| Weakness type | Heap-based buffer overflow |
| CWE | CWE-122 |
| Severity | Critical |
| CVSS 3.1 score | 9.8 |
| Attack vector | Network |
| User interaction | Not required |
Why the Windows DNS Client bug is dangerous
The DNS Client runs on Windows endpoints and servers, which gives the vulnerability a wide attack surface. It affects normal client-side network behavior rather than only a public-facing server role.
That means laptops, workstations, and servers may all need attention, especially in enterprise environments with large Windows fleets. A vulnerable system only needs to process a malicious DNS response for the bug to become relevant.
Security researchers also noted that the flaw requires no prior authentication and no user interaction. Those two conditions raise patching priority, even though Microsoft had not listed the issue as exploited in the wild at release.
Which Windows systems are affected
NVD’s affected software data lists supported Windows 11 branches and recent Windows Server versions. The listed vulnerable ranges include Windows 11 23H2, 24H2, 25H2, and 26H1 builds before their patched versions.
The affected server entries include Windows Server 2022 23H2 and Windows Server 2025 builds before their patched versions. Organizations should use Microsoft’s Security Update Guide and their normal update management tools to confirm exposure in their own environments.
Rapid7 also lists specific Microsoft update packages for remediation, including KB5087420, KB5089549, KB5089548, KB5087541, and KB5087539 across the relevant Windows releases.
| Platform | Patch reference |
|---|---|
| Windows 11 23H2 | KB5087420 |
| Windows 11 24H2 | KB5089549 |
| Windows 11 25H2 | KB5089549 |
| Windows 11 26H1 | KB5089548 |
| Windows Server 2022 23H2 | KB5087541 |
| Windows Server 2025 | KB5087539 |
How an attack could work
An attacker would first need a position where they can affect DNS traffic. That could happen on an untrusted Wi-Fi network, through a compromised local router, or through malicious DNS infrastructure.
When the Windows system sends a DNS query, the attacker returns a specially crafted DNS response. The vulnerable DNS Client then incorrectly processes that response.
If exploitation succeeds in a vulnerable configuration, the attacker could run code on the target system. From there, the attacker may try to gain persistence, steal credentials, move laterally, or chain the flaw with another vulnerability.
- Rogue DNS servers can return malicious responses to vulnerable systems.
- Compromised routers can place attackers in the DNS traffic path.
- Public Wi-Fi networks can increase exposure to traffic manipulation.
- Enterprise networks may face lateral movement risk if internal systems remain unpatched.
- Servers and workstations both need review if they run affected Windows versions.
Microsoft patched the flaw in May 2026 updates
Microsoft addressed CVE-2026-41096 in its May 2026 security updates. The update cycle also fixed many other Windows, Office, Azure, Microsoft Edge, .NET, SQL Server, and Microsoft 365 issues.
Security teams should treat this DNS Client flaw as a high-priority patching item because it combines network attack reach, low attack complexity, no authentication, and no user interaction.
At the time of release, Microsoft was not aware of active exploitation or public disclosure for the May 2026 vulnerabilities. That lowers immediate emergency pressure, but it does not remove the need to patch quickly.
What administrators should do now
Administrators should deploy the relevant May 2026 Windows security updates through Windows Update, WSUS, Microsoft Configuration Manager, Intune, or another endpoint management platform.
Organizations should prioritize laptops, systems that connect to untrusted networks, domain-joined workstations, servers with broad internal access, and devices using custom DNS routing.
Teams should also review DNS architecture. Restricting endpoints to approved resolvers reduces exposure to rogue DNS responses, but it does not replace patching.
- Install the May 2026 Windows security updates on affected systems.
- Confirm that Windows 11 and Windows Server builds meet or exceed the patched build levels.
- Prioritize mobile devices and systems that connect to public or partner networks.
- Restrict DNS traffic to trusted resolvers where practical.
- Monitor for unusual DNS resolver changes on endpoints and routers.
- Review endpoint logs for unusual child processes following DNS-related network activity.
- Segment critical servers from user networks to reduce lateral movement risk.
- Use endpoint detection and response rules that alert on suspicious memory corruption and post-exploitation behavior.
Why patching matters even without active exploitation
Microsoft assessed exploitation as less likely, but defenders should not treat that as a reason to delay. A CVSS 9.8 network RCE in a common Windows component can attract attacker interest after public patch analysis.
Attackers often compare patched and unpatched binaries after security updates ship. If they identify the vulnerable code path, they may build exploit attempts before every organization finishes patching.
For most environments, the best response is direct and simple: apply the update, verify deployment, and reduce exposure to untrusted DNS paths wherever possible.
FAQ
CVE-2026-41096 is a critical Windows DNS Client remote code execution vulnerability caused by a heap-based buffer overflow in Microsoft Windows DNS.
Attackers can exploit the vulnerability by sending a specially crafted DNS response to a vulnerable Windows system. In certain configurations, this can corrupt memory and allow remote code execution without authentication.
No. The vulnerability does not require the user to click a link, open a file, or perform another manual action. Normal DNS activity can trigger the vulnerable code path if the system receives a malicious response.
Public reporting around Microsoft’s May 2026 security release says Microsoft was not aware of active exploitation or public disclosure at release time.
Organizations should install the relevant May 2026 Windows security updates, restrict DNS traffic to trusted resolvers, review endpoint exposure, and monitor for suspicious DNS and post-exploitation activity.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages