CVE-2018-8626
published 2018-12-12

Priority: P2 (62)
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.12% (97.3rd percentile)
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests, aka "Windows DNS Server Heap Overflow Vulnerability." This affects Windows Server 2012 R2, Windows Server 2019, Windows Server 2016, Windows 10, Windows 10 Servers.

Affected

39 ranges (showing 25)

Vendor      Product                                        Ranges shown
microsoft   windows_10                                     15
microsoft   windows_10_servers                             2
microsoft   windows_server_2012                            1
microsoft   windows_server_2012_r2                         1
microsoft   windows_server_2016                            3
microsoft   windows_server_2019                            1
msrc        windows_10_version_1607_for_32-bit_systems     1
msrc        windows_10_version_1607_for_x64-based_systems  1

Detection & IOCs (extracted from sources)

  • Target service is Windows DNS Server (dns.exe); monitor for anomalous/malformed inbound DNS requests to Windows DNS servers, particularly from unauthenticated sources, which may trigger a heap overflow.
  • Successful exploitation results in code execution as Local System Account; monitor for unexpected child processes or privileged activity spawned from dns.exe.
  • Affected platforms are Windows DNS Server roles on Windows Server 2012 R2, Server 2016, Server 2019, and Windows 10 Servers; scope detection to these OS versions running the DNS Server role.
  • Exploitation likelihood rated low by Microsoft for both latest and older software releases at time of disclosure; no in-the-wild exploitation confirmed.
  • The vulnerability was not publicly disclosed or exploited at time of advisory publication, limiting available public PoC-based signatures.

CVSS provenance

  • nvd (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vendor_msrc: 9.8 CRITICAL