cbcvebase.
CVE-2019-0626
published 2019-03-05

Priority P272 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 68.29% (99.2th percentile)

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

Affected

63 ranges · showing 25
Columns: Vendor, Product, Version range, Fixed in
microsoft / windows: 20 rows
microsoft / windows_10: 5 rows

Detection & IOCs (extracted from sources)

  • The vulnerable service is implemented in dhcpssvc.dll and run via svchost.exe; monitor for crashes or anomalous behavior in this process/DLL as an indicator of exploitation attempts.
  • Detect exploitation attempts by monitoring for a highly unusual volume of DHCP DISCOVER and RELEASE/REQUEST messages originating from a single client (hardware address) in a short time window — the described attack requires concurrently sending a large number of such messages over 10 seconds to several minutes.
  • Alert on DHCP RELEASE messages or crafted REQUEST messages (with a requested IP address the server cannot allocate) sent rapidly after DISCOVER messages from the same client hardware address — this is the specific trigger sequence for the use-after-free.
  • The attack vector is specially crafted DHCP packets sent to a Windows DHCP Server; monitor DHCP server traffic (UDP port 67) for anomalous packet floods or malformed option fields.
  • The vulnerability is a memory corruption (use-after-free via race condition) in the Windows Server DHCP service, not the DHCP client; only Windows Server deployments running the DHCP Server role are affected.
  • Triggering the race condition is non-deterministic and requires precise timing between thread scheduling windows; a crash of the DHCP server service (denial-of-service) is a more reliable outcome than remote code execution, and could be leveraged to stand up a rogue DHCP server.
  • The race condition window is extremely narrow: it exists between leaving one critical section (DhcpGlobalInprogressCritSect) and entering the next one, making reliable exploitation highly dependent on thread scheduling and not fully under attacker control.
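
The per-client burst heuristic from the second and third bullets, as an added example that is not part of the original page or of any vendor tooling: a sliding-window counter over already-parsed DHCP events. The event tuple layout, the sample data, the thresholds and the 0.5-second "rapid" gap are all assumptions to tune against a real baseline.

```python
from collections import defaultdict, deque

# All four values are assumptions; tune them against the network's own baseline.
WINDOW_S = 10.0      # page: the flood lasts "10 seconds to several minutes"
MIN_DISCOVER = 20    # DISCOVERs per client per window
MIN_FOLLOWUP = 20    # RELEASE/REQUEST messages trailing a DISCOVER
FOLLOW_GAP_S = 0.5   # how soon after a DISCOVER counts as "rapidly"

def detect_bursts(events):
    """events: time-sorted (ts_seconds, chaddr, msg_type) tuples.
    Returns {chaddr: timestamp at which both thresholds were first met}."""
    windows = defaultdict(deque)   # chaddr -> (ts, kind) entries inside the window
    last_discover = {}             # chaddr -> ts of most recent DISCOVER
    alerts = {}
    for ts, chaddr, msg in events:
        chaddr = chaddr.lower()    # normalise so one client is not split by case
        if msg == "DISCOVER":
            last_discover[chaddr] = ts
            kind = "D"
        elif msg in ("RELEASE", "REQUEST"):
            prev = last_discover.get(chaddr)
            if prev is None or ts - prev > FOLLOW_GAP_S:
                continue           # ordinary renewal or release, not the trigger pattern
            kind = "F"
        else:
            continue
        win = windows[chaddr]
        win.append((ts, kind))
        while ts - win[0][0] > WINDOW_S:   # drop entries older than the window
            win.popleft()
        discovers = sum(1 for _, k in win if k == "D")
        followups = len(win) - discovers
        if discovers >= MIN_DISCOVER and followups >= MIN_FOLLOWUP:
            alerts.setdefault(chaddr, ts)
    return alerts

def sample_events():
    """Constructed data: one flooding client and one normal client."""
    noisy, normal = "02:00:00:AA:BB:01", "02:00:00:aa:bb:02"
    ev = []
    for i in range(30):
        t = 100.0 + i * 0.2
        ev.append((t, noisy, "DISCOVER"))
        ev.append((t + 0.05, noisy, "RELEASE" if i % 2 else "REQUEST"))
    ev += [(101.0, normal, "DISCOVER"), (101.1, normal, "REQUEST"),
           (160.0, normal, "REQUEST")]   # later renewal, outside FOLLOW_GAP_S
    return sorted(ev)
```

Feed it events parsed from a capture on UDP port 67 or from server-side logging; an alert here indicates the traffic pattern only, so correlate it with crashes of the svchost.exe instance hosting dhcpssvc.dll.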

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc · 9.8 CRITICAL