Windows systems worldwide are at risk from a new critical flaw in the Windows DNS Client that could allow remote code execution without any user interaction.
Tracked as CVE-2026-41096, the vulnerability has been rated critical with a CVSS base score of 9.8. It is patched in Microsoft’s May 12, 2026, security updates.
Critical DNS client bug in Windows
CVE-2026-41096 is a heap-based buffer overflow in the Windows DNS Client component (dnsapi.dll), which handles DNS responses on virtually every supported Windows machine.
The weakness is categorized under CWE-122, meaning an attacker can overwrite data in heap memory by sending inputs that exceed an internal buffer.
According to Microsoft and NVD, a remote, unauthenticated attacker can exploit this bug over the network to execute arbitrary code on the target system.
The CVSS 3.1 vector reflects how dangerous this is: network-based, low attack complexity, no privileges required, and no user interaction needed, with high impact on confidentiality, integrity, and availability.
In practice, that means a successful exploit could give an attacker full control of a vulnerable Windows host, allowing data theft, malware deployment, lateral movement, or full system takeover.
To exploit CVE-2026-41096, an attacker needs to send a specially crafted DNS response to a vulnerable Windows system. When the DNS Client incorrectly processes this malicious response, it corrupts heap memory.
It can be steered to run attacker-controlled code. This can happen in scenarios where the attacker controls or can influence DNS infrastructure, such as a rogue DNS server, a poisoned resolver, a compromised router, a hostile Wi‑Fi network, or a man‑in‑the‑middle position.
Any activity that triggers DNS lookups can serve as an entry point, including web browsing, VPN connections, enterprise applications, update services, and background system processes.
Despite the high severity, Microsoft currently classifies the exploit as “Exploitation Unlikely,” indicating that, while the impact is severe, reliably weaponizing the heap overflow may be technically challenging. There are no public exploits and no evidence of in‑the‑wild attacks at the time of publication.
Affected systems and patches
The flaw affects modern Windows client and server platforms where the vulnerable DNS Client is present, including supported releases of Windows 11 and Windows Server 2022/2025.
Microsoft has shipped fixes as part of the May 2026 Patch Tuesday, with updates available through cumulative updates and catalog downloads.
Administrators should deploy the relevant May 12, 2026, security updates and ensure systems are fully rebooted so that the patched dnsapi.dll is loaded.
Security guidance from multiple vendors recommends prioritizing roaming endpoints, administrator workstations, systems exposed to untrusted networks, and any devices with delayed patch cycles.
Organizations should also restrict DNS traffic to trusted resolvers where feasible and monitor for unusual DNS patterns that might signal exploit attempts or reconnaissance.
Even with exploitation currently rated as unlikely, the combination of remote reach, no authentication, and critical impact means this bug should be treated as a high‑priority patching issue rather than a theoretical risk.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
