CVE-2022-38026: Windows DHCP Client Info Disclosure Flaw

CVE-2022-38026 Overview

CVE-2022-38026 is an information disclosure vulnerability in the Windows Dynamic Host Configuration Protocol (DHCP) Client component. The flaw affects a broad range of Microsoft Windows desktop and server operating systems, from Windows 7 through Windows 11 and Windows Server 2008 through Windows Server 2022. An authenticated local attacker with low privileges can leverage the vulnerability to read memory contents that should remain protected. Microsoft addressed the issue as part of its October 2022 Patch Tuesday release.

Critical Impact
A local, authenticated attacker can disclose sensitive information from the DHCP Client service, potentially exposing data that supports further attacks on the host.

Affected Products

Microsoft Windows 10 (multiple builds: 1607, 1809, 20H2, 21H1, 21H2)
Microsoft Windows 11 (original release and 22H2, x64 and ARM64)
Microsoft Windows 7 SP1, Windows 8.1, and Windows RT 8.1
Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and 2022

Discovery Timeline

2022-10-11 - CVE-2022-38026 published to NVD and addressed in Microsoft's October 2022 security updates
2025-01-02 - Last updated in NVD database

Technical Details for CVE-2022-38026

Vulnerability Analysis

The vulnerability resides in the Windows DHCP Client service, which is responsible for negotiating IP address leases and related network configuration from DHCP servers. The flaw allows a local actor to obtain information that the service should keep confidential. Confidentiality impact is rated high, while integrity and availability are unaffected. Successful exploitation does not modify system state but exposes data that may include memory contents, configuration values, or other artifacts handled by the DHCP Client.

Root Cause

Microsoft classified the issue under NVD-CWE-noinfo, and the vendor advisory does not disclose specific implementation details. Information disclosure vulnerabilities in network client services of this type typically arise from improper bounds checking, uninitialized memory being returned to callers, or insufficient access controls on data structures shared between privileged and unprivileged components.

Attack Vector

Exploitation requires local access and low-level user privileges on the target system. No user interaction is required, and the attack complexity is low. The attacker must already have a foothold on the host, for example through a compromised user account or another initial-access vector. The vulnerability is most useful as a secondary capability in a multi-stage intrusion, where disclosed data supports privilege escalation or lateral movement. Network-based remote exploitation is not possible because the attack vector is local.

No public proof-of-concept code, exploit, or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Advisory CVE-2022-38026 for vendor technical details.

Detection Methods for CVE-2022-38026

Indicators of Compromise

No public indicators of compromise have been published for this vulnerability.
Unexpected access patterns to the DHCP Client service (dhcpcsvc.dll, dhcpcore.dll) by non-system processes may warrant review.
Unusual local process activity from low-privilege user accounts attempting to interact with networking services should be investigated.

Detection Strategies

Inventory all Windows endpoints and servers to confirm October 2022 cumulative updates are installed; missing patches are the primary detectable risk indicator.
Hunt for anomalous local processes invoking DHCP-related APIs or opening handles to the DHCP Client service from non-administrative contexts.
Correlate local information-gathering behavior with subsequent privilege escalation attempts to identify multi-stage attack chains.

Monitoring Recommendations

Enable Windows Security event logging for service access and object access events to surface unusual interactions with the DHCP Client service.
Monitor patch compliance reporting from configuration management tools to ensure October 2022 updates are deployed across all affected SKUs.
Track local privilege escalation attempts following any suspected information disclosure activity, as attackers commonly chain these techniques.

How to Mitigate CVE-2022-38026

Immediate Actions Required

Apply the October 2022 Microsoft security update for every affected Windows desktop and server SKU listed in the advisory.
Prioritize patching on multi-user systems, terminal servers, and shared workstations where local low-privilege access is most likely.
Audit local user accounts and remove unnecessary interactive logon rights to reduce the population of users able to exploit a local flaw.
Validate patch deployment status with configuration management or vulnerability scanning tools and remediate any gaps.

Patch Information

Microsoft released fixes for CVE-2022-38026 as part of the October 11, 2022 Patch Tuesday updates. Patches are available for all supported affected products through Windows Update, WSUS, and the Microsoft Update Catalog. Refer to the Microsoft Update Guide CVE-2022-38026 for the specific KB articles applicable to each Windows version.

Workarounds

Microsoft has not published an official workaround; applying the security update is the supported remediation.
Enforce least-privilege principles and restrict local logon to trusted administrative users where feasible.
Disable the DHCP Client service on systems with static network configuration if operationally acceptable, recognizing that this will break automatic network configuration.

bash

# Verify the DHCP Client service status and patch level on Windows
Get-Service -Name Dhcp | Select-Object Name, Status, StartType
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20