Microsoft has patched CVE-2026-50304, a remotely reachable denial-of-service vulnerability in Active Directory Federation Services that requires neither authentication nor user interaction. Organizations still operating AD FS should deploy the July 14, 2026 Windows security updates promptly, particularly where federation endpoints remain reachable from the internet.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, the vulnerability is rated Important with a CVSS 3.1 base score of 7.5. Microsoft describes the underlying weakness as a stack-based buffer overflow that allows an unauthorized attacker to disrupt AD FS over a network.
The National Vulnerability Database lists the flaw as CWE-121, confirming that improperly handled data can overwrite memory allocated on the program stack. The immediate documented consequence is loss of availability rather than data theft, privilege escalation, or remote code execution.
Microsoft’s CVSS vector is
The confidentiality and integrity impact are both scored as none, while availability impact is high. That distinction matters: CVE-2026-50304 is not documented as allowing an attacker to steal federation tokens, modify claims, or take control of the Windows Server host. Its purpose and effect are service disruption.
An AD FS outage can nevertheless have consequences well beyond one failed Windows service. Organizations may still rely on AD FS for authentication to Microsoft 365, third-party software-as-a-service platforms, internally hosted applications, business partner federations, and older applications built around WS-Federation or SAML.
If the affected federation service becomes unavailable, users may be unable to initiate new sessions even when the applications themselves remain healthy. Existing sessions and cached credentials may soften the immediate impact in some environments, but that behavior varies by application, token lifetime, authentication path, and fallback configuration.
Microsoft has marked the vulnerability’s report confidence as confirmed. That means the vendor has acknowledged the flaw and considers the available technical evidence sufficient to establish that it exists; it does not mean public exploit code is available.
CISA’s initial SSVC data listed exploitation as “none,” while describing the vulnerability as automatable with partial technical impact. As of the July 14 disclosure, there was no indication in the public Microsoft or NVD records that CVE-2026-50304 was being exploited in the wild.
The principal July 2026 build thresholds identified in Microsoft’s CVE data are:
The appearance of a Windows version in the affected list does not mean every machine running that version presents an exploitable federation endpoint. The practical exposure centers on systems running the AD FS role, especially federation servers and externally published deployments accepting untrusted network traffic.
AD FS farms also require coordinated servicing. Patching only one node may leave the farm exposed through other federation servers still receiving traffic behind a load balancer, while taking every node down simultaneously can create the outage administrators are trying to prevent.
A staged rollout should therefore drain one node, install the cumulative update, restart it where required, validate federation behavior, and then repeat the process across the remaining nodes. Web Application Proxy servers, load-balancer health probes, and any externally published authentication paths should be included in post-update testing.
After installing the July updates, administrators should test representative relying-party applications rather than limiting validation to the AD FS management console. Useful checks include interactive sign-in, integrated Windows authentication where deployed, multifactor authentication handoffs, SAML and WS-Federation applications, token issuance, sign-out behavior, and access through Web Application Proxy.
Operational monitoring should also look for unexpected termination or restart of the AD FS Windows service, abrupt failures across multiple relying parties, elevated error rates, and repeated malformed requests reaching federation endpoints. Because the documented attack is network-based and unauthenticated, edge telemetry may provide useful evidence even when application logs do not explain the original malformed input.
Rate limiting and network filtering can provide defense in depth, but they are not substitutes for the update. A low-complexity attack may not resemble a conventional high-volume distributed denial-of-service event; a comparatively small number of crafted requests could exploit unsafe memory handling inside the service.
Organizations unable to patch immediately should reduce unnecessary exposure and confirm that only required AD FS endpoints are published. Any temporary restriction must be tested carefully, since blocking a legitimate federation endpoint can produce the same user-visible result as a successful denial-of-service attack.
CVE-2026-50304 is also only one of several AD FS vulnerabilities addressed in Microsoft’s July 2026 release. That broader concentration of fixes strengthens the case for deploying the complete cumulative Windows update rather than treating this CVE as an isolated defect with a narrowly targeted workaround.
For security teams, the priority calculation is straightforward. There was no publicly reported exploitation at disclosure, but the attack requires no account, no user action, and little apparent complexity. The affected service can also sit directly in the authentication path for numerous business applications.
Administrators should use the July 14 updates to bring every AD FS farm member to the corrected build, verify that externally published nodes are not missed, and test real authentication flows before closing the change window. The unresolved issue is not whether Microsoft has confirmed the vulnerability—it has—but how many organizations still depend on an internet-facing AD FS deployment they no longer inventory as critical infrastructure.
Detailed in Microsoft’s Security Update Guide and published with the July 2026 Patch Tuesday release, the vulnerability is rated Important with a CVSS 3.1 base score of 7.5. Microsoft describes the underlying weakness as a stack-based buffer overflow that allows an unauthorized attacker to disrupt AD FS over a network.
The National Vulnerability Database lists the flaw as CWE-121, confirming that improperly handled data can overwrite memory allocated on the program stack. The immediate documented consequence is loss of availability rather than data theft, privilege escalation, or remote code execution.
A Low-Complexity Attack Against an Identity Dependency
Microsoft’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, the attack can be launched across a network, has low complexity, requires no privileges, and does not depend on a user opening a file or clicking a link.The confidentiality and integrity impact are both scored as none, while availability impact is high. That distinction matters: CVE-2026-50304 is not documented as allowing an attacker to steal federation tokens, modify claims, or take control of the Windows Server host. Its purpose and effect are service disruption.
An AD FS outage can nevertheless have consequences well beyond one failed Windows service. Organizations may still rely on AD FS for authentication to Microsoft 365, third-party software-as-a-service platforms, internally hosted applications, business partner federations, and older applications built around WS-Federation or SAML.
If the affected federation service becomes unavailable, users may be unable to initiate new sessions even when the applications themselves remain healthy. Existing sessions and cached credentials may soften the immediate impact in some environments, but that behavior varies by application, token lifetime, authentication path, and fallback configuration.
Microsoft has marked the vulnerability’s report confidence as confirmed. That means the vendor has acknowledged the flaw and considers the available technical evidence sufficient to establish that it exists; it does not mean public exploit code is available.
CISA’s initial SSVC data listed exploitation as “none,” while describing the vulnerability as automatable with partial technical impact. As of the July 14 disclosure, there was no indication in the public Microsoft or NVD records that CVE-2026-50304 was being exploited in the wild.
Supported Server Generations Receive the Fix
The affected-product data spans Windows Server 2012 through Windows Server 2025, including corresponding Server Core entries where applicable. Windows 10 Version 1607 and Windows 10 Version 1809 also appear in the CVE record because they share servicing branches with Windows Server releases.The principal July 2026 build thresholds identified in Microsoft’s CVE data are:
- Windows Server 2016 and Windows 10 Version 1607 are protected at OS build 14393.9339, delivered through KB5099535.
- Windows Server 2019 and Windows 10 Version 1809 are protected at OS build 17763.9020, delivered through KB5099538.
- Windows Server 2022 is protected at OS build 20348.5386, delivered through KB5099540.
- Windows Server 2025 is protected at OS build 26100.33158, delivered through KB5099536.
- Windows Server 2012 must be updated to at least build 9200.26226 through its applicable Extended Security Updates channel.
- Windows Server 2012 R2 must be updated to at least build 9600.23291 through its applicable Extended Security Updates channel.
The appearance of a Windows version in the affected list does not mean every machine running that version presents an exploitable federation endpoint. The practical exposure centers on systems running the AD FS role, especially federation servers and externally published deployments accepting untrusted network traffic.
AD FS farms also require coordinated servicing. Patching only one node may leave the farm exposed through other federation servers still receiving traffic behind a load balancer, while taking every node down simultaneously can create the outage administrators are trying to prevent.
A staged rollout should therefore drain one node, install the cumulative update, restart it where required, validate federation behavior, and then repeat the process across the remaining nodes. Web Application Proxy servers, load-balancer health probes, and any externally published authentication paths should be included in post-update testing.
The Patch Window Needs Identity-Aware Testing
Standard operating-system checks are not enough for an AD FS deployment. A server can return to a healthy Windows state while authentication remains broken because of certificate access, proxy trust, endpoint configuration, or application-specific claim processing.After installing the July updates, administrators should test representative relying-party applications rather than limiting validation to the AD FS management console. Useful checks include interactive sign-in, integrated Windows authentication where deployed, multifactor authentication handoffs, SAML and WS-Federation applications, token issuance, sign-out behavior, and access through Web Application Proxy.
Operational monitoring should also look for unexpected termination or restart of the AD FS Windows service, abrupt failures across multiple relying parties, elevated error rates, and repeated malformed requests reaching federation endpoints. Because the documented attack is network-based and unauthenticated, edge telemetry may provide useful evidence even when application logs do not explain the original malformed input.
Rate limiting and network filtering can provide defense in depth, but they are not substitutes for the update. A low-complexity attack may not resemble a conventional high-volume distributed denial-of-service event; a comparatively small number of crafted requests could exploit unsafe memory handling inside the service.
Organizations unable to patch immediately should reduce unnecessary exposure and confirm that only required AD FS endpoints are published. Any temporary restriction must be tested carefully, since blocking a legitimate federation endpoint can produce the same user-visible result as a successful denial-of-service attack.
AD FS Remains a High-Impact Legacy Dependency
Microsoft has steadily moved customers toward Microsoft Entra ID and cloud-native authentication, but AD FS remains embedded in many hybrid and application-heavy estates. Its declining visibility can itself become a risk when federation servers fall outside the most closely monitored identity and patch-management workflows.CVE-2026-50304 is also only one of several AD FS vulnerabilities addressed in Microsoft’s July 2026 release. That broader concentration of fixes strengthens the case for deploying the complete cumulative Windows update rather than treating this CVE as an isolated defect with a narrowly targeted workaround.
For security teams, the priority calculation is straightforward. There was no publicly reported exploitation at disclosure, but the attack requires no account, no user action, and little apparent complexity. The affected service can also sit directly in the authentication path for numerous business applications.
Administrators should use the July 14 updates to bring every AD FS farm member to the corrected build, verify that externally published nodes are not missed, and test real authentication flows before closing the change window. The unresolved issue is not whether Microsoft has confirmed the vulnerability—it has—but how many organizations still depend on an internet-facing AD FS deployment they no longer inventory as critical infrastructure.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com