CVE-2026-50355: Patch AD FS DoS With July 14 Server Updates

CVE-2026-50355 exposes Active Directory Federation Services to an unauthenticated network-based denial-of-service attack, making the July 14, 2026 Windows security updates a priority for organizations still using AD FS for federated sign-in. Microsoft rates the vulnerability Important with a CVSS 3.1 base score of 7.5 and identifies the underlying weakness as a stack-based buffer overflow.
Detailed in Microsoft’s Security Update Guide and published through the CVE program on July 14, the flaw can be triggered remotely without credentials or user interaction. A successful attack does not expose data or modify the federation service, but it can cause a high-impact loss of availability—potentially interrupting authentication for every application that depends on the affected AD FS deployment.
Microsoft has issued an official fix, and the report-confidence component of its temporal scoring is Confirmed. That classification means the vendor has verified the vulnerability’s existence and has sufficient technical evidence to reproduce or validate it; it does not mean exploitation has been observed in production.

Cyberattack traffic strikes a server while secure infrastructure and a shielded recovery system defend it.A Network Attack Against the Sign-In Tier​

Microsoft describes CVE-2026-50355 as a stack-based buffer overflow in Windows Active Directory Federation Services. The CVSS vector—AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H—shows why administrators should not dismiss the issue simply because it is classified as denial of service rather than remote code execution.
The attack can be delivered over a network, has low complexity, requires no privileges, and needs no action from a user. Microsoft assigns no confidentiality or integrity impact, but rates the availability impact as high. In practical terms, an attacker may be able to disrupt the AD FS service without first obtaining an account.
That distinction matters because AD FS often sits directly in an organization’s authentication path. An outage can prevent users, partners, or applications from obtaining federation tokens even when Active Directory Domain Services, application servers, and user credentials remain otherwise healthy.
The result may resemble a broad identity incident rather than a conventional server crash. Microsoft 365 tenants that have moved fully to cloud authentication may not depend on AD FS, but organizations using federated domains, legacy claims-aware applications, Web Application Proxy, or partner federation can still have substantial operational exposure.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment records no known exploitation as of July 14, while marking exploitation as automatable. Microsoft’s temporal vector also characterizes exploit-code maturity as unproven and indicates that an official remediation is available. There was no public evidence at publication time that CVE-2026-50355 itself was being used in attacks.
That status should not be confused with CVE-2026-56155, a separate AD FS elevation-of-privilege vulnerability addressed in the same Patch Tuesday release and reported as actively exploited. July’s unusually large security release contains several AD FS fixes, making accurate CVE tracking important when reviewing alerts and vulnerability-scanner results.

Supported and Extended-Support Servers Need the July Builds​

The CVE record lists affected code across Windows Server 2012 through Windows Server 2025, including several Server Core installations. Microsoft’s affected-version data establishes the following patched build thresholds:
  • Windows Server 2016 and Windows 10 version 1607 are protected at build 14393.9339 or later.
  • Windows Server 2019 and Windows 10 version 1809 are protected at build 17763.9020 or later.
  • Windows Server 2022 is protected at build 20348.5386 or later.
  • Windows Server 2025 is protected at build 26100.33158 or later.
  • Windows Server 2012 must reach build 9200.26226 through its applicable Extended Security Update channel.
  • Windows Server 2012 R2 must reach build 9600.23291 through its applicable Extended Security Update channel.
For currently supported server releases, the principal July cumulative packages include KB5099535 for Windows Server 2016, KB5099538 for Windows Server 2019, KB5099540 for Windows Server 2022, and KB5099536 for Windows Server 2025. These packages move the operating systems to the patched builds identified in Microsoft’s CVE data.
Windows 10 Enterprise LTSC variants appear in the affected records because they share servicing branches and components with corresponding Windows Server releases. That does not mean an ordinary Windows 10 workstation is functioning as an AD FS federation server. Asset owners should evaluate whether the affected feature is installed and exposed rather than treating every listed client build as an identically reachable target.
The Server Core entries deserve attention. Although Server Core reduces the installed interface and attack surface, it does not automatically eliminate vulnerabilities in enabled server roles. An AD FS deployment running on a listed Core installation still needs the appropriate cumulative update.
Administrators maintaining Windows Server 2012 or Server 2012 R2 face an additional constraint: those systems require eligible Extended Security Updates to receive current fixes. A legacy federation node that no longer receives ESU patches is not adequately protected merely because it remains functional.

Patch the Federation Farm, Not Just the Primary Node​

Updating only the active or most visible federation server is insufficient. Administrators should inventory every AD FS node, Web Application Proxy relationship, standby server, disaster-recovery instance, test federation farm, and externally accessible endpoint before declaring remediation complete.
For a load-balanced farm, patching can usually be staged to preserve authentication availability. Remove one node from rotation, install the applicable July cumulative update, restart if required, validate the AD FS service and token issuance, and then return the server to service before proceeding to the next node.
Post-update checks should cover more than whether the Windows service starts. Teams should verify federation metadata, certificate access, relying-party trust authentication, claims issuance, proxy connectivity, and any monitoring probes that exercise real sign-in flows. Event Viewer logs under AD FS/Admin and related application channels can help identify failures that a basic port check would miss.
The July packages also contain changes beyond CVE-2026-50355. Windows Server 2022, for example, has a documented BitLocker-related issue affecting a limited set of systems with an unrecommended Group Policy configuration, while multiple server releases introduce networking hardening around third-party TDI transports. Those considerations justify normal testing, but they do not provide a reason to leave Internet-facing federation services on vulnerable builds.
Where immediate deployment is impossible, reducing unnecessary exposure is the sensible interim measure. Access controls, upstream rate limiting, reverse-proxy monitoring, and segmentation may reduce opportunities for abuse, but Microsoft has not presented those controls as substitutes for the official update. Because the vulnerable service processes network input and exploitation requires neither authentication nor user interaction, perimeter filtering alone may be unreliable.

Confirmed Does Not Mean Exploited​

The report-confidence text attached to CVE-2026-50355 describes the certainty of the technical finding, not its prevalence in attacks. Microsoft’s Confirmed rating indicates that the vulnerability and its details have been validated by the vendor or supported by reproducible evidence.
That confidence also implies that would-be attackers have a clearer technical starting point than they would with a speculative or uncorroborated report. At the same time, the exploit-code maturity rating remains unproven, and neither Microsoft nor CISA initially identified active exploitation of this specific CVE.
For defenders, the correct balance is neither panic nor delay. CVE-2026-50355 is not presently characterized as a zero-day under attack, but it targets an identity service, is reachable over a network, requires no credentials, and can cause a high-impact availability failure.
Organizations should therefore move AD FS servers to the July 14, 2026 patched builds during the next controlled maintenance window—and sooner where federation endpoints are exposed to untrusted networks. The concrete test is straightforward: every AD FS node should report a build at or above Microsoft’s fixed threshold and successfully issue tokens after the update.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top