CVE-2026-50682 exposes Windows Active Directory to a network-delivered denial-of-service attack, allowing an authenticated user to disrupt an affected system without user interaction. Microsoft fixed the Important-rated vulnerability in its July 14, 2026 security updates, making domain controllers and other Windows systems running the vulnerable component a priority for patching.
Detailed in Microsoft’s Security Update Guide and published alongside July’s unusually large Patch Tuesday release, CVE-2026-50682 carries a CVSS 3.1 base score of 7.1. Microsoft describes the underlying weakness as an out-of-bounds read in Windows Active Directory and assesses exploitation as less likely. The company says the vulnerability was neither publicly disclosed nor known to be exploited when the update shipped.
The National Vulnerability Database has recorded the issue as CWE-125, an out-of-bounds read, but was still awaiting its own enrichment analysis as of July 15. The public record consequently confirms the attack conditions and affected releases without documenting the malformed request, protocol operation, or Windows service that reaches the vulnerable code.
Microsoft’s CVSS vector is
That authentication requirement is an important limitation. CVE-2026-50682 is not presented as an unauthenticated internet worm or a direct route to domain administrator privileges. An attacker must already possess valid authorization on the target environment, whether through a compromised account, an insider position, or another intrusion path.
The remaining characteristics are less reassuring. Low attack complexity and no user interaction make a denial-of-service technique easier to incorporate into post-compromise activity. In an Active Directory environment, even a temporary interruption can affect authentication, Group Policy processing, directory lookups, application access, and administrative operations.
Microsoft assigns the flaw high availability impact and low confidentiality impact, with no integrity impact. That combination suggests the out-of-bounds read may expose a limited amount of information while primarily destabilizing or terminating the affected processing path. Microsoft has not said whether exploitation crashes a specific service, forces a domain controller restart, or causes a persistent resource-exhaustion condition, so administrators should not assume a particular failure mode.
The absence of active exploitation lowers the immediate threat level, but it does not make domain-controller downtime acceptable. Attackers who have already obtained ordinary domain credentials may value disruption even when a vulnerability offers no privilege escalation. Denial of service can complicate incident response, interrupt access to security tooling, and increase pressure during a broader intrusion.
The principal patched versions listed for CVE-2026-50682 are:
The inclusion of Windows 10 and Windows 11 in the affected-products list should not be read as evidence that every client PC is acting as a domain controller. Active Directory-related libraries and management components are shared across Windows editions, and Microsoft’s product matrix reflects where vulnerable code is serviced. Domain controllers remain the systems with the clearest business-critical availability exposure, but security teams should evaluate the complete affected inventory rather than filtering only on the words “Windows Server.”
Windows 10 also requires special attention because mainstream support for version 22H2 ended on October 14, 2025. KB5099539 is relevant to systems covered by Extended Security Updates and supported LTSC channels; an unmanaged Windows 10 PC outside an eligible servicing program cannot be assumed to receive the fix simply because the KB exists.
Start with representative domain controllers in a test or lower-risk site, then verify authentication, DNS, LDAP-dependent applications, Kerberos ticket issuance, replication, SYSVOL health, and Group Policy processing after installation and restart. Monitoring should include
The July packages contain changes beyond this CVE, so testing cannot focus exclusively on Active Directory. Microsoft’s Server 2022 release notes warn that a limited set of systems using an unrecommended BitLocker Group Policy configuration may request the recovery key on the first reboot. The condition involves BitLocker-protected operating system drives, explicit PCR7 configuration, a PCR7 binding state reported as “Not Possible,” and transition to the Windows UEFI CA 2023-signed boot manager.
That known issue makes predeployment checks particularly important for remotely managed or physically inaccessible servers. Recovery keys should be escrowed and retrievable before rebooting patched machines. Administrators should also confirm that out-of-band management paths work, especially where domain controllers run in branch offices or restricted data-center segments.
Windows Server 2025’s KB5099536 additionally introduces security hardening for third-party Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after the July update, while registered transports are unaffected. That is not a reason to defer the Active Directory correction indefinitely, but it is a concrete compatibility item to include in pilot testing.
No vendor workaround has emerged as a substitute for installing the security update. Network segmentation, privileged-access controls, and restrictions on who can communicate with domain controllers can reduce exposure, but they do not remove the vulnerable code. Because the attack requires only low privileges, controls designed solely around protecting Domain Admin accounts leave part of the threat model untouched.
Until more technical information becomes available, detection should emphasize unexpected Active Directory service interruptions and the activity surrounding them. Security teams should investigate repeated malformed or failed directory operations, unusual bursts of authenticated traffic to domain controllers, unexplained service terminations, and crashes correlated with a particular user or source host.
Account context matters. Since exploitation requires authorization, an attempted attack should leave some relationship to authenticated activity even if the ultimate denial-of-service event produces limited telemetry. Centralized collection of domain-controller events, network metadata, endpoint detections, and authentication logs will provide more value than relying on one Windows event ID that Microsoft has not identified.
CISA’s initial SSVC entry reported no known exploitation and assessed the vulnerability as not readily automatable, while Microsoft’s exploitability index similarly placed exploitation in the less-likely category. Those assessments support orderly testing rather than emergency isolation, but they are snapshots from July 14. Public analysis of a patched out-of-bounds read can change attacker capability after release.
For administrators, the practical milestone is straightforward: domain controllers should report at least build 20348.5386 on Windows Server 2022 or 26100.33158 on Windows Server 2025 after the July deployment. Organizations that cannot reach those build floors promptly should treat the delay as an identity-service availability risk and compensate with tighter network access, stronger monitoring, and a tested recovery path until patching is complete.
Detailed in Microsoft’s Security Update Guide and published alongside July’s unusually large Patch Tuesday release, CVE-2026-50682 carries a CVSS 3.1 base score of 7.1. Microsoft describes the underlying weakness as an out-of-bounds read in Windows Active Directory and assesses exploitation as less likely. The company says the vulnerability was neither publicly disclosed nor known to be exploited when the update shipped.
The National Vulnerability Database has recorded the issue as CWE-125, an out-of-bounds read, but was still awaiting its own enrichment analysis as of July 15. The public record consequently confirms the attack conditions and affected releases without documenting the malformed request, protocol operation, or Windows service that reaches the vulnerable code.
Authentication Narrows the Door, Not the Operational Impact
Microsoft’s CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H. In practical terms, an attacker can reach the vulnerable code over a network, exploitation requires low complexity, a low-privileged account is required, and no victim needs to click a link or open a file.That authentication requirement is an important limitation. CVE-2026-50682 is not presented as an unauthenticated internet worm or a direct route to domain administrator privileges. An attacker must already possess valid authorization on the target environment, whether through a compromised account, an insider position, or another intrusion path.
The remaining characteristics are less reassuring. Low attack complexity and no user interaction make a denial-of-service technique easier to incorporate into post-compromise activity. In an Active Directory environment, even a temporary interruption can affect authentication, Group Policy processing, directory lookups, application access, and administrative operations.
Microsoft assigns the flaw high availability impact and low confidentiality impact, with no integrity impact. That combination suggests the out-of-bounds read may expose a limited amount of information while primarily destabilizing or terminating the affected processing path. Microsoft has not said whether exploitation crashes a specific service, forces a domain controller restart, or causes a persistent resource-exhaustion condition, so administrators should not assume a particular failure mode.
The absence of active exploitation lowers the immediate threat level, but it does not make domain-controller downtime acceptable. Attackers who have already obtained ordinary domain credentials may value disruption even when a vulnerability offers no privilege escalation. Denial of service can complicate incident response, interrupt access to security tooling, and increase pressure during a broader intrusion.
July Updates Establish the Patched Build Floor
The CVE record identifies Windows client and server releases as affected, including Server Core. Microsoft’s July cumulative updates raise systems beyond the vulnerable build ranges.The principal patched versions listed for CVE-2026-50682 are:
- Windows Server 2022 is protected by KB5099540, which advances the operating system to build 20348.5386.
- Windows Server 2025 and Windows Server 2025 Server Core are protected by KB5099536, which advances them to build 26100.33158.
- Windows 11 versions 24H2 and 25H2 receive KB5101650, reaching builds 26100.8875 and 26200.8875 respectively.
- Windows 11 version 26H1 receives KB5101649, reaching build 28000.2525.
- Eligible Windows 10 version 22H2 and Enterprise LTSC 2021 systems receive KB5099539, reaching builds 19045.7548 and 19044.7548.
The inclusion of Windows 10 and Windows 11 in the affected-products list should not be read as evidence that every client PC is acting as a domain controller. Active Directory-related libraries and management components are shared across Windows editions, and Microsoft’s product matrix reflects where vulnerable code is serviced. Domain controllers remain the systems with the clearest business-critical availability exposure, but security teams should evaluate the complete affected inventory rather than filtering only on the words “Windows Server.”
Windows 10 also requires special attention because mainstream support for version 22H2 ended on October 14, 2025. KB5099539 is relevant to systems covered by Extended Security Updates and supported LTSC channels; an unmanaged Windows 10 PC outside an eligible servicing program cannot be assumed to receive the fix simply because the KB exists.
Patch the Directory Tier With Recovery in View
For enterprise IT, the immediate job is to validate and deploy the July cumulative updates across the domain-controller fleet. A staged rollout remains sensible, but CVE-2026-50682 argues against leaving the directory tier at the back of a lengthy workstation-first schedule.Start with representative domain controllers in a test or lower-risk site, then verify authentication, DNS, LDAP-dependent applications, Kerberos ticket issuance, replication, SYSVOL health, and Group Policy processing after installation and restart. Monitoring should include
dcdiag, repadmin /replsummary, Directory Service events, service availability, and any application-specific checks used by identity-dependent workloads.The July packages contain changes beyond this CVE, so testing cannot focus exclusively on Active Directory. Microsoft’s Server 2022 release notes warn that a limited set of systems using an unrecommended BitLocker Group Policy configuration may request the recovery key on the first reboot. The condition involves BitLocker-protected operating system drives, explicit PCR7 configuration, a PCR7 binding state reported as “Not Possible,” and transition to the Windows UEFI CA 2023-signed boot manager.
That known issue makes predeployment checks particularly important for remotely managed or physically inaccessible servers. Recovery keys should be escrowed and retrievable before rebooting patched machines. Administrators should also confirm that out-of-band management paths work, especially where domain controllers run in branch offices or restricted data-center segments.
Windows Server 2025’s KB5099536 additionally introduces security hardening for third-party Transport Driver Interface transports. Applications using sockets over unregistered third-party TDI transports may stop working after the July update, while registered transports are unaffected. That is not a reason to defer the Active Directory correction indefinitely, but it is a concrete compatibility item to include in pilot testing.
No vendor workaround has emerged as a substitute for installing the security update. Network segmentation, privileged-access controls, and restrictions on who can communicate with domain controllers can reduce exposure, but they do not remove the vulnerable code. Because the attack requires only low privileges, controls designed solely around protecting Domain Admin accounts leave part of the threat model untouched.
Sparse Disclosure Keeps Detection Mostly Behavioral
Microsoft has not published a proof of concept, packet signature, affected protocol method, or detailed crash indicator for CVE-2026-50682. That limits defenders’ ability to write a precise network rule or hunt for one definitive event pattern.Until more technical information becomes available, detection should emphasize unexpected Active Directory service interruptions and the activity surrounding them. Security teams should investigate repeated malformed or failed directory operations, unusual bursts of authenticated traffic to domain controllers, unexplained service terminations, and crashes correlated with a particular user or source host.
Account context matters. Since exploitation requires authorization, an attempted attack should leave some relationship to authenticated activity even if the ultimate denial-of-service event produces limited telemetry. Centralized collection of domain-controller events, network metadata, endpoint detections, and authentication logs will provide more value than relying on one Windows event ID that Microsoft has not identified.
CISA’s initial SSVC entry reported no known exploitation and assessed the vulnerability as not readily automatable, while Microsoft’s exploitability index similarly placed exploitation in the less-likely category. Those assessments support orderly testing rather than emergency isolation, but they are snapshots from July 14. Public analysis of a patched out-of-bounds read can change attacker capability after release.
For administrators, the practical milestone is straightforward: domain controllers should report at least build 20348.5386 on Windows Server 2022 or 26100.33158 on Windows Server 2025 after the July deployment. Organizations that cannot reach those build floors promptly should treat the delay as an identity-service availability risk and compensate with tighter network access, stronger monitoring, and a tested recovery path until patching is complete.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com