Microsoft has patched CVE-2026-50411, a remotely reachable denial-of-service vulnerability in Active Directory Federation Services that can be triggered by an unauthenticated attacker. The flaw carries a CVSS 3.1 base score of 7.5 and should move quickly through the patch queue wherever AD FS remains part of an organization’s authentication path.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is identified as a stack-based buffer overflow in AD FS. Microsoft’s assessment says exploitation can occur over a network, requires no privileges or user interaction, and can cause a high-impact loss of availability.
The National Vulnerability Database lists the issue as awaiting further enrichment but reproduces Microsoft’s technical classification and affected-version data. CISA’s initial assessment records no known exploitation while describing the attack as automatable, meaning administrators should not treat the absence of observed attacks as a reason to delay deployment.
CVE-2026-50411 is classified under CWE-121, stack-based buffer overflow. In practical terms, AD FS fails to handle certain attacker-controlled data safely, allowing a remote party to disrupt the service rather than steal information or execute code.
Microsoft’s CVSS vector is
Microsoft assigns no confidentiality or integrity impact. CVE-2026-50411 is therefore not documented as a route to token theft, arbitrary code execution, federation configuration changes, or direct domain compromise.
Availability is the concern. An attacker who can reach the vulnerable AD FS interface could reportedly force the affected service into a denial-of-service condition, potentially interrupting authentication for applications that continue to depend on the federation server.
That distinction does not make the bug harmless. In an AD FS deployment, availability is often inseparable from business access: users may be unable to authenticate to relying-party applications, externally published services, or older hybrid environments even though the underlying accounts and application data remain intact.
Microsoft has marked the report confidence as confirmed. That means the vendor considers the vulnerability’s existence and technical basis established, rather than speculative or based solely on an unverified third-party report.
Administrators should identify every AD FS farm member and every path through which federation endpoints can be reached. That inventory should include staging nodes, disaster-recovery systems, externally facing proxy servers, and federation infrastructure retained for a small number of legacy applications.
Redundancy may reduce the immediate impact of a single service failure, but it is not a substitute for patching. If each node in an AD FS farm processes the same malicious input incorrectly, an attacker may be able to repeat the request against multiple servers or continue causing disruption as load balancers move traffic between them.
The CVSS score also assumes low attack complexity. Microsoft has not publicly documented the malformed input or released proof-of-concept instructions, but the scoring indicates that exploitation does not rely on a race condition, unusual timing, or another difficult prerequisite.
Security teams should watch for repeated service crashes, unexpected AD FS restarts, sudden health-probe failures, and bursts of malformed traffic directed at federation endpoints. Those symptoms would not prove exploitation of CVE-2026-50411, but they would justify preserving logs and investigating the source traffic rather than treating the event as an ordinary application fault.
CISA’s initial SSVC information marks exploitation as “none” and technical impact as partial. As of July 15, 2026, there is no public indication that the vulnerability has been used in active attacks, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
The relevant corrected build floors include:
For enterprise response, the systems actually running AD FS or supporting its published access path deserve priority. Endpoint-management teams should still deploy the July cumulative updates according to their normal security baseline, but identity administrators need to separately verify that every federation server has reached its corrected build.
Organizations running Windows Server 2012 or Windows Server 2012 R2 must also account for their servicing status. Those releases require the appropriate Extended Security Updates entitlement or another supported update arrangement, and their continued presence in an authentication architecture should already be considered a migration risk.
A restart may be required as part of cumulative-update installation. AD FS farms should therefore be patched in a controlled sequence that preserves authentication capacity, with each node removed from load balancing, updated, restarted, validated, and returned to service before work begins on the next node.
Post-update testing should cover both internal and external authentication paths. That includes sign-in through Web Application Proxy where deployed, token issuance to representative relying parties, certificate-dependent operations, and monitoring or load-balancer health checks.
The July 2026 Windows Server updates contain changes beyond CVE-2026-50411. Microsoft’s release notes also describe AD FS Distributed Key Manager permission hardening associated with CVE-2026-56155, alongside networking, Secure Boot, Remote Desktop and OLE Automation changes on applicable versions.
That wider update scope argues for a short validation cycle rather than blind installation across an entire farm. It does not justify postponing the security fix: the safer approach is to test one representative node promptly, observe federation and application behavior, and then complete deployment across the remaining servers.
Temporary network restrictions can reduce exposure where emergency patching is impossible. Administrators can limit federation endpoints to trusted networks, place additional filtering in front of external services, or disable an unnecessary publication path, but Microsoft has not presented those measures as complete remediation for the buffer overflow.
Installing the July 14 cumulative updates is the corrective action. Organizations should treat internet-reachable AD FS servers as the first deployment group, verify the fixed build on every farm member, and retain heightened monitoring until all federation and proxy nodes have been updated.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability is identified as a stack-based buffer overflow in AD FS. Microsoft’s assessment says exploitation can occur over a network, requires no privileges or user interaction, and can cause a high-impact loss of availability.
The National Vulnerability Database lists the issue as awaiting further enrichment but reproduces Microsoft’s technical classification and affected-version data. CISA’s initial assessment records no known exploitation while describing the attack as automatable, meaning administrators should not treat the absence of observed attacks as a reason to delay deployment.
A Malformed Request Can Become an Authentication Outage
CVE-2026-50411 is classified under CWE-121, stack-based buffer overflow. In practical terms, AD FS fails to handle certain attacker-controlled data safely, allowing a remote party to disrupt the service rather than steal information or execute code.Microsoft’s CVSS vector is
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. That assessment gives administrators a concise picture of the exposure: the attack is network-based, has low complexity, requires no existing account, and does not depend on a user opening a file or visiting a website.Microsoft assigns no confidentiality or integrity impact. CVE-2026-50411 is therefore not documented as a route to token theft, arbitrary code execution, federation configuration changes, or direct domain compromise.
Availability is the concern. An attacker who can reach the vulnerable AD FS interface could reportedly force the affected service into a denial-of-service condition, potentially interrupting authentication for applications that continue to depend on the federation server.
That distinction does not make the bug harmless. In an AD FS deployment, availability is often inseparable from business access: users may be unable to authenticate to relying-party applications, externally published services, or older hybrid environments even though the underlying accounts and application data remain intact.
Microsoft has marked the report confidence as confirmed. That means the vendor considers the vulnerability’s existence and technical basis established, rather than speculative or based solely on an unverified third-party report.
Internet-Facing Federation Servers Carry the Immediate Risk
AD FS has historically been deployed with Web Application Proxy servers or equivalent reverse-proxy infrastructure to provide external authentication. Those systems are the obvious starting point for CVE-2026-50411 exposure reviews because the attack does not require credentials.Administrators should identify every AD FS farm member and every path through which federation endpoints can be reached. That inventory should include staging nodes, disaster-recovery systems, externally facing proxy servers, and federation infrastructure retained for a small number of legacy applications.
Redundancy may reduce the immediate impact of a single service failure, but it is not a substitute for patching. If each node in an AD FS farm processes the same malicious input incorrectly, an attacker may be able to repeat the request against multiple servers or continue causing disruption as load balancers move traffic between them.
The CVSS score also assumes low attack complexity. Microsoft has not publicly documented the malformed input or released proof-of-concept instructions, but the scoring indicates that exploitation does not rely on a race condition, unusual timing, or another difficult prerequisite.
Security teams should watch for repeated service crashes, unexpected AD FS restarts, sudden health-probe failures, and bursts of malformed traffic directed at federation endpoints. Those symptoms would not prove exploitation of CVE-2026-50411, but they would justify preserving logs and investigating the source traffic rather than treating the event as an ordinary application fault.
CISA’s initial SSVC information marks exploitation as “none” and technical impact as partial. As of July 15, 2026, there is no public indication that the vulnerability has been used in active attacks, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
July Updates Establish the Safe Build Floor
Microsoft’s affected-product metadata spans supported Windows Server generations from Windows Server 2012 through Windows Server 2025. Server Core installations are included where applicable, so removing the graphical interface does not remove exposure to the underlying vulnerable component.The relevant corrected build floors include:
- Windows Server 2016 is updated to build 14393.9339 through KB5099535.
- Windows Server 2019 is updated to build 17763.9020 through KB5099538.
- Windows Server 2022 is updated to build 20348.5386 through KB5099540.
- Windows Server 2025 is updated to build 26100.33158 through KB5099536.
- Windows Server 2012 must reach build 9200.26226, while Windows Server 2012 R2 must reach build 9600.23291 through their applicable servicing channels.
For enterprise response, the systems actually running AD FS or supporting its published access path deserve priority. Endpoint-management teams should still deploy the July cumulative updates according to their normal security baseline, but identity administrators need to separately verify that every federation server has reached its corrected build.
Organizations running Windows Server 2012 or Windows Server 2012 R2 must also account for their servicing status. Those releases require the appropriate Extended Security Updates entitlement or another supported update arrangement, and their continued presence in an authentication architecture should already be considered a migration risk.
A restart may be required as part of cumulative-update installation. AD FS farms should therefore be patched in a controlled sequence that preserves authentication capacity, with each node removed from load balancing, updated, restarted, validated, and returned to service before work begins on the next node.
Patch Validation Matters More Than a Successful Deployment Status
A management console reporting that a July cumulative update was “installed” is not sufficient evidence that the federation environment is protected. Administrators should confirm the resulting OS build on each AD FS server and verify that nodes are again accepting requests after maintenance.Post-update testing should cover both internal and external authentication paths. That includes sign-in through Web Application Proxy where deployed, token issuance to representative relying parties, certificate-dependent operations, and monitoring or load-balancer health checks.
The July 2026 Windows Server updates contain changes beyond CVE-2026-50411. Microsoft’s release notes also describe AD FS Distributed Key Manager permission hardening associated with CVE-2026-56155, alongside networking, Secure Boot, Remote Desktop and OLE Automation changes on applicable versions.
That wider update scope argues for a short validation cycle rather than blind installation across an entire farm. It does not justify postponing the security fix: the safer approach is to test one representative node promptly, observe federation and application behavior, and then complete deployment across the remaining servers.
Temporary network restrictions can reduce exposure where emergency patching is impossible. Administrators can limit federation endpoints to trusted networks, place additional filtering in front of external services, or disable an unnecessary publication path, but Microsoft has not presented those measures as complete remediation for the buffer overflow.
Installing the July 14 cumulative updates is the corrective action. Organizations should treat internet-reachable AD FS servers as the first deployment group, verify the fixed build on every farm member, and retain heightened monitoring until all federation and proxy nodes have been updated.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com