CVE-2026-50424 allows an unauthenticated attacker to knock a vulnerable Windows Server 2025 domain controller offline by sending malicious network traffic. Microsoft fixed the flaw in the July 14, 2026 security update, making KB5099536 and OS build 26100.33158 the immediate deployment target for affected domain controllers.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the vulnerability is an untrusted pointer dereference tracked as CWE-822. Microsoft rates it Important with a CVSS 3.1 base score of 7.5 and a temporal score of 6.5.
There is no indication that CVE-2026-50424 was publicly disclosed or exploited before the patch arrived. SANS Internet Storm Center’s July 2026 Patch Tuesday inventory also records no known disclosure or exploitation, but the attack characteristics leave little room for complacency: exploitation is remote, low-complexity, requires no privileges, and needs no user interaction.
The CVSS vector is
That distinction matters technically, but it offers limited comfort when the target is a domain controller. Active Directory Domain Services sits behind user and computer authentication, Group Policy processing, Kerberos ticket issuance, LDAP queries, service discovery, and many application dependencies that administrators may not immediately associate with a particular DC.
A denial-of-service attack against one domain controller should not take down a properly designed domain with multiple healthy, correctly placed replicas. It can still create substantial disruption if the affected server holds operations master roles, serves a poorly connected site, supplies DNS to local clients, or is the only Global Catalog available to an application or location.
The attack’s network classification does not necessarily mean that every vulnerable DC is directly exposed to the public internet. It means an attacker can reach the vulnerable component over a network rather than requiring local execution. A compromised workstation, malicious device, breached VPN account, or attacker already positioned inside a server segment could therefore provide the necessary path.
Microsoft’s public description does not identify the precise protocol, packet structure, service process, or recovery behavior involved. It is consequently unclear from the advisory alone whether exploitation crashes a service, forces the operating system to restart, leaves the DC unresponsive, or permits repeated requests to keep the server unavailable.
That missing detail should discourage speculative firewall rules. Without a confirmed port or protocol, administrators cannot safely assume that blocking one familiar Active Directory service provides an effective workaround.
Microsoft’s CVSS assessment says the attacker does not need a domain account, elevated permissions, or cooperation from a signed-in user. Attack complexity is also Low, indicating that exploitation does not depend on an unusually narrow race condition or extensive preparation outside the attacker’s control.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data marks the attack as automatable, with partial technical impact and no known exploitation at publication. That combination is relevant to defenders: even when a denial-of-service flaw does not provide code execution, a repeatable network trigger can be incorporated into scanning or disruption tools once researchers or attackers reconstruct the patched code.
The advisory’s confirmed report-confidence metric means Microsoft has verified the vulnerability and supplied an official correction. It does not mean that proof-of-concept code is publicly available, nor does it disclose enough technical information to establish how quickly a working exploit might appear.
CVE-2026-50424 should therefore be treated as a credible availability vulnerability with a patch, not as evidence of an ongoing domain compromise. Organizations investigating unexplained DC outages should retain crash dumps, Windows Error Reporting records, network captures, and System, Directory Service, DNS Server, and Security event logs rather than assuming every failure is exploitation.
Windows 11 versions 24H2, 25H2, and 26H1 also appear in the affected-product metadata because they share Windows components and servicing code. Ordinary Windows 11 PCs cannot be promoted to Active Directory domain controllers, so their appearance should not be interpreted as equivalent operational exposure.
For supported Windows 11 24H2 and 25H2 systems, KB5101650 moves the operating systems to builds 26100.8875 and 26200.8875. Windows 11 26H1 receives the July security baseline through KB5101649 and build 28000.2525, although early CVE metadata contains an apparent boundary discrepancy referencing the older 28000.2269 build.
The immediate infrastructure concern remains Windows Server 2025 machines running the Active Directory Domain Services role. Microsoft’s published affected list does not currently identify Windows Server 2022, Windows Server 2019, or Windows Server 2016 for this specific CVE, although those releases have their own July cumulative updates and should still be patched for the month’s other vulnerabilities.
Administrators can verify a Windows Server 2025 installation with
Even so, domain controllers should be updated as a coordinated service rather than as an undifferentiated batch of Windows servers. Rebooting every DC simultaneously can reproduce the availability failure that the patch is meant to prevent.
A sensible deployment sequence is to update one redundant DC first, confirm that it returns to service, and then proceed site by site while preserving authentication and DNS capacity. Before moving to the next server, administrators should check Active Directory replication, SYSVOL and NETLOGON shares, DNS registration, Kerberos authentication, Global Catalog availability, and any applications pinned to specific LDAP endpoints.
Network controls still provide useful defense in depth. Domain-controller ports should be reachable only from systems and segments that genuinely require them, and perimeter exposure should be eliminated. Segmentation cannot replace the update because an attacker who compromises an allowed internal endpoint may still be able to reach the vulnerable service.
The lack of known exploitation on July 14 lowers the case for an emergency shutdown or indiscriminate isolation of healthy DCs. It does not justify leaving Windows Server 2025 domain controllers below build 26100.33158, particularly when the flaw is unauthenticated, network-accessible, low-complexity, and potentially automatable.
The next meaningful milestone is broader technical disclosure: a proof of concept, crash analysis, or Microsoft revision identifying the affected protocol would sharpen detection and mitigation options. Until then, the reliable action is straightforward—deploy KB5099536 through a redundancy-aware maintenance plan and verify every Windows Server 2025 domain controller reaches build 26100.33158.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the vulnerability is an untrusted pointer dereference tracked as CWE-822. Microsoft rates it Important with a CVSS 3.1 base score of 7.5 and a temporal score of 6.5.
There is no indication that CVE-2026-50424 was publicly disclosed or exploited before the patch arrived. SANS Internet Storm Center’s July 2026 Patch Tuesday inventory also records no known disclosure or exploitation, but the attack characteristics leave little room for complacency: exploitation is remote, low-complexity, requires no privileges, and needs no user interaction.
Availability Is the Only CVSS Impact — and the Entire Operational Risk
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, Microsoft is not describing a route to steal Active Directory data, modify directory objects, or execute code on the server. The documented effect is a complete loss of availability for the affected component.That distinction matters technically, but it offers limited comfort when the target is a domain controller. Active Directory Domain Services sits behind user and computer authentication, Group Policy processing, Kerberos ticket issuance, LDAP queries, service discovery, and many application dependencies that administrators may not immediately associate with a particular DC.
A denial-of-service attack against one domain controller should not take down a properly designed domain with multiple healthy, correctly placed replicas. It can still create substantial disruption if the affected server holds operations master roles, serves a poorly connected site, supplies DNS to local clients, or is the only Global Catalog available to an application or location.
The attack’s network classification does not necessarily mean that every vulnerable DC is directly exposed to the public internet. It means an attacker can reach the vulnerable component over a network rather than requiring local execution. A compromised workstation, malicious device, breached VPN account, or attacker already positioned inside a server segment could therefore provide the necessary path.
Microsoft’s public description does not identify the precise protocol, packet structure, service process, or recovery behavior involved. It is consequently unclear from the advisory alone whether exploitation crashes a service, forces the operating system to restart, leaves the DC unresponsive, or permits repeated requests to keep the server unavailable.
That missing detail should discourage speculative firewall rules. Without a confirmed port or protocol, administrators cannot safely assume that blocking one familiar Active Directory service provides an effective workaround.
The Pointer Error Requires No Credentials
An untrusted pointer dereference occurs when software uses a pointer value derived from input that has not been adequately validated. Depending on the implementation and memory state, dereferencing that value can cause an exception or another fatal condition that terminates the process handling the request.Microsoft’s CVSS assessment says the attacker does not need a domain account, elevated permissions, or cooperation from a signed-in user. Attack complexity is also Low, indicating that exploitation does not depend on an unusually narrow race condition or extensive preparation outside the attacker’s control.
CISA’s initial Stakeholder-Specific Vulnerability Categorization data marks the attack as automatable, with partial technical impact and no known exploitation at publication. That combination is relevant to defenders: even when a denial-of-service flaw does not provide code execution, a repeatable network trigger can be incorporated into scanning or disruption tools once researchers or attackers reconstruct the patched code.
The advisory’s confirmed report-confidence metric means Microsoft has verified the vulnerability and supplied an official correction. It does not mean that proof-of-concept code is publicly available, nor does it disclose enough technical information to establish how quickly a working exploit might appear.
CVE-2026-50424 should therefore be treated as a credible availability vulnerability with a patch, not as evidence of an ongoing domain compromise. Organizations investigating unexplained DC outages should retain crash dumps, Windows Error Reporting records, network captures, and System, Directory Service, DNS Server, and Security event logs rather than assuming every failure is exploitation.
Windows Server 2025 Is the Critical Patch Target
The initial structured CVE record lists Windows Server 2025 and Windows Server 2025 Server Core installations as affected below build 26100.33158. Microsoft supplies that corrected build through KB5099536, released July 14 as the monthly cumulative security update.Windows 11 versions 24H2, 25H2, and 26H1 also appear in the affected-product metadata because they share Windows components and servicing code. Ordinary Windows 11 PCs cannot be promoted to Active Directory domain controllers, so their appearance should not be interpreted as equivalent operational exposure.
For supported Windows 11 24H2 and 25H2 systems, KB5101650 moves the operating systems to builds 26100.8875 and 26200.8875. Windows 11 26H1 receives the July security baseline through KB5101649 and build 28000.2525, although early CVE metadata contains an apparent boundary discrepancy referencing the older 28000.2269 build.
The immediate infrastructure concern remains Windows Server 2025 machines running the Active Directory Domain Services role. Microsoft’s published affected list does not currently identify Windows Server 2022, Windows Server 2019, or Windows Server 2016 for this specific CVE, although those releases have their own July cumulative updates and should still be patched for the month’s other vulnerabilities.
Administrators can verify a Windows Server 2025 installation with
winver, PowerShell, endpoint-management inventory, or their vulnerability scanner. The defensible threshold is OS build 26100.33158 or later, rather than merely seeing a July date in update history.Patch the Domain Without Creating Your Own Outage
KB5099536 is cumulative and available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services. Microsoft’s release notes list a known WSUS reporting limitation inherited from earlier updates, but they do not currently identify a new domain-controller failure associated with the July package.Even so, domain controllers should be updated as a coordinated service rather than as an undifferentiated batch of Windows servers. Rebooting every DC simultaneously can reproduce the availability failure that the patch is meant to prevent.
A sensible deployment sequence is to update one redundant DC first, confirm that it returns to service, and then proceed site by site while preserving authentication and DNS capacity. Before moving to the next server, administrators should check Active Directory replication, SYSVOL and NETLOGON shares, DNS registration, Kerberos authentication, Global Catalog availability, and any applications pinned to specific LDAP endpoints.
Network controls still provide useful defense in depth. Domain-controller ports should be reachable only from systems and segments that genuinely require them, and perimeter exposure should be eliminated. Segmentation cannot replace the update because an attacker who compromises an allowed internal endpoint may still be able to reach the vulnerable service.
The lack of known exploitation on July 14 lowers the case for an emergency shutdown or indiscriminate isolation of healthy DCs. It does not justify leaving Windows Server 2025 domain controllers below build 26100.33158, particularly when the flaw is unauthenticated, network-accessible, low-complexity, and potentially automatable.
The next meaningful milestone is broader technical disclosure: a proof of concept, crash analysis, or Microsoft revision identifying the affected protocol would sharpen detection and mitigation options. Until then, the reliable action is straightforward—deploy KB5099536 through a redundancy-aware maintenance plan and verify every Windows Server 2025 domain controller reaches build 26100.33158.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: tomshardware.com
Microsoft's April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025 | Tom's Hardware
Microsoft has confirmed the issuewww.tomshardware.com