CVE-2026-54119 is a remotely triggerable Windows Active Directory denial-of-service vulnerability that requires no authentication or user interaction, giving administrators a clear reason to prioritize Microsoft’s July 14, 2026 security updates on domain controllers and other systems exposing directory services.
Microsoft rates the flaw Important, with a CVSS 3.1 score of 7.5. Detailed in the Microsoft Security Response Center’s July security release, the vulnerability can force Active Directory into an infinite loop, consuming availability until the affected service or system is recovered.
The published CVSS vector describes a network-accessible, low-complexity attack requiring neither privileges nor user action. Microsoft and the CVE record describe no impact on confidentiality or integrity, but assign the maximum rating to availability impact.
Zero Day Initiative’s review of the July 2026 updates lists CVE-2026-54119 as neither publicly disclosed nor exploited in the wild at release time. That lowers the immediate threat compared with an active zero-day, but it does not make an unauthenticated denial-of-service path into identity infrastructure safe to defer.
Microsoft classifies CVE-2026-54119 under CWE-835, an unreachable exit condition more commonly described as an infinite loop. An unauthorized attacker can send network traffic that causes vulnerable Active Directory code to enter a processing path from which it does not exit normally.
The available advisory information does not identify the exact protocol operation, packet structure, port, or Active Directory interface involved. It also does not state whether exploitation crashes a process, exhausts a processor core, stalls request handling, or requires a reboot to restore service. Administrators should therefore avoid building narrowly targeted firewall signatures from the limited public description.
The practical outcome is clearer than the root cause: a successful attack can deny service without first obtaining domain credentials. On a domain controller, degraded Active Directory availability can affect far more than directory queries. Kerberos authentication, LDAP-dependent applications, Group Policy processing, computer logons and services using domain accounts can all depend on reachable, responsive domain controllers.
Redundant domain controllers reduce the effect of losing one server, but they are not a substitute for patching. If the same unauthenticated request can be directed at every vulnerable controller, an attacker may be able to repeat the condition across multiple sites or recovery attempts. Microsoft has not yet published enough technical detail to determine how easily the attack scales, so that scenario remains a risk assessment rather than a confirmed exploitation technique.
The fixed build thresholds published with the CVE include:
That broad listing means administrators should not assume the exposure is limited solely to machines promoted as domain controllers. Microsoft labels the affected component “Windows Active Directory,” but the currently public description does not precisely explain why client SKUs are included or which installed services make a particular endpoint reachable.
For enterprise remediation, the safest approach is to use Microsoft’s applicability rules rather than trying to infer safety from a machine’s role. Deploy the July cumulative security update wherever it is offered, while placing domain controllers, Active Directory Lightweight Directory Services hosts and systems accepting directory-related traffic near the front of the rollout.
Before installation, administrators should verify that recent System State backups are usable and that recovery credentials and procedures are accessible without depending on the domain being repaired. After each reboot, checks should cover
Monitoring deserves equal attention because Microsoft has not documented a unique event ID or indicator for exploitation. Security teams should look for unexplained CPU saturation, directory-service hangs, abrupt loss of LDAP or Kerberos responsiveness, repeated service recovery actions and clusters of connection attempts immediately preceding an outage. These symptoms are not specific enough to prove exploitation, but preserving packet captures and Windows event logs may help distinguish an attack from an ordinary Active Directory failure.
Network controls can reduce exposure while change windows are being arranged. Domain-controller ports should not be reachable from the public internet, and internal access should be restricted to networks and systems that genuinely require directory services. Segmentation between user, server and management tiers can limit who can send arbitrary traffic to domain controllers, although it cannot eliminate risk from a compromised device already inside an allowed segment.
Microsoft’s CVSS assessment says attack complexity is low, so administrators should not count on unusual timing, race conditions or extensive preparation to protect an unpatched server. The absence of known exploitation on July 14 is a point-in-time status, not evidence that attackers will struggle to reproduce the flaw once updates are compared with vulnerable binaries.
That disclosure pattern leaves defenders with fewer options than they would have for a vulnerability tied to a specific optional feature or port. Disabling Active Directory is not a realistic mitigation for a domain controller, and broad blocking of directory protocols can cause the same business outage that administrators are trying to prevent.
It also means public exploitability assessments could change as researchers analyze the July binaries. A denial-of-service flaw based on an infinite loop may be simpler to demonstrate than a memory-corruption vulnerability requiring reliable code execution, although Microsoft’s limited description is not enough to predict when or whether public exploit code will appear.
For now, the July 14 security update is the corrective action. Organizations should verify installed build numbers rather than relying only on deployment-console success messages, complete staged domain-controller servicing, and keep watch for any Microsoft revision that identifies a specific protocol, workaround or exploitation signal. The next meaningful milestone is not a fuller vulnerability score; it is getting every reachable Active Directory system across the fixed-build boundary before an unauthenticated service disruption becomes a repeatable tool.
Microsoft rates the flaw Important, with a CVSS 3.1 score of 7.5. Detailed in the Microsoft Security Response Center’s July security release, the vulnerability can force Active Directory into an infinite loop, consuming availability until the affected service or system is recovered.
The published CVSS vector describes a network-accessible, low-complexity attack requiring neither privileges nor user action. Microsoft and the CVE record describe no impact on confidentiality or integrity, but assign the maximum rating to availability impact.
Zero Day Initiative’s review of the July 2026 updates lists CVE-2026-54119 as neither publicly disclosed nor exploited in the wild at release time. That lowers the immediate threat compared with an active zero-day, but it does not make an unauthenticated denial-of-service path into identity infrastructure safe to defer.
An Infinite Loop Becomes an Identity Outage
Microsoft classifies CVE-2026-54119 under CWE-835, an unreachable exit condition more commonly described as an infinite loop. An unauthorized attacker can send network traffic that causes vulnerable Active Directory code to enter a processing path from which it does not exit normally.The available advisory information does not identify the exact protocol operation, packet structure, port, or Active Directory interface involved. It also does not state whether exploitation crashes a process, exhausts a processor core, stalls request handling, or requires a reboot to restore service. Administrators should therefore avoid building narrowly targeted firewall signatures from the limited public description.
The practical outcome is clearer than the root cause: a successful attack can deny service without first obtaining domain credentials. On a domain controller, degraded Active Directory availability can affect far more than directory queries. Kerberos authentication, LDAP-dependent applications, Group Policy processing, computer logons and services using domain accounts can all depend on reachable, responsive domain controllers.
Redundant domain controllers reduce the effect of losing one server, but they are not a substitute for patching. If the same unauthenticated request can be directed at every vulnerable controller, an attacker may be able to repeat the condition across multiple sites or recovery attempts. Microsoft has not yet published enough technical detail to determine how easily the attack scales, so that scenario remains a risk assessment rather than a confirmed exploitation technique.
July Builds Mark the Security Boundary
Microsoft’s affected-product data reaches from older supported Windows releases through its current client and server platforms. The list includes Windows Server 2012 and 2012 R2 under Extended Security Updates, Windows Server 2016, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Server Core installations are also covered where Microsoft lists them separately.The fixed build thresholds published with the CVE include:
- Windows Server 2012 systems must be updated to build 6.2.9200.26226 or later.
- Windows Server 2012 R2 systems must reach build 6.3.9600.23291 or later.
- Windows Server 2016 must reach build 10.0.14393.9339 or later.
- Windows Server 2019 must reach build 10.0.17763.9020 or later.
- Windows Server 2022 must reach build 10.0.20348.5386 or later.
- Windows Server 2025 must reach build 10.0.26100.33158 or later.
That broad listing means administrators should not assume the exposure is limited solely to machines promoted as domain controllers. Microsoft labels the affected component “Windows Active Directory,” but the currently public description does not precisely explain why client SKUs are included or which installed services make a particular endpoint reachable.
For enterprise remediation, the safest approach is to use Microsoft’s applicability rules rather than trying to infer safety from a machine’s role. Deploy the July cumulative security update wherever it is offered, while placing domain controllers, Active Directory Lightweight Directory Services hosts and systems accepting directory-related traffic near the front of the rollout.
Patch Domain Controllers Without Creating a Different Outage
The unauthenticated network vector argues for speed, but domain-controller servicing still requires controlled sequencing. Organizations should patch one controller at a time in each domain and site, confirm replication and authentication health, and only then proceed to the next system.Before installation, administrators should verify that recent System State backups are usable and that recovery credentials and procedures are accessible without depending on the domain being repaired. After each reboot, checks should cover
dcdiag, repadmin /replsummary, DNS registration, SYSVOL and NETLOGON shares, Kerberos ticket issuance and representative LDAP binds from dependent applications.Monitoring deserves equal attention because Microsoft has not documented a unique event ID or indicator for exploitation. Security teams should look for unexplained CPU saturation, directory-service hangs, abrupt loss of LDAP or Kerberos responsiveness, repeated service recovery actions and clusters of connection attempts immediately preceding an outage. These symptoms are not specific enough to prove exploitation, but preserving packet captures and Windows event logs may help distinguish an attack from an ordinary Active Directory failure.
Network controls can reduce exposure while change windows are being arranged. Domain-controller ports should not be reachable from the public internet, and internal access should be restricted to networks and systems that genuinely require directory services. Segmentation between user, server and management tiers can limit who can send arbitrary traffic to domain controllers, although it cannot eliminate risk from a compromised device already inside an allowed segment.
Microsoft’s CVSS assessment says attack complexity is low, so administrators should not count on unusual timing, race conditions or extensive preparation to protect an unpatched server. The absence of known exploitation on July 14 is a point-in-time status, not evidence that attackers will struggle to reproduce the flaw once updates are compared with vulnerable binaries.
Sparse Disclosure Raises the Value of Fast Servicing
CVE-2026-54119 arrived with enough information to establish that the vulnerability exists, is remotely reachable and can have a high availability impact. It did not arrive with a proof of concept, protocol-level explanation or operational workaround.That disclosure pattern leaves defenders with fewer options than they would have for a vulnerability tied to a specific optional feature or port. Disabling Active Directory is not a realistic mitigation for a domain controller, and broad blocking of directory protocols can cause the same business outage that administrators are trying to prevent.
It also means public exploitability assessments could change as researchers analyze the July binaries. A denial-of-service flaw based on an infinite loop may be simpler to demonstrate than a memory-corruption vulnerability requiring reliable code execution, although Microsoft’s limited description is not enough to predict when or whether public exploit code will appear.
For now, the July 14 security update is the corrective action. Organizations should verify installed build numbers rather than relying only on deployment-console success messages, complete staged domain-controller servicing, and keep watch for any Microsoft revision that identifies a specific protocol, workaround or exploitation signal. The next meaningful milestone is not a fuller vulnerability score; it is getting every reachable Active Directory system across the fixed-build boundary before an unauthenticated service disruption becomes a repeatable tool.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: advisories.gitlab.com
Jenkins Active Directory Plugin follows LDAP referrals by default | GitLab Advisory Database (GLAD)
CVE-2026-48918 Jenkins Active Directory Plugin follows LDAP referrals by default: Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. …advisories.gitlab.com - Related coverage: tomshardware.com
Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild | Tom's Hardware
System administrators, run the May 12 patch immediately if you haven't already.www.tomshardware.com