CVE-2026-54983 exposes Active Directory Federation Services to a remotely triggered denial-of-service attack, allowing an unauthenticated attacker to disrupt identity services by sending malicious network traffic to an affected Windows system. Microsoft released the fix on July 14, 2026, as part of its monthly Windows security updates.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the vulnerability is a stack-based buffer overflow in Active Directory Federation Services, better known as AD FS. Microsoft assigned it a CVSS 3.1 base score of 7.5, reflecting a network-accessible flaw that requires neither privileges nor user interaction and can have a high impact on service availability.
The vulnerability does not provide a documented route to data theft, privilege escalation, or remote code execution. Its immediate risk is operational: an attacker could make an AD FS deployment unavailable, potentially preventing users and applications from completing federated authentication.
AD FS is commonly deployed to provide single sign-on between an organization’s Active Directory environment and external applications, partner networks, or cloud services. Although Microsoft Entra ID has displaced it in many newer deployments, AD FS remains embedded in hybrid identity architectures and older enterprise applications.
That placement makes availability unusually important. An outage on an AD FS farm can interrupt access to every application that depends on it, even when the applications, domain controllers, and user accounts remain healthy.
Microsoft’s description says an unauthorized attacker can exploit CVE-2026-54983 over a network. The CVSS score indicates low attack complexity, no required authentication, and no need to persuade a user to open a file or visit a page. The reported impact is limited to availability, but that is precisely the security property an identity provider is expected to preserve.
The weakness is classified as CWE-121, a stack-based buffer overflow. This class of bug occurs when software writes more data into a stack buffer than the buffer was designed to hold, potentially corrupting adjacent memory and terminating the affected process.
Microsoft currently describes the outcome as denial of service. Administrators should not reinterpret the generic risks associated with buffer overflows as confirmation of code execution; no such impact has been documented for CVE-2026-54983. The practical scenario supported by the available evidence is a remotely induced failure of the vulnerable AD FS component.
The records additionally identify client Windows versions, including Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 21H2 and 22H2, Windows 11 24H2, Windows 11 25H2, and Windows 11 26H1. That does not mean every ordinary Windows desktop is operating as a federation server or is equally exposed.
Security teams should therefore avoid turning the raw affected-product list into a flat priority queue. The systems that deserve immediate attention are servers with the Active Directory Federation Services role installed, particularly nodes reachable from the internet or an untrusted network.
The July fixes establish the following build thresholds in the published vulnerability records:
Administrators should verify the actual KB and build applicable to each operating-system edition through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or their normal patch-management platform. Build compliance is more reliable than merely checking whether an update installation job reported success.
Before starting, administrators should identify the primary federation server, secondary nodes, Web Application Proxy servers, and load-balancer health checks. They should also confirm that removing one node from rotation does not push the remaining servers beyond their expected authentication capacity.
A sensible deployment sequence is to patch a secondary AD FS node first, validate sign-in flows, and then proceed through the rest of the farm. Tests should cover more than the AD FS sign-in page: organizations may have separate claims rules, multifactor authentication adapters, relying-party trusts, certificate-authentication paths, and legacy applications that exercise different parts of the service.
Web Application Proxy servers should be reviewed as part of the same maintenance plan, even though the vulnerable component is AD FS. Extranet authentication depends on the complete publishing path, and an apparent federation failure after patching may instead come from a proxy, certificate, load balancer, or health-probe issue.
Monitoring should continue after installation. Operations teams should watch the AD FS Admin event log, service restarts, authentication latency, failed token issuance, unusual request spikes, and nodes repeatedly entering or leaving load-balancer rotation.
Network controls can reduce exposure but should not be treated as a substitute for the update. Internet-facing AD FS endpoints must accept unauthenticated traffic to perform their intended function, which limits the value of simple access-control rules. Rate limiting, reverse-proxy filtering, and detection of abnormal request volumes may provide resilience, but they cannot be assumed to recognize the malformed input responsible for the overflow.
Redundancy also does not eliminate the vulnerability. If every node in a farm runs the same affected code and accepts the same malicious traffic, an attacker may be able to repeatedly target nodes as they return to service. High availability helps absorb isolated failure; it is not a security boundary against a reproducible software defect.
Microsoft’s confirmed reporting status means the vulnerability’s existence and technical classification are not speculative. At the time of publication, however, publicly available material remains limited and does not provide packet-level details or a proof-of-concept exploit.
That information gap favors prompt patching rather than experimentation on production systems. Organizations should inventory AD FS role installations, update internet-facing farms first, preserve capacity through a rolling deployment, and verify that each node has reached its July 14, 2026 servicing baseline.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the vulnerability is a stack-based buffer overflow in Active Directory Federation Services, better known as AD FS. Microsoft assigned it a CVSS 3.1 base score of 7.5, reflecting a network-accessible flaw that requires neither privileges nor user interaction and can have a high impact on service availability.
The vulnerability does not provide a documented route to data theft, privilege escalation, or remote code execution. Its immediate risk is operational: an attacker could make an AD FS deployment unavailable, potentially preventing users and applications from completing federated authentication.
A Network Attack Against the Sign-In Tier
AD FS is commonly deployed to provide single sign-on between an organization’s Active Directory environment and external applications, partner networks, or cloud services. Although Microsoft Entra ID has displaced it in many newer deployments, AD FS remains embedded in hybrid identity architectures and older enterprise applications.That placement makes availability unusually important. An outage on an AD FS farm can interrupt access to every application that depends on it, even when the applications, domain controllers, and user accounts remain healthy.
Microsoft’s description says an unauthorized attacker can exploit CVE-2026-54983 over a network. The CVSS score indicates low attack complexity, no required authentication, and no need to persuade a user to open a file or visit a page. The reported impact is limited to availability, but that is precisely the security property an identity provider is expected to preserve.
The weakness is classified as CWE-121, a stack-based buffer overflow. This class of bug occurs when software writes more data into a stack buffer than the buffer was designed to hold, potentially corrupting adjacent memory and terminating the affected process.
Microsoft currently describes the outcome as denial of service. Administrators should not reinterpret the generic risks associated with buffer overflows as confirmation of code execution; no such impact has been documented for CVE-2026-54983. The practical scenario supported by the available evidence is a remotely induced failure of the vulnerable AD FS component.
The Product List Is Broader Than the Real Deployment Risk
Microsoft’s vulnerability metadata covers a wide range of Windows releases, including Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are also represented for several releases.The records additionally identify client Windows versions, including Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 21H2 and 22H2, Windows 11 24H2, Windows 11 25H2, and Windows 11 26H1. That does not mean every ordinary Windows desktop is operating as a federation server or is equally exposed.
Security teams should therefore avoid turning the raw affected-product list into a flat priority queue. The systems that deserve immediate attention are servers with the Active Directory Federation Services role installed, particularly nodes reachable from the internet or an untrusted network.
The July fixes establish the following build thresholds in the published vulnerability records:
- Windows Server 2016 and Windows 10 Version 1607 move to build 14393.9339.
- Windows Server 2019 and Windows 10 Version 1809 move to build 17763.9020.
- Windows Server 2022 moves to build 20348.5386.
- Windows Server 2025 moves to build 26100.33158.
- Windows 11 24H2 moves to build 26100.8875.
- Windows 11 25H2 moves to build 26200.8875.
- Windows 11 26H1 moves to build 28000.2525.
- Windows 10 22H2 moves to build 19045.7548.
Administrators should verify the actual KB and build applicable to each operating-system edition through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, or their normal patch-management platform. Build compliance is more reliable than merely checking whether an update installation job reported success.
Patch the Farm Without Creating Your Own Outage
A denial-of-service vulnerability in a redundant AD FS farm does not justify patching every federation server simultaneously. The safer approach is a rolling deployment that preserves authentication capacity while each node is updated and restarted.Before starting, administrators should identify the primary federation server, secondary nodes, Web Application Proxy servers, and load-balancer health checks. They should also confirm that removing one node from rotation does not push the remaining servers beyond their expected authentication capacity.
A sensible deployment sequence is to patch a secondary AD FS node first, validate sign-in flows, and then proceed through the rest of the farm. Tests should cover more than the AD FS sign-in page: organizations may have separate claims rules, multifactor authentication adapters, relying-party trusts, certificate-authentication paths, and legacy applications that exercise different parts of the service.
Web Application Proxy servers should be reviewed as part of the same maintenance plan, even though the vulnerable component is AD FS. Extranet authentication depends on the complete publishing path, and an apparent federation failure after patching may instead come from a proxy, certificate, load balancer, or health-probe issue.
Monitoring should continue after installation. Operations teams should watch the AD FS Admin event log, service restarts, authentication latency, failed token issuance, unusual request spikes, and nodes repeatedly entering or leaving load-balancer rotation.
Network controls can reduce exposure but should not be treated as a substitute for the update. Internet-facing AD FS endpoints must accept unauthenticated traffic to perform their intended function, which limits the value of simple access-control rules. Rate limiting, reverse-proxy filtering, and detection of abnormal request volumes may provide resilience, but they cannot be assumed to recognize the malformed input responsible for the overflow.
Availability Risk Makes AD FS the Priority
CVE-2026-54983 carries a lower headline impact than a remote-code-execution vulnerability, but its placement in an authentication service changes the operational calculation. A successful attack may not compromise a domain, yet it can still halt access to Microsoft 365, software-as-a-service platforms, partner applications, and internal services that rely on federated tokens.Redundancy also does not eliminate the vulnerability. If every node in a farm runs the same affected code and accepts the same malicious traffic, an attacker may be able to repeatedly target nodes as they return to service. High availability helps absorb isolated failure; it is not a security boundary against a reproducible software defect.
Microsoft’s confirmed reporting status means the vulnerability’s existence and technical classification are not speculative. At the time of publication, however, publicly available material remains limited and does not provide packet-level details or a proof-of-concept exploit.
That information gap favors prompt patching rather than experimentation on production systems. Organizations should inventory AD FS role installations, update internet-facing farms first, preserve capacity through a rolling deployment, and verify that each node has reached its July 14, 2026 servicing baseline.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: aha.org
- Related coverage: hkcert.org
Microsoft Active Directory Federation Services Denial of Service Vulnerability | HKCERT
HKCERT is the centre for coordinating computer security incident response for local enterprises and Internet Users. It disseminates information, provides advices on preventive measures against security threats and promotes information security awareness.www.hkcert.org