KB5101649 Fixes CVE-2026-58529 on Windows 11 26H1

Microsoft’s July 14 security release fixes CVE-2026-58529, an Active Directory Federation Services (AD FS) information-disclosure flaw tracked as an out-of-bounds read. The immediate action for affected Windows 11 version 26H1 devices is to install KB5101649, which raises the OS to Build 28000.2525; Microsoft’s CVE record marks earlier 28000 builds as vulnerable.
The issue carries a CVSS 3.1 base score of 7.1, rated High. Microsoft describes an authorized attacker disclosing information over a network, which means this is not a drive-by compromise of an unauthenticated internet user—but it can matter sharply in environments where lower-privileged accounts have access to federation infrastructure or its surrounding services.
Microsoft published the advisory on July 14, 2026, as part of its monthly security release. The National Vulnerability Database has received the Microsoft record but, as of July 15, is still awaiting its own enrichment and independent scoring analysis.

Infographic shows a Windows 11 security update, memory disclosure risk, and identity federation protections.The Build Number Is the Deployment Line​

The affected range is unusually specific: Windows 11 version 26H1, beginning at Build 28000.0 and ending before Build 28000.2525, on both x64 and ARM64 systems. That makes KB5101649—the July cumulative update delivering Build 28000.2525—the practical remediation target for administrators.
For organizations using Windows Update for Business, Autopatch, WSUS, Microsoft Configuration Manager, or third-party patch tooling, the verification point is straightforward: systems should report Build 28000.2525 or later after deployment. The Windows build number is more useful here than relying on a dashboard’s generic “July update installed” status, especially where update rings or deferrals can leave devices on older cumulative releases.
Microsoft has described Windows 11 26H1 as a platform-focused release for select newer hardware, rather than the broad annual Windows feature update. That limits the likely desktop population exposed to this particular CVE. But the advisory explicitly names both ARM64 and x64 platforms, so administrators should not assume the issue is confined to Snapdragon-based systems.
The update is cumulative. Organizations that are already behind on 26H1 servicing do not need a chain of intermediary patches; deploying the current July cumulative update should bring the device to the fixed build and include prior quality and security fixes.

ADFS in the Name, Windows 11 in the Scope​

The most notable detail is the tension between the component named in the advisory and the product scope currently listed in the CVE data. AD FS is commonly associated with Windows Server-based identity deployments, providing claims-based authentication and federation for on-premises applications, cloud services, and partner organizations. Yet Microsoft’s published affected-product entry presently lists only Windows 11 version 26H1.
That does not justify assuming that every Windows Server-hosted AD FS deployment is unaffected. It does mean the published advisory, at this stage, does not identify a Windows Server build range for CVE-2026-58529. Security teams should treat that distinction carefully: patch the explicitly affected Windows 11 26H1 systems, then validate their AD FS estate and continue monitoring Microsoft’s Security Update Guide for any scope correction or expansion.
This kind of mismatch can arise when a vulnerable code path is present in a shared Windows component, a management or client-facing feature, or an optional configuration rather than the core server role administrators normally picture when they hear “AD FS.” Microsoft has not published technical exploitation details beyond the out-of-bounds read classification, so there is not enough evidence to map the flaw confidently to a particular AD FS endpoint, token workflow, or service configuration.
That restraint matters. It would be premature to tell administrators to disable AD FS, rotate signing certificates, or alter relying-party trust settings solely because of this CVE. The available evidence supports prompt patching and targeted asset review—not a disruptive federation redesign.

The Risk Is Information Exposure, Not Identity Takeover​

Microsoft classifies the underlying weakness as CWE-125, or an out-of-bounds read. In practical terms, software reads memory beyond an intended buffer boundary. Depending on the affected process and data resident in memory, the result can expose information that should not be available to the requesting user.
The CVSS vector gives the vulnerability an important operational shape:
  • Exploitation is network-based and requires no user interaction.
  • Attack complexity is rated low, but the attacker must already hold low-level privileges.
  • Confidentiality impact is high, while integrity impact is rated none.
  • Availability impact is low, meaning the primary concern is data exposure rather than a service-wide outage.
The combination is why a 7.1 rating should not be dismissed as routine. AD FS and related identity systems can handle authentication context, claims, service metadata, configuration details, and other material that becomes more valuable when joined with separate weaknesses or stolen credentials. A flaw that does not alter data or execute code can still provide reconnaissance or sensitive disclosure that advances a larger intrusion.
At the same time, the privileges-required rating changes the urgency calculation. This is not currently described as an anonymous attacker reaching a public federation endpoint and extracting data without credentials. Organizations should therefore prioritize systems where users, service accounts, contractors, or application identities may have access paths that could meet the “authorized attacker” requirement.

Exploit Evidence Is Not Public, but the Fix Is Official​

CISA’s enrichment data for the CVE currently records exploitation as “none,” automatable exploitation as “no,” and technical impact as “partial.” The associated temporal scoring also reflects unproven exploit code, an official fix, and confirmed vulnerability details.
Those fields should be read precisely. “No” exploitation does not prove the vulnerability has never been used; it means there is no known evidence recorded in that enrichment. “Not automatable” does not mean an attack is impossible at scale under all conditions. It indicates that the available evidence does not support treating the flaw as a broadly repeatable, hands-off attack chain.
The more reassuring part is that Microsoft has supplied a patch through its regular servicing channel, and the vulnerability record is not based on a rumor or an incomplete third-party report. The report confidence component is effectively high because the vendor has acknowledged the weakness and issued remediation. The exploit maturity component remains low because public exploit details have not emerged.
That distinction should guide communications to leadership. This is not a known zero-day emergency with confirmed active exploitation. It is also not a theoretical research finding awaiting vendor response. It is a confirmed, network-reachable disclosure vulnerability with a low-privilege prerequisite and a live cumulative-update fix.

Patch First, Then Verify the Federation Estate​

For endpoint teams, KB5101649 should move through the normal expedited security-update process for Windows 11 26H1. Confirm deployment by checking that devices have reached OS Build 28000.2525 or later, and investigate systems that fail installation, remain on an earlier build, or have servicing-stack problems preventing cumulative-update completion.
Identity and server teams should separately inventory AD FS roles, Web Application Proxies, and systems that interact with the federation environment. Because Microsoft’s present affected-product list does not name Windows Server, that exercise is primarily about determining exposure and being ready if Microsoft revises the advisory—not about applying an unlisted server patch.
Administrators should also review whether ordinary user or service identities can reach relevant federation services across network boundaries. Reducing unnecessary access and watching for anomalous authenticated requests are sensible defense-in-depth steps, but they are not substitutes for the Windows update.
For now, Build 28000.2525 is the line that matters. If Microsoft expands the affected-product list beyond Windows 11 26H1 or publishes technical details that clarify the AD FS attack surface, the patch priority may need to broaden quickly.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top