Microsoft’s July 14, 2026 security updates fix a bug that lets an unauthenticated attacker crash an Active Directory Federation Services (AD FS) server over the network—and brings down authentication for every app that relies on it.
The vulnerability, tracked as CVE-2026-50368, is a stack-based buffer overflow in the AD FS role that carries a CVSS 3.1 base score of 7.5, rated Important. No credentials, no user interaction, and no complex attack chain are required. For any organization still anchoring sign-ins to an on-premises AD FS farm, the update is a non-negotiable priority.
What Actually Got Fixed
According to the Microsoft Security Response Center advisory published on July 14, the flaw is a classic stack-based buffer overflow (CWE-121). A remote attacker can send crafted traffic to the federation service and cause the process to terminate, crashing the server role and interrupting token issuance.
The CVSS vector breaks down bluntly: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality None, Integrity None, Availability High. In plain language, the vulnerability requires only network reach, no authentication, and no help from a user. Microsoft assesses that successful exploitation does not let an attacker read or change data, nor execute arbitrary code—the damage is purely a loss of service.
But for an identity provider, “loss of service” is far from trivial. AD FS brokers sign-ins for an ecosystem of relying-party applications, Office 365 hybrids, partner federations, and line-of-business apps. If the federation service goes down, all of those endpoints stop working until the service recovers.
Affected Versions
The CVE record lists every supported Windows Server generation that can run the AD FS role:
- Windows Server 2012 (including Core)
- Windows Server 2016 (including Core)
- Windows Server 2019 (including Core; patched build 17763.9020)
- Windows Server 2022 (including Core)
- Windows Server 2025 (including Core)
Specific OS build numbers for the July 14 patches vary by release channel, but Microsoft’s Security Update Guide maps each version to its remediation. For example, the fixed Windows Server 2019 baseline is OS build 17763.9020. Administrators should confirm that every AD FS node reaches its corresponding patched build, not merely that an update installation succeeded.
What This Means for You
If you’re an IT administrator with AD FS
The immediate risk is a denial-of-service attack against your federation infrastructure. Because the service is often published to the internet through Web Application Proxy servers, reverse proxies, or load balancers, the attack surface can be as broad as your external authentication endpoints. An attacker doesn’t need internal network access; any path that forwards requests to the AD FS server could be exploited.
A multi-node farm provides some resilience: if one server goes down, the load balancer should route traffic to remaining nodes. But repeated exploitation attempts can overwhelm the farm, and every unpatched node shares the same vulnerability. Redundancy is not remediation.
If you’re a home user or small business
AD FS is an enterprise identity technology and is not present in consumer Windows editions. Unless you’ve explicitly set up a home lab or a self-hosted identity provider, this CVE does not affect personal devices.
If you’ve already moved identity to the cloud
Organizations that have fully migrated to Microsoft Entra ID (formerly Azure AD) without a hybrid AD FS component are not directly affected. However, any remaining AD FS server—perhaps kept for a legacy app or a partner trust that hasn’t been migrated—still requires patching. One forgotten node can become the entry point that takes down those remaining sign-ins.
How We Got Here
Active Directory Federation Services has been the cornerstone of Microsoft-based federated identity for nearly two decades. Even as cloud authentication with Entra ID has become the recommended path, AD FS persists in thousands of organizations bound by regulatory requirements, deeply integrated line-of-business applications, or complex multi-forest topologies.
Stack-based buffer overflows are among the oldest classes of software defects, but they remain a threat whenever network-facing services are written in languages like C or C++. In this case, the flaw lies in a component that processes incoming federation requests—a code path that must be exposed to the network for the service to function. Microsoft’s advisory does not detail the specific request pattern that triggers the overflow, but the low attack complexity suggests that once the nature of the buffer manipulation is known, exploit code could be straightforward to develop.
At publication on July 14, Microsoft stated that CVE-2026-50368 had not been publicly disclosed and was not known to be exploited in the wild. The exploitability assessment is “Exploitation Less Likely.” But these assessments are a snapshot. Once patches become available, attackers routinely reverse-engineer the updates to understand the vulnerability, and the window for safe patching narrows quickly.
What to Do Now
Start with an inventory. Identify every server in your environment with the AD FS role installed: production nodes, disaster-recovery standbys, management servers, templates, and images that could be used to rebuild old configurations. Include Web Application Proxy servers that publish the federation service externally.
Then apply the July 14 security update to every identified system. Use Microsoft Update, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or your usual patch management tool. In a multi-node farm, follow this sequence:
- Drain a target node from the load balancer so it stops receiving authentication traffic.
- Install the update and reboot if required.
- Confirm the new OS build number matches Microsoft’s listed fixed build for that server version.
- Verify that the AD FS service starts and that core functionality works:
- Federation metadata endpoint is reachable.
- Token issuance succeeds for a test user.
- Claims rules process as expected.
- Proxy trust relationships are intact.
- Sign-in to a sample relying-party application completes. - Return the node to the load balancer and repeat for remaining servers.
Synthetic authentication checks—automated scripts that perform a full federation transaction—are particularly valuable because a running service does not guarantee that every step of token issuance is healthy.
While the patch is rolling out, tighten external access where possible. Ensure that internet-facing federation endpoints are protected by rate limiting, that your Web Application Proxy deployment follows least-privilege publishing rules, and that load-balancer health probes are configured to detect and remove a crashed node quickly. None of these measures prevents exploitation, but they can reduce the blast radius until patching is complete.
Monitor for unusual service crashes. Relevant telemetry includes the AD FS Windows service status, federation endpoint health checks, proxy connectivity, and Application or System event logs on federation servers. A sudden pattern of crashes correlating with inbound traffic from unexpected sources could be an exploitation attempt, even though Microsoft reports no active attacks at this time.
What to Watch Next
The July 14 update establishes a new security baseline for AD FS environments, and Microsoft will not publish an alternative workaround. The absence of public exploit code or active attacks today does not lower the priority of patching; it simply means defenders have a head start. As subsequent months pass, expect security researchers and threat actors to analyze the fix and potentially develop working exploits. The best defense starts now: ensure every AD FS server is running its patched build before that analysis becomes an attack.