On July 14, 2026, Microsoft released its monthly security updates, including a fix for a stack-based buffer overflow in Active Directory Federation Services (AD FS) that could allow an unauthenticated attacker to disable federated authentication across an organization. The vulnerability, CVE-2026-50355, has a CVSS score of 7.5 and affects every supported version of Windows Server, from 2012 through 2025, including Server Core deployments.

What Changed?

The flaw, classified as a denial-of-service (DoS) vulnerability, stems from a stack-based buffer overflow in the AD FS service. According to Microsoft’s Security Update Guide, the attack vector is network-based, with low attack complexity, no privileges required, and no user interaction. The CVSS 3.1 vector string—AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H—shows an attacker can remotely crash the AD FS service without needing an account on the target system.

While the vulnerability doesn’t expose confidential data or allow modification of the service, the availability impact is high. A successful exploit can prevent users from obtaining federation tokens, effectively locking them out of every application, cloud service, or partner portal that relies on that AD FS farm for sign-in. The disruption can mimic a broad identity outage even though Active Directory Domain Services, backend applications, and user credentials remain intact.

Who’s Affected and What’s at Stake

If your organization uses AD FS to federate sign-ins for Microsoft 365, legacy claims-aware applications, Web Application Proxy connections, or partner collaboration, you’re exposed. Hybrid environments that synchronize identities to Azure AD but still route authentication requests through AD FS are also vulnerable. Fully cloud-native Microsoft 365 tenants that authenticate directly against Azure AD are not affected.

Windows Server Core installations running the AD FS role are equally vulnerable, so minimal-footprint servers offer no automatic protection. The affected platforms include:

  • Windows Server 2016 and Windows 10 version 1607 (LTSC)
  • Windows Server 2019 and Windows 10 version 1809 (LTSC)
  • Windows Server 2022
  • Windows Server 2025
  • Windows Server 2012 and 2012 R2 (requires Extended Security Updates)

The severity is compounded by AD FS often sitting directly in the authentication path. An outage can halt productivity across an entire organization and break trust with external partners, even if the underlying infrastructure is otherwise healthy.

How We Got Here

AD FS has long been a critical component for enterprise identity, but its exposure and complex configurations have also made it a frequent target. July’s Patch Tuesday is unusually heavy on AD FS fixes, with CVE-2026-50355 joined by at least one other actively exploited elevation-of-privilege vulnerability (CVE-2026-56155), as reported by Microsoft. That suggests a concerted effort to harden the service, even though no active attacks have been observed against CVE-2026-50355 as of publication.

Stack-based buffer overflows are a classic memory-corruption bug class, and in this case, the flaw likely resides in how AD FS parses specific network inputs. Microsoft has confirmed the vulnerability’s existence and validated the technical details, but it has not released proof-of-concept code or additional technical deep-dives—standard practice to prevent aiding attackers before patches are widely deployed. CISA’s initial assessment notes the vulnerability is automatable, meaning that functional exploit code could be developed with relative ease.

Your Patch Checklist

Microsoft has released cumulative updates that bring each affected platform to a fixed build. The critical packages and build numbers are:

Windows Server Version Required Update / Build
Windows Server 2025 KB5099536, build 26100.33158 or later
Windows Server 2022 KB5099540, build 20348.5386 or later
Windows Server 2019 KB5099538, build 17763.9020 or later
Windows Server 2016 KB5099535, build 14393.9339 or later
Windows Server 2012 R2 Build 9600.23291 (via Extended Security Update)
Windows Server 2012 Build 9200.26226 (via Extended Security Update)

For Windows Server 2012 and 2012 R2, eligible Extended Security Updates (ESU) are required to receive these fixes. Systems without active ESU licenses are not protected by the July updates and should be considered vulnerable until they can be retired or upgraded.

Patch the Entire Farm, Not Just One Node

AD FS farms often include multiple servers behind a load balancer, along with Web Application Proxy (WAP) servers, standby nodes, and disaster-recovery replicas. Patching only the primary federation server leaves the rest vulnerable and can cause version-mismatch issues that break trust relationships.

A staged patching approach is recommended to maintain availability:

  1. Remove one AD FS or WAP node from the load balancer rotation.
  2. Install the appropriate July cumulative update (and reboot if prompted).
  3. Verify the AD FS service starts and check that federation metadata, certificate access, and token issuance work correctly.
  4. Monitor Event Viewer logs under AD FS/Admin and related application logs for errors.
  5. Return the server to rotation and move to the next node.

Repeat this process for every server in the farm, including test environments, before declaring remediation complete.

If You Can’t Patch Immediately

Where immediate deployment isn’t possible, reduce exposure by:

  • Restricting network access to AD FS endpoints via firewall rules.
  • Implementing rate limiting and request inspection on reverse proxies.
  • Closely monitoring AD FS servers for unexpected service crashes or spikes in resource usage.

These are interim mitigations, not substitutes for the official update. Because the vulnerability requires no authentication or user interaction, perimeter filtering alone may be unreliable.

Outlook: No Active Attacks Yet, But Don’t Wait

As of July 14, 2026, neither Microsoft nor CISA has identified any active exploitation of CVE-2026-50355. The report-confidence is "Confirmed" because the vendor has verified the flaw, not because attacks are occurring. Exploit-code maturity is listed as "Unproven," but the vulnerability is marked as automatable, meaning that once reverse-engineered, an exploit could be built reliably.

A denial-of-service flaw may not generate the same headlines as a remote code execution bug, but for organizations that depend on AD FS for federated sign-in, an outage can be just as disruptive as a ransomware attack. The patch requires no special configuration changes beyond the normal update process, and the risk of waiting outweighs the cost of deployment.

If your AD FS infrastructure is Internet-facing, patch immediately. Even if your servers are internal-only, aim to apply the fixes within your next scheduled maintenance window. Every server that handles AD FS traffic should report a build at or above Microsoft’s fixed threshold—and be tested to confirm it still issues tokens after the update.