Microsoft’s July 14, 2026 security update addresses a vulnerability that lets an unauthenticated attacker crash a Windows Server 2025 domain controller from the network. The flaw, tracked as CVE-2026-50424 and patched via KB5099536, carries a CVSS 3.1 base score of 7.5 and requires no credentials, no user interaction, and minimal skill to exploit.

A Network-Accessible, No-Credential Shutdown

The vulnerability is an untrusted pointer dereference (CWE-822) in a Windows component shared across Windows Server 2025 and Windows 11 versions 24H2, 25H2, and 26H1. Only Windows Server 2025 machines running Active Directory Domain Services are directly exposed to the denial-of-service risk, as client Windows 11 editions cannot act as domain controllers. The patch updates Server 2025 to build 26100.33158. Windows 11 gets separate cumulative updates (KB5101650 for 24H2 and 25H2, KB5101649 for 26H1), but their exposure is theoretical for this CVE.

Microsoft classifies the attack as remote, low-complexity, requiring no privileges or user interaction. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H spells out a pure availability impact—no confidentiality or integrity loss. The SANS Internet Storm Center’s July 2026 Patch Tuesday inventory records no known disclosure or exploitation before the patch arrived, and CISA’s Stakeholder-Specific Vulnerability Categorization marks the attack as automatable.

Precisely what an attacker sends over the wire remains unpublished. Microsoft has not named the protocol, port, or service process, nor has it described whether exploitation crashes a service, forces a restart, or leaves the server unresponsive. That gap makes it impossible to craft reliable firewall workarounds.

Why a Simple Crash Matters on a Domain Controller

A denial-of-service attack that merely “turns off” one server may sound manageable, but domain controllers occupy a critical junction. They authenticate users and computers, distribute Group Policy, issue Kerberos tickets, answer LDAP queries, and often supply DNS. A multi-DC environment should survive a single failure, yet real-world impact can spiral if the affected DC holds operations master roles, serves a remote site, or runs as the only Global Catalog reachable by certain applications.

Microsoft’s advisory confirms an attacker needs no domain account and that attack complexity is low, meaning the exploit does not depend on elaborate race conditions. The network-accessible vector does not imply the DC must be internet-facing. An attacker who has compromised a workstation, a VPN account, or another internal device can reach the vulnerable service—making segmentation helpful but not sufficient.

Admins investigating unexplained DC outages should preserve crash dumps, Windows Error Reporting records, network captures, and event logs from System, Directory Service, DNS Server, and Security channels before assuming exploitation.

The Patch: KB5099536 and Build 26100.33158

KB5099536 is the July 2026 cumulative security update for Windows Server 2025, available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and WSUS. The corrected OS build is 26100.33158. Any domain controller below that build is vulnerable.

Windows 11 editions that share the affected component receive separate patches. For 24H2 and 25H2, KB5101650 brings builds to 26100.8875 and 26200.8875 respectively. For 26H1, KB5101649 delivers build 28000.2525. These are important for maintaining overall security posture, but only Server 2025 machines with the AD DS role are at risk for this CVE.

The update replaces all previous monthly rollups and carries a known issue reported in unrelated releases—a WSUS reporting limitation—but Microsoft’s release notes currently list no new domain-controller failure linked to the July package.

Defending Your Domain Without Creating New Outages

Applying the patch requires the same caution as any change that forces a domain controller reboot. Rebooting all DCs at once recreates the very outage the update aims to prevent.

A practical deployment sequence looks like this:

  1. Inventory vulnerable servers: Use winver, PowerShell, or a vulnerability scanner to identify every Windows Server 2025 DC running below build 26100.33158.
  2. Update one redundant DC first: Install KB5099536, reboot, and confirm it returns to service.
  3. Verify critical services: Check Active Directory replication, SYSVOL and NETLOGON shares, DNS registration, Kerberos authentication, Global Catalog availability, and any applications that pin to specific LDAP endpoints.
  4. Proceed site by site: Once the first update is validated, move through the remaining DCs in a controlled manner, ensuring authentication and DNS capacity is never lost.

Network controls remain important defence-in-depth measures. Domain-controller ports should be reachable only from authorised systems, and any accidental internet exposure must be closed. Still, segmentation cannot replace the patch because a compromised allowed endpoint may still reach the vulnerable service.

What to Watch For

The immediate priority is straightforward: deploy KB5099536 and confirm every Windows Server 2025 domain controller reaches build 26100.33158. The lack of known exploitation on patch day reduces the case for emergency isolation, but the vulnerability’s unauthenticated, automatable, low-complexity profile argues against delay.

Over the coming weeks, researchers will likely reverse engineer the fix to identify the affected protocol. A public proof of concept would sharpen detection and make the already strong case for patching absolute. Microsoft may also update its advisory with technical specifics that help admins craft targeted detection rules.

For now, the only reliable action is deploying the update through a redundancy-aware maintenance plan. Domain controllers are not ordinary Windows servers, and treating them as such during patching is what turns a fixed vulnerability into a self-inflicted outage.