On July 14, 2026, Microsoft shipped a security update for CVE-2026-50682, a vulnerability in Windows Active Directory that lets an authenticated user with minimal privileges crash or destabilize affected systems over the network. The out-of-bounds read flaw, rated Important with a CVSS score of 7.1, requires no user interaction and can be exploited with low complexity. Domain controllers are the most critical targets, but the vulnerable code runs on multiple Windows editions.
Breaking Down the CVSS Score
CVE-2026-50682 is caused by an out-of-bounds read (CWE-125) in a Windows Active Directory component. Microsoft’s advisory describes a scenario where an attacker sends a specially crafted request that triggers the flaw, leading to a denial of service. The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H, which reveals exactly how the vulnerability works and what an attacker can achieve:
- AV:N (Network): Exploitation can happen remotely—no physical access is needed.
- AC:L (Low attack complexity): The attack doesn’t require unusual circumstances; it’s repeatable and straightforward once the technique is known.
- PR:L (Low privileges required): Any valid domain account, even a standard user with no special permissions, is enough. This is the most dangerous element.
- UI:N (No user interaction): The victim doesn’t have to click a link, open a file, or perform any action—the attack can be fully automated.
- S:U (Unchanged scope): The vulnerable component’s security boundaries don’t change; the attack stays within the same security context.
- C:L (Low confidentiality): Some limited information might leak, but that isn’t the primary risk.
- I:N (No integrity): The attack doesn’t modify data.
- A:H (High availability): The main impact is disruption. Services may stop, restart, hang, or become unresponsive.
The combination of low privileges and high availability impact makes this vulnerability particularly dangerous in environments where an attacker has already gained any foothold—something that’s increasingly common through phishing, credential theft, or supply-chain compromises. The attacker doesn’t need to be a domain admin; even a compromised guest account or a service account with minimal rights could bring down a domain controller.
Microsoft has assessed exploitation as “less likely,” and the flaw was neither publicly disclosed nor known to be exploited when the update was released. However, history shows that once a patch is released, reverse engineering efforts often produce working exploits within days or weeks, especially for vulnerabilities rated as low complexity.
The Patch: Build Numbers and Known Hiccups
Microsoft’s July 2026 cumulative updates raise systems past the vulnerable build ranges. Administrators must ensure they install the exact update packages listed below—not earlier or intermediate builds—to fully remediate the vulnerability.
| Product | Update KB | Patched Build |
|---|---|---|
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 (including Server Core) | KB5099536 | 26100.33158 |
| Windows 11 24H2 / 25H2 | KB5101650 | 26100.8875 / 26200.8875 |
| Windows 11 26H1 | KB5101649 | 28000.2525 |
| Windows 10 22H2 / Enterprise LTSC 2021 | KB5099539 | 19045.7548 / 19044.7548 |
Windows 10 version 22H2 exited mainstream support on October 14, 2025, so the security update is available only to systems enrolled in Extended Security Updates or LTSC channels. Organizations still running Windows 10 without a support agreement won’t receive this fix through normal channels.
Client editions of Windows 10 and 11 appear in the advisory because they include Active Directory‑related libraries and management tools that contain the vulnerable code. While a typical workstation is not a domain controller, it could still be targeted if it runs services that expose the flawed component. Patching all affected endpoints is prudent, but domain controllers must take the highest priority.
Two known issues deserve attention before you deploy:
- BitLocker recovery prompt on Server 2022 – If you have configured BitLocker on the operating system drive with an explicit PCR7 binding (not the default), and your PCR7 binding state reports as “Not Possible,” the first reboot after installing KB5099540 may request the recovery key. This is due to a transition to the Windows UEFI CA 2023‑signed boot manager. Ensure recovery keys are escrowed and retrievable before rebooting patched servers.
- Third‑party TDI transport hardening on Server 2025 – After installing KB5099536, applications that use sockets over unregistered third‑party Transport Driver Interface transports may stop working. Registered transports are unaffected. If your environment relies on legacy networking software with custom TDI providers, test compatibility during piloting.
These issues don’t compromise the security fix itself, but they can complicate deployment. Planning for them ahead of time will prevent surprises.
Why a Denial of Service on Active Directory Is So Disruptive
Active Directory is the backbone of identity, authentication, and policy in most Windows environments. Taking down a domain controller—even temporarily—can trigger a cascade of failures:
- User logons stall across the entire domain.
- Group Policy processing halts, leaving security settings and software distribution stuck.
- DNS and LDAP queries fail, breaking applications, file shares, and network services that depend on directory lookup.
- Kerberos ticket issuance stops, causing widespread authentication errors.
- Incident response is hobbled if security tools and consoles rely on AD for authentication.
Because the vulnerability requires only low privileges, any compromised standard user account becomes a potential weapon. In large organizations with thousands of users, contractors, and service accounts, the attack surface is vast. An attacker who has stolen a single set of credentials can automate attacks against multiple domain controllers simultaneously, maximizing damage.
There is no official workaround. Network segmentation and access controls can reduce exposure by limiting which hosts can communicate with domain controllers, but they don’t eliminate the vulnerable code. Patching is the only complete solution.
The Context of July 2026’s Large Patch Tuesday
The July 2026 Patch Tuesday was notably larger than recent months, addressing a broad swath of vulnerabilities across Microsoft’s portfolio. CVE-2026-50682 was one of several security flaws fixed, but its unique combination of Active Directory scope, low‑privilege requirement, and high availability impact sets it apart.
CISA’s initial SSVC analysis deemed the vulnerability not readily automatable and not known to be exploited. Microsoft’s exploitability index also placed it in the “less likely” category. These snapshots are reassuring, but they reflect knowledge as of July 14, 2026. Historically, out‑of‑bounds read vulnerabilities in widely deployed services become more frequently targeted once patch analysis reveals the faulty code path. The absence of active attacks on patch day doesn’t mean August will be quiet.
Your Step-by-Step Patch Deployment Guide
Because domain controllers are too important to leave unpatched—but also too critical to break—a phased approach is essential. Here’s a plan that balances urgency with safety:
- Take inventory – Use your patch management tool to identify all systems that require the July cumulative updates. Include domain controllers, management workstations, and any server that runs Active Directory tools or administrative components. Don’t forget Windows 10/11 machines that may have RSAT or other AD‑adjacent software.
- Pilot on a representative domain controller – Choose a DC in a low‑risk site, ideally one that handles authentication but isn’t the PDC emulator or hosting critical FSMO roles. Install the update and reboot. Then run tests:
- Executedcdiagandrepadmin /replsummaryto verify replication health.
- Check that Kerberos tickets are issued correctly for test accounts.
- Confirm LDAP‑dependent applications still function (e.g., SQL Server, Exchange, SharePoint).
- Validate SYSVOL accessibility and Group Policy processing by forcing agpupdateon a client.
- Monitor the Directory Service and System event logs for errors, especially around the time of service restart. - Verify BitLocker and TDI transport readiness – For Server 2022, ensure that recovery keys are stored in Active Directory or an escrow system and that you can retrieve them if needed. For Server 2025, test any legacy application that might rely on third‑party TDI transports; contact the vendor if you’re unsure.
- Schedule a maintenance window for remaining domain controllers – Roll out the update in waves, starting with non‑FSMO holders and moving to more critical roles after confirming stability. Always have a rollback plan: ensure you can restore a domain controller from backup if something goes wrong.
- Patch client systems on the usual schedule – Once domain controllers are updated, proceed with workstation patches during your standard deployment cycle. No special urgency is needed for endpoints, but don’t let them fall months behind.
- Enhance monitoring post‑deployment – Because Microsoft hasn’t provided a signature or packet details, detection will be behavioral. Look for unexpected domain controller crashes, repeated failed directory operations (event ID 1040 or 1168 might surface anomalies), bursts of authenticated traffic from unusual sources, or service terminations that correlate with a specific user account. Correlate authentication logs with system stability events.
The Outlook: Patch Now Before PoC Arrives
CVE-2026-50682 is a straightforward but potent denial‑of‑service risk that any low‑privilege authenticated user can trigger. The July 2026 cumulative updates are the only remedy. While exploitation hasn’t been seen yet, the release of a patch is often the starting gun for researchers and attackers alike. Domain controllers should not remain on unpatched builds any longer than necessary.
Keep an eye on Microsoft’s Security Update Guide for any revisions to the CVE details, and watch CISA’s Known Exploited Vulnerabilities catalog for potential inclusion. If you can’t patch all domain controllers immediately, double down on network access restrictions, restrict the accounts that can initiate RPC or LDAP sessions to DCs, and rehearse your Active Directory disaster‑recovery procedures.
The fix is nearly a one‑click operation via Windows Update or WSUS—but the testing and verification around it require careful planning. Treat this as a high‑priority patch for your directory service, and you’ll close a significant but manageable door before anyone walks through it.