On July 14, 2026, Microsoft released a security update that fixes a critical weakness in Active Directory Federation Services (AD FS) — a stack-based buffer overflow that enables an unauthenticated attacker to remotely crash the service. The vulnerability, tracked as CVE-2026-54983, carries a CVSS score of 7.5 and requires no user interaction, making it a potent denial-of-service risk for any organization that relies on AD FS for federated sign-on.

The Flaw: A Stack-Based Overflow in the Heart of AD FS

According to Microsoft’s advisory, the vulnerability is a classic stack-based buffer overflow (CWE-121) inside AD FS. When the service processes maliciously crafted network traffic, it can write past the allocated buffer, corrupting adjacent memory and causing the process to terminate. The attack is network-accessible, has low complexity, and demands neither privileges nor any action from a user.

Microsoft confirms that exploitation results in denial of service — not code execution or data theft. But for an identity provider, availability is everything. An attacker who triggers this flaw can knock an AD FS server offline, potentially cutting off access to every application that depends on it for authentication. The company has assigned a CVSS 3.1 base score of 7.5, indicating a serious but not critical rating, with the only impact being on availability.

Which Systems Are Really at Risk?

The advisory’s product list is long, covering everything from Windows Server 2012 through Windows Server 2025, plus several Windows 10 and Windows 11 editions. However, the actual exposure is far narrower. Only systems with the Active Directory Federation Services role installed are vulnerable. A standard Windows desktop does not run AD FS, so most client machines are not at risk.

Security teams should zero in on servers that host the AD FS role, especially those reachable from the internet or untrusted networks. The patch is part of Microsoft’s regular July 2026 security release, and it raises the build numbers for affected editions:

  • Windows Server 2016 / Windows 10 Version 1607: build 14393.9339
  • Windows Server 2019 / Windows 10 Version 1809: build 17763.9020
  • Windows Server 2022: build 20348.5386
  • Windows Server 2025: build 26100.33158
  • Windows 11 24H2: build 26100.8875
  • Windows 11 25H2: build 26200.8875
  • Windows 11 26H1: build 28000.2525
  • Windows 10 22H2: build 19045.7548

For those clinging to Windows Server 2012 and 2012 R2 with Extended Security Updates, the baselines are build 9200.26226 and build 9600.23291, respectively. Administrators should confirm these build numbers after applying the update, regardless of how the patch was deployed. A successful installation message doesn’t always guarantee the file versions are active.

Why a DoS on AD FS Is a Business-Stopping Event

AD FS isn’t just another service; it’s the linchpin for federated identity in countless hybrid environments. When it goes down, so does single sign-on to Microsoft 365, SaaS platforms, partner portals, and internal applications that trust it. Even if domain controllers and applications remain healthy, users get blocked at the login prompt.

High-availability farms don’t eliminate the risk. If every node runs the same vulnerable code, an attacker can cycle through them, crashing each as it comes back online. A reproducible software defect is not the same as a random hardware failure. An unauthenticated remote attacker needs only to send the right malformed packet to any internet-facing AD FS endpoint to set off the chain.

How We Got Here: AD FS Under the Hood and the Patch Landscape

AD FS has been a fixture of Windows Server for nearly two decades. While Microsoft now steers organizations toward Entra ID, a staggering number still depend on on-premises federation servers — often because of legacy applications, compliance requirements, or complex trust relationships that haven’t been modernized.

Stack-based buffer overflows are among the oldest and most-studied vulnerability classes, yet they still surface, even in hardened, network-facing roles like AD FS. The July 2026 fix follows Microsoft’s standard Patch Tuesday rhythm; it is not an out-of-band release. At the time of disclosure, there was no public evidence of active exploitation or a proof-of-concept, but that changes now. With the advisory and patches public, reverse engineers can compare the before-and-after binaries, and exploit development is likely.

This vulnerability was responsibly reported, and Microsoft’s confirmed status means the technical details are accurate and not speculative. The lack of packet-level details in the initial advisory shouldn’t breed complacency — it’s a race between patching and the inevitable availability of a ready-made attack.

What You Need to Do: A Patching Guide for AD FS Administrators

Start with a comprehensive inventory. List every server running the AD FS role, including Web Application Proxy servers that publish federation services to the internet. Note which are primary nodes, which are secondaries, and how your load balancer’s health probes are configured. You don’t want to pull a node and discover the remaining servers can’t handle the authentication load.

A rolling deployment is essential. Patch one secondary node first, apply the update, restart, and then rigorously test. Don’t just hit the AD FS sign-in page — exercise claims rules, multi-factor authentication adapters, certificate-based authentication, and any custom relying-party trusts. Legacy applications often rely on specific flows that may break if a patched node behaves differently.

Once the first node passes validation, proceed through the rest of the farm. Web Application Proxy servers should be updated in tandem; an apparent federation failure after patching is frequently due to a proxy, certificate, or load-balancer glitch, not the AD FS fix itself. After every server is updated, verify the build numbers listed above. Do not trust that an installation success message equals compliance.

Post-patch monitoring is critical. Watch the AD FS Admin event log for service restarts or errors. Track authentication latency, failed token issuance, and unusual request spikes. Pay special attention to nodes that repeatedly enter or leave the load balancer rotation — they might be crashing silently or experiencing delayed effects.

Network mitigations can reduce exposure but are not a substitute for the update. Internet-facing AD FS endpoints must accept unauthenticated traffic by design, which limits the value of simple access control lists. Rate limiting and reverse-proxy filtering may absorb some blunt-force attacks, but they can’t reliably detect the malformed input that triggers the overflow. The patch is the only solid fix.

Organizations still running Windows Server 2012 or 2012 R2 under Extended Security Updates must source the specific ESU packages. The usual Windows Update channels won’t offer them automatically. Check with your service provider or the Microsoft Update Catalog to obtain the correct update.

The Bigger Picture: Why This Vulnerability Underlines the AD FS Sunset

Every security advisory like this is a nudge toward modernity. Microsoft Entra ID offers a cloud-native identity broker that shifts the burden of patching and availability to Microsoft’s own infrastructure. While a full migration may be a multi-year project, each on-premises vulnerability chips away at the case for keeping AD FS. Organizations should at least begin evaluating which relying-party trusts can be moved to Entra ID, reducing the attack surface over time.

In the immediate term, the July 2026 patch is a must-have. With no authentication required and a trivial attack vector, exploitation is a matter of when, not if. Get your farm updated, verify the builds, and keep a close eye on the logs. The next critical moment will be when the first public exploit surfaces. You want to be on the right side of that timeline.