CVE-2026-50324: Windows Active Directory Federation Services Denial of Service Vulnerability

Overview

Severity
Medium (CVSS 5.9)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Category
Denial of Service
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Affected Products (13)

Windows

  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2025
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)

ESU

  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

Security Updates (5)

Acknowledgments

Anonymous, Anonymous

Revision History

  • 2026-07-14: Information published.