Microsoft’s July 14, 2026 Patch Tuesday release plugged an information-disclosure hole in the Windows USB Audio Class driver that lets an attacker siphon confidential data from memory using nothing more than a crafted USB audio device. The vulnerability, tracked as CVE-2026-49794, earned a CVSS 3.1 score of 4.6 — Medium severity — because exploitation demands physical access to a target machine. But its reach is unusually broad, spanning Windows 10, Windows 11, and Windows Server, including Server Core installations where few expect an audio driver to matter.
What Actually Changed in the July Patch
The flaw lives in usbaudio.sys, Microsoft’s built-in driver for USB Audio Class devices. When Windows processes data from a connected USB audio peripheral, the driver can perform an out-of-bounds read (CWE-125). In plain terms, it may peek beyond the intended memory buffer and expose whatever happens to sit next to it — potentially containing sensitive information. Microsoft’s attack-vector string spells out the constraints: AV:P (physical access), AC:L (low complexity), PR:N (no privileges required), UI:N (no user interaction). The confidentiality impact is rated High, while integrity and availability are marked None. That means no code execution, no system takeover, no denial of service — purely a data leak.
The fix arrives in the July 2026 cumulative updates, which bump affected systems to these minimum safe builds:
| Windows Version / Edition | Fixed Build Number |
|---|---|
| Windows 10 1607 / Server 2016 | 14393.9339 |
| Windows 10 1809 / Server 2019 | 17763.9020 |
| Windows 10 21H2 | 19044.7548 |
| Windows 10 22H2 | 19045.7548 |
| Windows Server 2022 | 20348.5386 |
| Windows 11 24H2 | 26100.8875 |
| Windows 11 25H2 | 26200.8875 |
| Windows 11 26H1 | 28000.2269 |
| Windows Server 2025 | 26100.33158 |
| Windows Server 2012 | 9200.26226 |
| Windows Server 2012 R2 | 9600.23291 |
Server Core variants are explicitly included for 2012 through 2025. Administrators should not dismiss the risk simply because a server lacks a sound card — the vulnerable driver ships as part of the OS and can be attacked if a malicious audio device is ever connected.
What This Means for You
For home and everyday users
A typical home PC is a low-priority target for physical USB attacks. Apply the July cumulative update through Windows Update, and you’re protected. No evidence suggests that legitimate USB headsets, microphones, or speakers become dangerous after patching; the fix corrects the driver’s boundary checking, not your peripherals.
For IT administrators and enterprise environments
The risk calculus changes in shared or unattended spaces — conference rooms, library kiosks, school computer labs, reception desks, medical workstations, or factory-floor terminals. In these settings, an outsider can plug in a rigged USB audio device without triggering any warning. The attack requires no login, no user mistake, and succeeds silently. While Microsoft’s CVSS rating is Medium, the real-world exposure in a hospital or university campus could be severe.
The Server Core angle surprises many admins. Even a domain controller or a headless file server includes usbaudio.sys. If someone gains physical access to the server room or an unprotected USB port, they could exploit this flaw to read in-memory data. It’s a reminder that “server role” doesn’t guarantee a smaller attack surface.
For developers and power users
Anyone writing code that interacts with the Windows audio stack, or building custom USB audio devices, should test their setups after applying the patch. The fix adjusts memory-handling in a low-level driver, and while no regressions have been reported, this system software interacts with a huge variety of hardware. Media production shops, DAW (digital audio workstation) users, and conferencing setups may want to validate microphone, speaker, and interface functionality before rolling out broadly.
How We Got Here
Windows has used a class driver for USB Audio since the early days of plug-and-play, simplifying the user experience — plug in a USB headset and it just works. But convenience brings risk. Physical-access vulnerabilities have long haunted USB: from the BadUSB firmware rewrites of 2014 to more recent Thunderbolt DMA attacks. CVE-2026-49794 is not firmware-based; it’s a coding error in a signed Microsoft driver that ships in every edition.
Microsoft’s Security Response Center disclosed the bug on July 14, 2026, as part of its regular Patch Tuesday cycle, confirming its existence and providing fixed-build thresholds. The National Vulnerability Database mirrored the advisory and began enrichment, while CISA’s SSVC added context: no known exploitation, non-automatable attack, partial technical impact. The absence of a public proof-of-concept gives defenders a window — but reverse-engineering a patch to find the flaw is standard attacker methodology, so that window may be short.
What to Do Now
1. Install the July 2026 security updates immediately. Home users: check Windows Update; enterprise admins: push via WSUS, SCCM, or your endpoint-management tool. Verify build numbers against the table above. Don’t rely solely on “update installed” status — run a compliance scan to confirm the OS build.
2. Pay extra attention to servers and offline systems. Server Core machines, servers in secure rooms (that might be considered inaccessible), and devices that were powered off during the rollout need manual verification. An audio-driver bug on a domain controller sounds absurd — until it isn’t.
3. Review USB device-control policies. Many organizations block mass-storage devices but leave audio-class peripherals wide open. Use Microsoft Defender for Endpoint Device Control, Group Policy installation restrictions, or third-party tools to restrict unauthorized USB audio and composite devices. This is not a substitute for patching — it reduces the opportunity until the patch is in place.
4. Test your audio hardware. Before finishing your deployment, plug in a representative sample of the USB microphones, headsets, docking stations, converter boxes, and MIDI devices your users rely on. If something breaks, it’s likely a driver interaction issue, not an attack. Open a support case with the device vendor if a regression appears.
5. Watch for signs of future exploitation. While no active attacks are known today, monitor CISA’s Known Exploited Vulnerabilities catalog, Microsoft’s threat intelligence feeds, and your own endpoint logs for indicators involving unexpected USB audio devices. Physical attacks are noisy only if you’re looking for them.
Outlook
CVE-2026-49794 will never make the “critical remote exploit” headlines, but it’s precisely the kind of flaw that lingers in unpatched kiosks, hospital systems, and factory PCs long after the patch ships. The low complexity and lack of privilege requirements make it a tempting target for anyone with brief physical access — a visiting contractor, a curious student, a disgruntled employee.
Microsoft’s transparent, wide-ranging patch is the correct fix, and early indicators suggest a calm remediation cycle. The real test comes in the weeks ahead, as security researchers reveal the root cause and attackers craft reliable exploitation tools. For now, the single most important step is updating every Windows machine — including the servers where you’d never expect an audio driver to matter — before that window closes.