A malicious USB audio device can read secrets from a locked Windows PC—but only if someone plugs it in. Microsoft patched that flaw, and two others like it, in this month’s security updates. The July 14, 2026 release addresses CVE-2026-50453, an information-disclosure bug in the built-in Windows USB Audio Class driver, usbaudio.sys.

The vulnerability in plain terms

When you connect a USB headset, speakerphone, or audio interface, Windows loads usbaudio.sys automatically. That driver handles the standard data streams and control requests defined by the USB Audio specification. According to Microsoft’s Security Response Center advisory, a specially crafted USB device can cause the driver to read memory out of bounds—an error class tracked as CWE-125.

The immediate result isn’t remote code execution. Instead, the out-of-bounds read may reveal portions of kernel or process memory that should be off-limits. Microsoft’s CVSS 3.1 scoring (base score 6.1, “Important” severity) confirms that confidentiality and availability take a hit, but integrity remains untouched. In plain language: an attacker could steal information and possibly crash the machine, but they can’t directly modify files, install software, or inject commands through this bug alone.

The defining constraint is the attack vector. The vulnerability requires physical access—someone must connect a malicious device to a USB port. It cannot be triggered over a network, by email, or by visiting a website. No user interaction or login is needed once the device is enumerated, which raises the stakes for shared or unattended computers.

Three USB audio flaws fixed together

CVE-2026-50453 didn’t arrive in isolation. The July update also corrects CVE-2026-49794 and CVE-2026-58528, both classified as Important information-disclosure issues in the same driver. The Zero Day Initiative, which tracks these vulnerabilities alongside Microsoft, reported that none were publicly disclosed or exploited when the patches shipped.

Microsoft’s advisory lists a wide range of affected Windows editions, reflecting the driver’s long-standing role as an operating-system component. The table below shows key fixed builds; any version at or above the listed build includes the fix.

Windows Version Fixed Build
Windows 11 24H2 26100.8875
Windows 11 25H2 26200.8875
Windows 11 26H1 28000.2269
Windows 10 22H2 19045.7548
Windows 10 21H2 19044.7548
Windows 10 1809 / Server 2019 17763.9020
Windows 10 1607 / Server 2016 14393.9339
Windows Server 2022 20348.5386
Windows Server 2025 (including Core) 26100.33158

Server 2012 and 2012 R2 also receive patches if you pay for Extended Security Updates. Specific update packages—like KB5099538 for Windows Server 2019 / Windows 10 1809, KB5099540 for Server 2022, and KB5099444 for the monthly rollup on older systems—can be found through the Security Update Guide.

What this means for you

For home users and individual PCs: The risk is low if you don’t leave your computer unattended where strangers could plug in a device. Install the latest cumulative update through Windows Update. You don’t need to stop using legitimate USB audio gear, disable the audio driver, or take any special steps beyond patching.

For business and IT admins: The threat model shifts for shared workstations, reception desks, classroom computers, conference-room systems, medical carts, and public kiosks—any machine where an unauthorized person can reach a USB port. In those environments, apply the July update as a priority. If deployment must be delayed, consider temporary controls:

  • Restrict physical access: lock away unused ports, disable front-panel USBs in BIOS, or use port blockers.
  • Enforce device-installation policy: group policy settings under “Prevent installation of devices that match any of these device IDs” or “Allow installation of devices that match any of these device IDs” let you block all USB audio devices or permit only approved hardware.
  • Avoid blanket USB shutdown: keyboards, mice, smart-card readers, and assistive technology rely on USB. Class-based restrictions are more surgical.

Don’t try to remove or rename usbaudio.sys. It’s a protected system component; tampering with it breaks class-compliant audio and doesn’t address the root fix.

For server administrators: Servers in locked data centers face minimal exposure, but if a console port or remote management card (iDRAC, iLO) provides USB passthrough, an attacker with physical proximity to the server room could plug in a device. Patching remains the safest route. Server Core is also affected because the vulnerable driver is present regardless of the graphical shell.

How we got here

usbaudio.sys has been Windows’ built-in handler for USB Audio Class devices since the early 2000s. It’s a convenience feature: plug in a standard USB microphone, speaker, or audio mixer, and it just works. But that same convenience makes the driver a target. Every device descriptor and control request becomes parsing code that runs in kernel context.

Out-of-bounds read vulnerabilities occasionally surface in similar drivers. In March 2025, Synaptics disclosed memory-corruption issues in its audio drivers. The July 2026 batch specifically targets the inbox Microsoft driver, highlighting the risk that any system component processing untrusted input—even simple USB descriptor data—can contain exploitable defects.

Microsoft hasn’t published a root-cause analysis, and as of this writing no public proof-of-concept code exists. That doesn’t mean such code won’t appear. Security researchers often reverse-engineer patches to understand the bug, and an exploit requiring physical attachment might be demonstrated at conferences or used in targeted espionage.

What to do now

  1. Check your current build. Press Win+R, type winver, and compare against the fixed builds above. Or use System Information to find the OS build number.
  2. Apply the July 2026 cumulative update. Windows Update delivers it automatically on Patch Tuesday. Enterprise tools—Windows Update for Business, WSUS, Configuration Manager, Intune—can deploy it at scale. The specific KB number depends on your version; the fix is rolled into the standard monthly quality update.
  3. For critical systems that can’t be updated immediately: Implement physical port restrictions. Use the group policy editor (gpedit.msc) to navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. Set “Prevent installation of devices that match any of these device IDs” and add the hardware IDs for USB audio devices (e.g., USB\Class_01). More granular control is possible by allowing only devices that match a list of approved IDs.
  4. Verify that your USB audio devices still work after patching. The update doesn’t remove functionality—it corrects the vulnerability. But if you’ve applied restrictive policies, test that authorized headsets, mics, and conference units enumerate correctly.
  5. Stay on track with monthly updates. The fix is cumulative, so any future update will also include this patch.

Outlook

Microsoft is likely to continue hardening the USB Audio Class driver and other plug-and-play parsers. The fact that three similar flaws appeared in one month suggests either a focused code audit or external research submission. No exploitation has been detected yet, but the physical-access requirement doesn’t eliminate the need for timely patching—especially in environments where USB ports are exposed. Keep an eye on the Zero Day Initiative and Microsoft’s Security Update Guide for any future advisories regarding usbaudio.sys. For now, a reboot and a build check are all it takes to close this door.