CVE-2026-50310: July Updates Fix Windows HID Data Leak

CVE-2026-50310 has been fixed across supported Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 releases through Microsoft’s July 14, 2026 security updates. The flaw is a local information-disclosure vulnerability in Windows Human Interface Device functionality, where an integer overflow or wraparound could expose sensitive information to an attacker who already has permission to run code on the affected machine.
Microsoft published the vulnerability through the Microsoft Security Response Center as part of the July 2026 Patch Tuesday release. The National Vulnerability Database, which was still awaiting its own enrichment analysis at publication time, records Microsoft’s CVSS 3.1 score of 4.7, placing CVE-2026-50310 in the Medium severity range.
This is not a drive-by compromise or an unauthenticated network attack. Microsoft’s vector describes a local, high-complexity attack requiring low privileges, but no interaction from another user. Its stated security impact is limited to confidentiality: a successful attacker could obtain information, but the vulnerability does not directly provide code execution, privilege escalation, data modification, or denial of service.

A glowing cybersecurity shield protects a computer setup, transforming a red warning into a green checkmark.A Local Flaw With a Potentially Valuable Payoff​

The underlying weakness is classified as CWE-190, an integer overflow or wraparound. This class of bug appears when software performs an arithmetic operation that produces a value outside the range its integer type can represent, potentially causing calculations involving sizes, offsets, indexes, or memory boundaries to produce an unintended result.
Microsoft’s public description is concise: an authorized attacker can exploit an integer overflow in Windows Devices Human Interface to disclose information locally. The company has not publicly documented the exact data structure involved, the sequence required to trigger the faulty calculation, or what information can be recovered.
The CVSS vector provides more useful boundaries. CVE-2026-50310 is scored as CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, which means:
  • An attacker must operate locally rather than sending the exploit directly across a network.
  • Exploitation requires conditions Microsoft considers relatively difficult to arrange.
  • The attacker needs an existing low-privilege account or comparable local execution foothold.
  • No victim needs to click a link, open a file, or approve a prompt.
  • Successful exploitation could have a high confidentiality impact.
  • Microsoft assigns no direct integrity or availability impact.
That combination makes the flaw less urgent than a remotely exploitable Windows vulnerability, but it does not make the update optional. Information-disclosure bugs are frequently most useful as components in broader attack chains. Data recovered from memory can sometimes help attackers defeat mitigations, expose secrets, or prepare a more reliable second-stage exploit, although Microsoft has not said that CVE-2026-50310 enables any particular follow-on attack.
The “report confidence” language displayed by MSRC is also easy to misread. It explains the CVSS concept used to express confidence in a vulnerability report; it is not a technical description of the HID flaw itself. Microsoft’s acknowledgement and publication of CVE-2026-50310 confirm the vulnerability’s existence, but they do not reveal its root-cause implementation details or provide administrators with a standalone detection signature.

July Builds Draw the Remediation Line​

Microsoft’s affected-version records identify the first non-vulnerable build for nearly every listed Windows branch. Administrators can therefore verify remediation by checking that endpoints have reached the applicable July build or a later cumulative update.
For Windows 11 version 24H2 and Windows 11 version 25H2, the relevant release is KB5101650, taking systems to OS builds 26100.8875 and 26200.8875 respectively. Microsoft says it is not currently aware of any general issues with that cumulative update, although availability was temporarily restricted for a limited set of Dell devices with Intel processors because of a separate compatibility problem involving shutdowns, heat, battery drain, and performance.
Windows 10 systems receiving continued security servicing use KB5099539, which advances version 22H2 to build 19045.7548 and version 21H2 to build 19044.7548. Ordinary Windows 10 version 22H2 support ended on October 14, 2025, so consumer and business installations now need Extended Security Updates unless they belong to a still-supported LTSC or IoT servicing channel.
The remaining affected releases and July updates are:
  • Windows 10 version 1809 and Windows Server 2019 receive KB5099538, reaching build 17763.9020.
  • Windows Server 2022 receives KB5099540, reaching build 20348.5386.
  • Windows Server 2025 receives KB5099536, reaching build 26100.33158.
  • Windows 11 version 26H1 receives KB5101649, taking the operating system beyond the affected build boundary recorded for CVE-2026-50310.
Both full and Server Core installations of Windows Server 2019 and Windows Server 2025 appear in Microsoft’s affected-product data. The vulnerability therefore should not be dismissed as dependent on a conventional desktop shell or an interactive graphical environment.
Because Windows cumulative updates supersede earlier releases, systems do not need a separate CVE-specific hotfix. Installing the applicable July 14 cumulative update—or any later cumulative update containing it—delivers the correction alongside the month’s other security and reliability changes.

HID Exposure Extends Beyond Keyboards and Mice​

Human Interface Device support is commonly associated with keyboards, mice, touchpads, game controllers, drawing tablets, and similar peripherals. In Windows, however, HID is a broader device and protocol category, and its presence is routine on both physical endpoints and virtualized systems.
Microsoft has not said that exploitation requires plugging in a malicious USB device. The published vector establishes only that exploitation is local and requires low privileges; it does not establish whether the triggering input comes from a physical peripheral, a virtual device, a crafted software interaction, or another path through Windows HID handling. Administrators should avoid imposing a USB-specific attack model that Microsoft has not documented.
Likewise, device-control policies should not be treated as a substitute for patching. Restrictions on removable hardware may reduce exposure to some peripheral-based threats, but there is no public evidence that such controls fully mitigate CVE-2026-50310. The vendor-provided cumulative update is the concrete remediation.
The absence of public exploit details also limits detection options. Security teams cannot reliably search for one documented event ID, HID descriptor, process name, or file artifact associated with this CVE. Existing endpoint controls still matter because the attacker needs local execution and some authorization, but those controls address the prerequisite foothold rather than the vulnerable arithmetic operation.

Deployment Risk Comes From the Cumulative Update​

For enterprise IT, the operational decision is less about the 4.7 score than about deploying the full July cumulative package. The Windows 11 and Windows 10 updates include changes to hotkey cleanup behavior, networking hardening, Secure Boot certificate deployment, and other platform components that may require application testing.
Microsoft warns that rare built-in Windows experiences relying on earlier hotkey lifecycle behavior may temporarily stop responding to certain keyboard shortcuts after the July change. Restarting the affected application is the stated first response. That input-related compatibility change appears in the same cumulative releases as the CVE fix, but Microsoft’s update notes do not identify it specifically as the remediation for CVE-2026-50310.
Windows Server 2022 administrators face an additional concern unrelated to the HID vulnerability. Microsoft says devices using a particular unrecommended BitLocker policy configuration can request the recovery key on the first restart after installing the July update. Organizations using explicit PCR7 settings should audit the affected Group Policy and confirm that recovery keys are available before broad deployment.
Those compatibility considerations justify staged testing, not indefinite deferral. A sensible rollout starts with representative hardware—including systems with specialized HID peripherals—then expands after validating keyboard shortcuts, device-dependent applications, BitLocker startup behavior, and networking software.
CVE-2026-50310 is a confirmed Windows confidentiality flaw with constrained prerequisites and no published remote path. The practical response is straightforward: verify that Windows 11 systems have reached the applicable 26100.8875, 26200.8875, or later build; confirm that serviced Windows 10 and Windows Server branches meet their July build thresholds; and treat any machine below those levels as still exposed.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top