Microsoft’s July 14, 2026 security updates fix CVE-2026-49794, an information-disclosure flaw in the Windows USB Audio Class driver,
Detailed in the Microsoft Security Response Center’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-49794 is an out-of-bounds read. Microsoft assigned it a CVSS 3.1 score of 4.6, placing it in the Medium severity range. The available data indicates that a successful attack could expose confidential information without changing data or disrupting system availability.
The disclosure was published as part of Microsoft’s July 2026 Patch Tuesday release. Although the technical description is brief, Microsoft is the assigning authority and has identified the affected component, weakness class, attack requirements, and fixed Windows build thresholds.
CVE-2026-49794 arises when the driver performs an out-of-bounds read, categorized as CWE-125. In practical terms, the driver may read beyond the intended boundary of a memory buffer while processing information supplied through a USB audio device. Data from adjacent memory could then be exposed to the attacker.
Microsoft’s CVSS vector is
The confidentiality rating is High, while integrity and availability are rated None. Microsoft has not described CVE-2026-49794 as a route to code execution, privilege escalation, persistent compromise, or denial of service. It should therefore not be presented as a conventional USB-delivered malware infection, even though the vulnerable code operates in the Windows hardware stack.
The physical attack requirement sharply reduces Internet-scale exposure. A threat actor cannot exploit this bug merely by sending an email, hosting a website, or scanning an exposed service. An attacker must be able to present malicious USB audio hardware to the target system, either directly or through an environment that effectively forwards the device.
That still matters in places where USB access is difficult to control. Public terminals, conference-room PCs, reception systems, classrooms, laboratories, shared editing stations, and unattended operational workstations may all accept peripherals from people who are not trusted administrators. Physical access is a meaningful security boundary, but it is not automatically a strong one.
The July updates move affected installations to at least these builds:
The build thresholds are more dependable than checking whether a particular headset or sound card is currently attached. A vulnerable driver can remain installed as part of Windows even when the machine does not normally use USB audio. Hardware configurations also change, especially on portable systems and machines serviced by local technicians.
Administrators should verify deployment through Windows build inventory, update-compliance reporting, or endpoint-management tools rather than relying only on a successful-update status. Devices that were offline during the July rollout, machines held behind safeguard policies, and systems receiving Extended Security Updates deserve separate attention.
The National Vulnerability Database was still enriching its entry after publication on July 14. CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation, assessed the attack as non-automatable, and described the technical impact as partial. Those observations support a measured response rather than emergency shutdowns of every USB port.
For ordinary home PCs, applying the July cumulative update through Windows Update is the appropriate response. Users do not need to remove legitimate USB headsets after installing the corrected build, nor is there evidence in the available advisory that normal audio devices are inherently unsafe.
Enterprise handling should account for exposure. Organizations with tightly controlled offices can deploy the update through their normal Patch Tuesday cycle, while environments permitting public or contractor access to USB ports have reason to move faster. Existing device-control policies can provide useful defense in depth while updates propagate.
Disabling all removable storage is not necessarily enough because USB Audio is a different device class. Security teams using Microsoft Defender for Endpoint device control, Group Policy installation restrictions, or third-party endpoint-control products should confirm that their rules cover unauthorized audio-class and composite USB devices—not only flash drives.
Installing the July 2026 Windows security update is the definitive remediation. Device restrictions reduce opportunity but do not correct the faulty boundary handling in
Testing is particularly important where a manufacturer-supplied package works alongside or overrides parts of Microsoft’s class-driver stack. The vulnerability record specifically names
No compatibility problem has been tied to the CVE fix in the initial disclosure. Still, organizations should distinguish an audio regression discovered during rollout from evidence of exploitation; a peripheral failing after an update does not by itself indicate an attack.
CVE-2026-49794 is not the most urgent kind of Windows vulnerability: it is neither remotely exploitable nor currently known to be under attack. Its reach is nevertheless unusually broad, and the low-complexity, no-privilege attack conditions make it relevant wherever strangers, visitors, students, contractors, or customers can connect hardware. The immediate milestone for administrators is concrete—bring every affected system to the July 2026 fixed build or later, then verify that USB device-control policy matches the machine’s real physical exposure.
usbaudio.sys. The vulnerability requires physical access, but it spans supported Windows 10, Windows 11, and Windows Server releases, making the cumulative updates relevant to desktops, shared workstations, kiosks, and other systems where untrusted USB hardware can be connected.Detailed in the Microsoft Security Response Center’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-49794 is an out-of-bounds read. Microsoft assigned it a CVSS 3.1 score of 4.6, placing it in the Medium severity range. The available data indicates that a successful attack could expose confidential information without changing data or disrupting system availability.
The disclosure was published as part of Microsoft’s July 2026 Patch Tuesday release. Although the technical description is brief, Microsoft is the assigning authority and has identified the affected component, weakness class, attack requirements, and fixed Windows build thresholds.
A Malicious USB Audio Device Is the Practical Threat
usbaudio.sys is Microsoft’s built-in driver for devices that conform to the USB Audio class. Windows can load it automatically when compatible equipment is attached, allowing common peripherals such as USB microphones, headsets, speakers, audio interfaces, and some composite devices to operate without a separate vendor driver.CVE-2026-49794 arises when the driver performs an out-of-bounds read, categorized as CWE-125. In practical terms, the driver may read beyond the intended boundary of a memory buffer while processing information supplied through a USB audio device. Data from adjacent memory could then be exposed to the attacker.
Microsoft’s CVSS vector is
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. That dense string contains the most useful details currently available: exploitation requires physical access, attack complexity is low, no existing account or privileges are required, and no additional user interaction is needed once the attack conditions are established.The confidentiality rating is High, while integrity and availability are rated None. Microsoft has not described CVE-2026-49794 as a route to code execution, privilege escalation, persistent compromise, or denial of service. It should therefore not be presented as a conventional USB-delivered malware infection, even though the vulnerable code operates in the Windows hardware stack.
The physical attack requirement sharply reduces Internet-scale exposure. A threat actor cannot exploit this bug merely by sending an email, hosting a website, or scanning an exposed service. An attacker must be able to present malicious USB audio hardware to the target system, either directly or through an environment that effectively forwards the device.
That still matters in places where USB access is difficult to control. Public terminals, conference-room PCs, reception systems, classrooms, laboratories, shared editing stations, and unattended operational workstations may all accept peripherals from people who are not trusted administrators. Physical access is a meaningful security boundary, but it is not automatically a strong one.
The Fix Reaches Across the Windows Fleet
The affected-product record covers a wide range of Windows generations, including versions still maintained through specialized or extended servicing arrangements. Systems running builds below Microsoft’s listed fixed thresholds remain vulnerable.The July updates move affected installations to at least these builds:
- Windows 10 version 1607 and Windows Server 2016 are fixed at build 14393.9339.
- Windows 10 version 1809 and Windows Server 2019 are fixed at build 17763.9020.
- Windows 10 version 21H2 is fixed at build 19044.7548.
- Windows 10 version 22H2 is fixed at build 19045.7548.
- Windows Server 2022 is fixed at build 20348.5386.
- Windows 11 version 24H2 is fixed at build 26100.8875.
- Windows 11 version 25H2 is fixed at build 26200.8875.
- Windows 11 version 26H1 is fixed at build 28000.2269.
- Windows Server 2025 is fixed at build 26100.33158.
- Windows Server 2012 is fixed at build 9200.26226, while Windows Server 2012 R2 is fixed at build 9600.23291.
The build thresholds are more dependable than checking whether a particular headset or sound card is currently attached. A vulnerable driver can remain installed as part of Windows even when the machine does not normally use USB audio. Hardware configurations also change, especially on portable systems and machines serviced by local technicians.
Administrators should verify deployment through Windows build inventory, update-compliance reporting, or endpoint-management tools rather than relying only on a successful-update status. Devices that were offline during the July rollout, machines held behind safeguard policies, and systems receiving Extended Security Updates deserve separate attention.
Medium Severity Does Not Mean No Action
The 4.6 score reflects the constrained attack path, not uncertainty about whether the vulnerability exists. Microsoft has confirmed the defect and supplied affected-version boundaries. What remains limited is the amount of public technical detail: there is no disclosed proof-of-concept, malicious USB descriptor sequence, leaked-memory example, or public root-cause analysis in the initial advisory.The National Vulnerability Database was still enriching its entry after publication on July 14. CISA’s initial Stakeholder-Specific Vulnerability Categorization data recorded no known exploitation, assessed the attack as non-automatable, and described the technical impact as partial. Those observations support a measured response rather than emergency shutdowns of every USB port.
For ordinary home PCs, applying the July cumulative update through Windows Update is the appropriate response. Users do not need to remove legitimate USB headsets after installing the corrected build, nor is there evidence in the available advisory that normal audio devices are inherently unsafe.
Enterprise handling should account for exposure. Organizations with tightly controlled offices can deploy the update through their normal Patch Tuesday cycle, while environments permitting public or contractor access to USB ports have reason to move faster. Existing device-control policies can provide useful defense in depth while updates propagate.
Disabling all removable storage is not necessarily enough because USB Audio is a different device class. Security teams using Microsoft Defender for Endpoint device control, Group Policy installation restrictions, or third-party endpoint-control products should confirm that their rules cover unauthorized audio-class and composite USB devices—not only flash drives.
Installing the July 2026 Windows security update is the definitive remediation. Device restrictions reduce opportunity but do not correct the faulty boundary handling in
usbaudio.sys.Patch Validation Should Include the Audio Stack
Because the fix touches a broadly used in-box audio component, staged deployment remains sensible. IT teams should test representative USB microphones, headsets, docking stations, conferencing systems, digital-to-analog converters, MIDI-capable equipment, and specialized recording interfaces after installing the update.Testing is particularly important where a manufacturer-supplied package works alongside or overrides parts of Microsoft’s class-driver stack. The vulnerability record specifically names
usbaudio.sys, but real Windows audio configurations can combine Microsoft components, vendor extensions, filter drivers, and composite-device functions.No compatibility problem has been tied to the CVE fix in the initial disclosure. Still, organizations should distinguish an audio regression discovered during rollout from evidence of exploitation; a peripheral failing after an update does not by itself indicate an attack.
CVE-2026-49794 is not the most urgent kind of Windows vulnerability: it is neither remotely exploitable nor currently known to be under attack. Its reach is nevertheless unusually broad, and the low-complexity, no-privilege attack conditions make it relevant wherever strangers, visitors, students, contractors, or customers can connect hardware. The immediate milestone for administrators is concrete—bring every affected system to the July 2026 fixed build or later, then verify that USB device-control policy matches the machine’s real physical exposure.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: learn.microsoft.com
USB Audio Class System Driver (Usbaudio.sys) - Windows drivers | Microsoft Learn
The USB Audio class system driver (Usbaudio.sys) is an AVStream minidriver that provides driver support for audio devices that comply with the Universal Serial Bus (USB) Device Class Definition for Audio Devices.learn.microsoft.com