CVE-2026-50479: Patch Windows USB Hub Elevation Bug

CVE-2026-50479, an elevation-of-privilege vulnerability in the Windows USB Hub Driver, is fixed in Microsoft’s July 14, 2026 security updates for affected Windows 10 and Windows Server releases. Administrators should deploy the relevant cumulative update because successful exploitation could give a locally authenticated attacker high-impact control over a vulnerable system.
Microsoft rates the flaw Important with a CVSS 3.1 base score of 7.8. Detailed in the Microsoft Security Response Center’s Security Update Guide and recorded by the National Vulnerability Database, the vulnerability stems from an untrusted pointer dereference in the USB hub driver.
The vulnerability was not publicly disclosed or known to be exploited when Microsoft published its advisory. Microsoft assesses exploitation as “Less Likely,” but no mitigation or workaround is listed; installing the security update is the available remediation.

Cybersecurity dashboard showing a driver vulnerability patched, systems protected, and deployment progress monitored.A Local Foothold Could Become Full System Control​

CVE-2026-50479 is not a remote, unauthenticated entry point. Its CVSS vector specifies local access and low privileges, meaning an attacker must already be able to execute code or sign in on the target computer before attempting exploitation.
That requirement limits the immediate exposure compared with a remotely exploitable USB-stack vulnerability. It does not make the flaw harmless. Elevation-of-privilege bugs are routinely used as the second stage of an attack, turning access obtained through phishing, malicious software, a compromised standard account, or another vulnerability into much deeper control.
Microsoft’s scoring indicates low attack complexity and no additional user interaction. Once the attacker has the required foothold, exploitation reportedly does not depend on another user opening a file, approving a prompt, or connecting a specially prepared peripheral.
The confidentiality, integrity, and availability impact ratings are all High. In practical terms, Microsoft considers a successful attack capable of causing a complete loss of protection across those three areas, potentially allowing access to sensitive data, modification of system resources, and disruption of the affected machine.
The scope remains unchanged under the CVSS model, so the vulnerability does not cross into a separately governed security authority. For defenders, however, the main distinction is simpler: a low-privileged account could potentially be converted into substantially more powerful access on the same Windows installation.

The Fault Sits in a Trusted Driver Boundary​

Microsoft associates CVE-2026-50479 with CWE-822, Untrusted Pointer Dereference. This class of weakness occurs when privileged code uses a pointer that cannot be trusted, potentially causing it to read from or write to an unintended memory location.
That is particularly significant in a Windows driver. USB hub handling is part of the operating system’s hardware-support path, and driver code executes within a far more privileged context than an ordinary desktop application. A pointer-handling mistake at that boundary can therefore become a route from user-level access toward operating-system privileges.
Microsoft has not published proof-of-concept code, memory-layout details, or a step-by-step attack sequence. The available description also does not establish that inserting a malicious USB device is sufficient—or even required—to exploit the bug. The CVSS vector identifies the attack as local, but administrators should not interpret the component name alone as evidence that physical access is necessary.
The distinction matters for endpoint policy. Blocking removable storage may still be useful as a broader security control, but Microsoft does not list it as a mitigation for CVE-2026-50479. Device-control rules should not be treated as a substitute for the July update.
The advisory’s report-confidence metric is Confirmed. That designation means the vulnerability’s existence has been confirmed by Microsoft or is supported by sufficiently detailed technical evidence. It raises confidence that the flaw is real, but it does not mean exploit code is circulating or attacks have been observed.

Affected Systems Center on Windows 10 and Windows Server​

Microsoft’s CVE record identifies Windows 10 versions 1809, 21H2, and 22H2, along with Windows Server 2019, Windows Server 2022, and Windows Server 2025. Server Core installations are explicitly included for Windows Server 2019 and Windows Server 2025.
The corrected build thresholds published with the CVE are:
  • Windows 10 version 1809 and Windows Server 2019 are protected at OS Build 17763.9020 or later.
  • Windows 10 version 21H2 is protected at OS Build 19044.7548 or later.
  • Windows 10 version 22H2 is protected at OS Build 19045.7548 or later.
  • Windows Server 2022 is protected at OS Build 20348.5386 or later.
  • Windows Server 2025 is protected at OS Build 26100.33158 or later.
For Windows 10 version 1809 and Windows Server 2019, the relevant July cumulative update is KB5099538. Windows 10 versions 21H2 and 22H2 receive the fix through KB5099539, while Windows Server 2022 uses KB5099540 and Windows Server 2025 uses KB5099536.
Windows 11 is not listed among the affected products in the initial CVE record. Administrators should follow Microsoft’s product table rather than assume that every Windows release using USB hubs contains the vulnerable implementation.
Support status remains important. Windows 10 version 22H2 reached the end of ordinary support on October 14, 2025, so continued security servicing depends on eligibility for the Windows 10 Extended Security Updates program or another supported servicing channel. Windows 10 Enterprise LTSC editions remain governed by their separate lifecycle dates.
Organizations maintaining older Windows installations should verify that the July update was actually offered and installed. A device that appears in inventory as “Windows 10” may be on a consumer build outside normal support, an ESU-enrolled deployment, or an LTSC release with a different servicing position.

Patch Verification Is Better Than USB Guesswork​

Because Microsoft offers no workaround, the immediate operational task is to confirm cumulative-update coverage. Windows Update, Windows Update for Business, Microsoft Configuration Manager, Windows Server Update Services, and the Microsoft Update Catalog can all provide the applicable packages.
Administrators can verify remediation with winver, PowerShell inventory, endpoint-management reporting, or their vulnerability-management platform. The installed OS build should meet or exceed the corrected build for that product; merely seeing a successful update scan does not prove that the July cumulative update finished installing.
Testing remains appropriate before broad server deployment because July’s cumulative packages contain other security and quality changes. Microsoft reports a BitLocker recovery-key issue affecting a limited set of Windows Server 2022 systems with an unrecommended PCR7 Group Policy configuration. That deployment concern does not remove the need to patch CVE-2026-50479, but it gives administrators a reason to audit affected BitLocker policy before restarting critical servers.
Security teams should also avoid over-prioritizing this flaw solely because it touches USB. At publication, Microsoft reported no active exploitation, no public disclosure, and no known proof of concept. Internet-facing remote-code-execution bugs and vulnerabilities already used in attacks may warrant faster emergency handling.
CVE-2026-50479 nevertheless belongs in the normal July 2026 patch cycle without unnecessary delay. Its low-complexity, no-user-interaction profile makes it a credible privilege-escalation building block if attackers develop a reliable technique.
The practical finish line is measurable: Windows 10 systems should reach builds 17763.9020, 19044.7548, or 19045.7548 as applicable, Windows Server 2022 should reach 20348.5386, and Windows Server 2025 should reach 26100.33158. Until those builds or later cumulative updates are installed, the affected USB Hub Driver remains exposed.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top