CVE-2026-58528: July Updates Fix Windows USB Audio Data Leak

Microsoft’s July 14, 2026 security updates fix CVE-2026-58528, an out-of-bounds read in the Windows USB Audio Class driver, usbaudio.sys, that can expose information when an attacker has physical access to a vulnerable PC. The flaw carries a CVSS 3.1 score of 6.8 and is rated Important by Microsoft, but its physical-access requirement makes it a different operational priority from the month’s remotely exploitable Windows bugs.
Microsoft’s Security Update Guide lists the issue as an information disclosure vulnerability and says customer action is required. The underlying CVE record describes an attacker with access to a machine or connected USB interface triggering an out-of-bounds read in the class driver used for USB audio hardware. Microsoft has not reported public disclosure or active exploitation, and its Exploitability Index marks the issue Exploitation Less Likely.
That is not a reason to leave the update uninstalled. It is a reason to put the risk in its proper place: this is chiefly a patching and physical-device-control problem for managed Windows fleets, shared workstations, labs, kiosk deployments, and servers where untrusted peripherals can be connected.

Infographic showing a USB audio driver vulnerability, security update, and enterprise patch deployment.The vulnerable component sits beneath ordinary USB audio hardware​

usbaudio.sys is Windows’ inbox driver for USB Audio Class devices. It exists so standard USB headsets, microphones, speakerphones, docks, monitor audio interfaces, and other compatible devices can work without a vendor-specific driver package.
The downside of such a broadly used class driver is exposure to a huge and varied peripheral ecosystem. A malicious device does not need to present itself as an obviously suspicious USB storage stick; a device claiming to be an audio endpoint, or a composite device exposing an audio function, can be relevant to the affected code path.
Microsoft attributes CVE-2026-58528 to Jonghoi Kim and Donghyeon Oh of Patchpoint. The public advisory does not provide a proof of concept, precise malformed descriptor details, or a reproduction sequence. That restraint is significant: administrators should avoid filling gaps in the advisory with assumptions about which brands of headset, dock, microphone, or USB-C monitor are vulnerable. The vulnerability is in the Windows driver’s handling of hostile input, not an indictment of compliant audio products.
The defect is classified as CWE-125, an out-of-bounds read. In practical terms, that means the driver may read data past the intended boundary of a memory buffer after processing specially crafted input. Microsoft labels the impact as information disclosure, although the published CVSS vector assigns high confidentiality, integrity, and availability impacts. The safer conclusion is not that the bug independently delivers a full system takeover, but that kernel-driver memory-safety faults can have broad consequences when a workable exploit chain is developed.

Physical access changes the response, not the need to patch​

The CVSS vector begins with AV:P, meaning the attack vector is physical. An attacker must be able to interact with the target hardware rather than simply reach it over the network or persuade a user to open a document. No privileges or user interaction are listed as prerequisites.
That requirement lowers the odds of indiscriminate internet-scale abuse, and Microsoft’s current “Exploitation Less Likely” assessment reinforces that judgement. Microsoft defines that category as cases where exploit code may be possible but reliably producing it is expected to require expertise, sophisticated timing, or conditions that make exploitation less attractive. The vendor can revise that assessment if new information changes the near-term risk picture.
But physical access is not a niche concern in enterprise IT. Consider reception PCs, conference-room systems, classroom devices, retail endpoints, developer workstations, airport or field-service laptops, and production systems in environments with contractors or rotating staff. In those settings, “someone can plug in a peripheral” is often an ordinary condition, not an extraordinary breach.
USB-C also makes peripheral trust boundaries less visible than they were in the era of standalone audio jacks. One cable can carry docking, charging, display, Ethernet, storage, HID input, and audio functions. Asset-control policies that focus solely on removable storage may not fully address devices that enumerate as a mixture of functions, including USB audio.
For home users, the immediate action is straightforward: install the July cumulative update through Windows Update and restart when required. There is no Microsoft-issued workaround that substitutes for patching, and disconnecting every headset is neither durable nor necessary once the system is current.

July’s cumulative updates carry the fix across supported Windows releases​

The remediation is included in Microsoft’s July 2026 cumulative updates rather than delivered as a separate USB audio driver package. Microsoft’s affected-software data identifies Windows 10, Windows 11, and supported Windows Server releases.
At minimum, administrators should confirm the following build thresholds or later versions are installed:
ProductPatched build
Windows 10 version 1809 / Windows Server 201917763.9020
Windows 10 versions 21H2 and 22H219044.7548 / 19045.7548
Windows Server 202220348.5386
Windows 11 versions 24H2 and 25H226100.8875 or later
Windows Server 202526100.33158
Windows 11 version 26H128000.2525
Microsoft’s support documentation identifies KB5099538 as the July 14 cumulative update for Windows 10 version 1809 and Windows Server 2019, KB5099536 for Windows Server 2025, and KB5101649 for Windows 11 version 26H1. Windows 11 24H2 and 25H2 systems receive the relevant July servicing through their own cumulative update track, including KB5101650.
The exact KB matters because the July release includes far more than this one USB audio defect. Windows servicing is cumulative: a device already carrying a newer supported build has the security correction, even if it did not install the original July package by its KB number. Conversely, an endpoint shown as compliant merely because it installed some July update should be checked against its applicable product and build.
For WSUS, Microsoft Configuration Manager, Windows Update for Business, Intune, and Autopatch environments, this should be normal quality-update work. Administrators should first validate the applicable July cumulative updates in a pilot ring, with particular attention to endpoints that use USB docks, conferencing hardware, professional audio interfaces, industrial peripherals, and locked-down kiosk configurations.

Device control remains a useful compensating layer​

Patching removes the known vulnerable code path. It does not make arbitrary USB devices trustworthy, nor does it solve every risk created by a physically accessible endpoint.
Organizations that cannot patch immediately should review their existing controls around peripheral connection rather than inventing a one-off block for USB Audio Class devices. Broadly disabling USB audio can break headsets, conference-room equipment, accessibility devices, call-center workflows, and USB-C docking arrangements. It may also create help-desk pressure that encourages users to find unmanaged workarounds.
The more proportionate interim approach is to apply controls where exposure is greatest:
  • Shared, kiosk, lab, and public-facing systems should restrict unauthorized peripheral use through their established endpoint and physical-security policies.
  • Privileged access workstations and administrator jump hosts should have a particularly tight policy for unknown USB devices, including seemingly harmless headsets and docks.
  • Teams should inventory conferencing rooms and dock-heavy workstation groups before broad deployment so post-update testing covers the hardware that actually matters.
  • Security operations staff should treat unexpected USB device-enumeration events on sensitive systems as potentially relevant telemetry, not merely as an asset-management nuisance.
This is also a reminder that physical attack in a CVSS vector does not mean an attacker must literally sit at the keyboard. Supply-chain substitutions, malicious loaner devices, compromised docking stations, and opportunistic access to unattended equipment can all create the condition required to present hostile USB input.

CVE-2026-58528 does not currently demand the same emergency posture as an exploited remote code execution flaw. Microsoft reports no active exploitation, no public disclosure, and a lower likelihood of reliable exploit development. Still, the patch is already available in the July 14 cumulative updates, and the affected component operates in a privileged part of Windows where a malformed peripheral should never be trusted to fail safely. For most organizations, the practical milestone is simple: verify July build compliance across USB-exposed endpoints before the next device someone plugs in becomes the test case.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top