CVE-2026-50479 is a Windows USB Hub Driver elevation of privilege vulnerability caused by an untrusted pointer dereference. It affects Windows 10 1809, 21H2, and 22H2, as well as Windows Server 2019, 2022, and 2025. The CVSS v3.1 base score is 7.8 (High) with a temporal score of 6.8; the vector is local, low complexity, low privileges required, no user interaction, and unchanged scope. Microsoft reports no public disclosure and no known exploitation, with exploit code maturity unproven. Because this is a local privilege escalation issue, enterprise risk is highest on systems where low-privileged local access is possible. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Elevation of Privilege with HIGH confidentiality, HIGH integrity, and HIGH availability impacts - Exploitation likelihood: Exploitation Less Likely; local vector, LOW attack complexity, LOW privileges required, and NO user interaction - Severity for enterprise: High severity as scored, but primarily a local-only risk rather than a network-exposed service risk - Patch status: available; customer action required Affected systems: - Windows 10 1809 - Windows 10 21H2 - Windows 10 22H2 - Windows Server 2019 - Windows Server 2022 - Windows Server 2025