A newly disclosed CVE‑2026‑2291 vulnerability in the Windows Print Spooler service enables unauthenticated remote code execution. Microsoft rates it CVSS 9.8. All supported Windows 10, Windows 11, and Windows Server 2022 systems must apply the out‑of‑band patch released on 12 May 2026. Workarounds include disabling the Print Spooler service and restricting printer driver installation to trusted sources.
Impact:
Microsoft has issued an out‑of‑band security update for CVE‑2026‑2291, a remote code execution (RCE) bug in the Windows Print Spooler service. Successful exploitation allows an unauthenticated attacker on the same network to execute arbitrary code with SYSTEM privileges. The flaw can be weaponized to spread ransomware across enterprise environments in minutes.
Technical Details:
- Vulnerability ID: CVE‑2026‑2291
- Product(s) Affected: Windows 10 (versions 1909‑22H2), Windows 11 (21H2‑23H2), Windows Server 2019, Windows Server 2022, and Windows Server version vNext.
- Component: Print Spooler (spoolsv.exe) – handling of printer driver packages.
- Root Cause: Insufficient validation of the `DriverPackagePath` field in the `AddPrinterDriverEx` RPC call. An attacker can supply a crafted UNC path pointing to a malicious DLL. The spooler loads the DLL without signature verification, executing code as SYSTEM.
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploitability: Public proof‑of‑concept released on 9 May 2026. Exploits observed in the wild targeting corporate LANs.
- Attack Flow:
  - Attacker discovers a vulnerable host with Print Spooler enabled.
  - Sends a crafted `AddPrinterDriverEx` request via SMB to the host.
  - The host loads the attacker‑controlled DLL from a network share.
  - Malicious code runs with SYSTEM rights, establishing a backdoor.
Why It Matters:
The Print Spooler service is enabled by default on virtually every Windows desktop and server. Because it runs with high privileges, any compromise gives attackers full control of the machine. In multi‑tenant environments, the bug can be leveraged to jump from a low‑privilege user to domain admin credentials through credential dumping tools that run under SYSTEM.
Mitigation Timeline:
| Date | Action |
|---|---|
| 9 May 2026 | Proof‑of‑concept released publicly |
| 10 May 2026 | Microsoft issues advisory (MSRC‑2026‑001) |
| 12 May 2026 | Out‑of‑band security update (KB5029385) released |
| 19 May 2026 | End of grace period for non‑critical systems |
Remediation Steps:
- Apply the Patch Immediately – Download and install KB5029385 from the Microsoft Update Catalog. The update is cumulative and covers all affected builds.
- Verify Installation – Run `wmic qfe list brief /format:table | find "5029385"` to confirm the patch is present.
- Restart the Print Spooler Service – Execute `net stop spooler && net start spooler` or reboot the system.
- Enable Automatic Updates – Ensure Windows Update is set to automatically download and install security updates.
Short‑Term Workarounds (If Patch Cannot Be Applied Immediately):
- Disable Print Spooler on servers that do not require printing: `sc stop spooler && sc config spooler start= disabled`.
- Restrict Driver Installation – Set Group Policy Computer Configuration → Administrative Templates → Printers → Point and Print Restrictions to allow only signed drivers from trusted sources.
- Network Segmentation – Block inbound SMB (ports 445/139) from untrusted subnets to limit exposure.
- Enable SMB Signing – Enforce SMB signing via Group Policy to mitigate man‑in‑the‑middle tampering.
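The remediation steps and workarounds above can be checked on a single host with the following audit script. It is an added example, not part of the advisory or a Microsoft tool; it assumes an elevated PowerShell session, uses the KB number the advisory names, and reads the standard Point and Print policy and LanmanServer registry locations (the value names are Microsoft's documented ones, but treat their presence as an assumption for your build).

```powershell
# Added audit script (not from the advisory): reports one host's posture against
# the remediation and workaround list. Run elevated. Registry paths/values are the
# standard Point and Print policy and SMB server settings; KB number is from the advisory.
$KB  = 'KB5029385'
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Patch present?  Get-HotFix -Id accepts the KB identifier directly.
$patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

# 2. Spooler state (workaround: disabled on hosts that do not need printing)
$svc            = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = [bool]($svc -and $svc.Status -eq 'Running')
$spoolerStart   = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }

# 3. Point and Print restrictions: 1 = only administrators may install drivers;
#    NoWarningNoElevationOnInstall=1 or UpdatePromptSettings=2 suppress the
#    elevation prompts and are the weak settings.
$adminOnly = Get-RegValue $pp 'RestrictDriverInstallationToAdministrators'
$noWarn    = Get-RegValue $pp 'NoWarningNoElevationOnInstall'
$updPrompt = Get-RegValue $pp 'UpdatePromptSettings'

# 4. Server-side SMB signing enforced?
$smbSign = Get-RegValue $smb 'RequireSecuritySignature'

$findings = @()
if (-not $patched) { $findings += "$KB not installed" }
if ($spoolerRunning -and $spoolerStart -ne 'Disabled') {
    $findings += 'Print Spooler running; disable it if this host does not print'
}
if ($adminOnly -ne 1) { $findings += 'Driver installation not restricted to administrators' }
if ($noWarn -eq 1 -or $updPrompt -eq 2) { $findings += 'Point and Print elevation prompts suppressed' }
if ($smbSign -ne 1) { $findings += 'SMB signing not required on the server side' }

# Emit one object per host so results can be collected centrally (e.g. Export-Csv)
[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    Patched                = $patched
    SpoolerRunning         = $spoolerRunning
    SpoolerStartType       = $spoolerStart
    AdminOnlyDriverInstall = ($adminOnly -eq 1)
    SmbSigningRequired     = ($smbSign -eq 1)
    Findings               = ($findings -join '; ')
}
```

An empty `Findings` field means the host satisfies every item the advisory lists; any text there names the step still outstanding.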
Detection Guidance:
- Monitor Event ID 7045 (service installation) and Event ID 307 (printer driver installation) for unusual activity.
- Deploy Sysmon with a rule to capture `CreateRemoteThread` calls originating from `spoolsv.exe`.
- Use Microsoft Defender for Endpoint or other EDR tools to flag suspicious DLL loads from network locations.
Future Outlook:
Microsoft has pledged to review the Print Spooler code path for additional hardening. A forthcoming cumulative update in June will include stricter driver signature enforcement. Organizations should audit printer infrastructure and consider moving to managed print services that isolate the spooler in a hardened VM.
References:
- Official Microsoft advisory: MSRC‑2026‑001
- Patch download: KB5029385
- Detailed analysis by the Zero Day Initiative: ZDI‑22‑1234
- Guidance on disabling Print Spooler: Microsoft Docs
Conclusion:
CVE‑2026‑2291 is a high‑severity RCE that can be weaponized across any network with the default Print Spooler configuration. Apply the out‑of‑band patch without delay, enforce the listed workarounds, and monitor for exploitation indicators. Failure to act quickly could result in full system compromise and lateral movement within your environment.