Critical Remote Code Execution Flaw (CVE‑2026‑39817) Affects Microsoft Windows 10/11 and Server 2022

Vulnerabilities Reporter

Microsoft has disclosed CVE‑2026‑39817, a remote code execution vulnerability in the Windows Print Spooler service. The flaw scores 9.8 CVSS, impacts all supported Windows 10, Windows 11, and Windows Server 2022 releases, and can be exploited without authentication over the network. Immediate installation of the August 2026 security update is required. Workarounds include disabling the Print Spooler service and applying group‑policy restrictions.

Critical Remote Code Execution Flaw (CVE‑2026‑39817) Impacts Windows Print Spooler

Impact: An unauthenticated attacker can execute arbitrary code on vulnerable Windows hosts by sending specially crafted print jobs. Successful exploitation yields SYSTEM privileges, enabling full control of the compromised machine.

Severity: CVSS v3.1 base score 9.8 (Critical). Exploitability is high because the vulnerability is remotely triggerable and requires no user interaction.


Affected Products

Product               Versions Affected
Windows 10            22H2, 21H2, 20H2, 1909
Windows 11            22H2, 23H2
Windows Server 2022   All current releases
Windows Server 2019   All current releases

All editions (Home, Pro, Enterprise, Education) are vulnerable. The flaw resides in the Print Spooler (spoolsv.exe) component, which processes printer driver packages and network print jobs.


Technical Details

  • Vulnerability Type: Remote Code Execution (RCE) via malicious printer driver package.
  • CWE‑ID: CWE‑787 (Out‑of‑bounds Write).
  • Root Cause: The spooler fails to properly validate the size of a data buffer when parsing the MSP (Microsoft Printer) file header. An attacker can craft an MSP file with an oversized Version field, causing a heap overflow in the ParseMspHeader routine.
  • Exploit Path:
    1. Attacker hosts a malicious printer driver on a web server.
    2. Victim machine connects to the attacker’s printer using the standard SMB or IPP protocol.
    3. The spooler downloads the malicious MSP file.
    4. Buffer overflow overwrites adjacent heap structures, redirecting execution to attacker‑controlled shellcode.
  • Privileges Gained: SYSTEM account.
  • Network Reachability: Exploitable over TCP ports 445 (SMB), 631 (IPP), and 9100 (RAW).
  • Mitigations Bypassed: Existing Windows Defender Exploit Guard rules do not block this specific overflow because it occurs within a trusted system component.

Timeline

  • 2026‑03‑12: Vulnerability discovered by security researcher Alexei Morozov (independent).
  • 2026‑04‑01: Responsible disclosure to Microsoft via MSRC.
  • 2026‑05‑15: Microsoft acknowledges receipt and begins internal analysis.
  • 2026‑07‑20: Patch development completed; internal testing begins.
  • 2026‑08‑07: Public release of security update KB5029384 (Windows 10/11) and KB5029390 (Server 2022).
  • 2026‑08‑14: CISA adds CVE‑2026‑39817 to the Known Exploited Vulnerabilities (KEV) catalog.

Mitigation Steps

1. Apply the August 2026 Security Update

  • Download and install KB5029384 for Windows 10/11 or KB5029390 for Server 2022 from the Microsoft Update Catalog.
  • Verify installation via wmic qfe list brief /format:table | find "5029384".

2. Temporary Workarounds (if patch cannot be applied immediately)

  • Disable Print Spooler: Run sc stop Spooler and sc config Spooler start= disabled in an elevated command prompt. This stops all printing services, which may be acceptable for headless servers.
  • Restrict Print Spooler Access: Deploy Group Policy: Computer Configuration → Administrative Templates → Printers → "Allow Print Spooler to accept client connections" set to Disabled.
  • Block SMB/IPP Ports: Use Windows Firewall or network ACLs to block inbound TCP 445, 631, and 9100 on systems that do not require printing.
  • Enable Driver Isolation: Set printer drivers to Isolated mode via the Print Management console. This forces drivers to run in a separate process, limiting the impact of a compromised driver.

3. Verify Mitigation Effectiveness

  • Confirm the spooler service is stopped: Get-Service Spooler should show Stopped.
  • Run the Microsoft-provided detection script DetectPrintSpoolerVuln.ps1 (available on the MSRC guidance page) to ensure the vulnerable code path is patched.
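The three mitigation steps above can be scripted and verified in one pass. The following PowerShell is an added example written for this article, not code from the advisory or from Microsoft. It uses the KB numbers and port list given above; the registry value RegisterSpoolerRemoteRpcEndPoint = 2 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers is assumed to be the registry form of the "Allow Print Spooler to accept client connections" policy set to Disabled, and the firewall rule name is a constructed label.

```powershell
# Added example (not from the advisory or Microsoft): apply and verify the
# Print Spooler mitigations on a single host. Run from an elevated session.
#Requires -RunAsAdministrator

$PatchIds   = @('KB5029384', 'KB5029390')   # KB numbers from the advisory (Win10/11, Server 2022)
$PrintPorts = @(445, 631, 9100)             # ports the advisory lists as exposure paths
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'   # assumption: policy registry path
$RuleName   = 'CVE-2026-39817 block inbound print ports'               # constructed rule label

function Test-SpoolerPatchInstalled {
    # Step 1 check: Get-HotFix is the PowerShell equivalent of `wmic qfe list`.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchIds -contains $_.HotFixID }
    if ($installed) {
        Write-Host "Patched: $($installed.HotFixID -join ', ') installed on $($installed[0].InstalledOn)"
        return $true
    }
    Write-Warning "Neither $($PatchIds -join ' nor ') is installed; apply workarounds until patched."
    return $false
}

function Disable-PrintSpoolerWorkaround {
    # Workaround: stop and disable the service (same effect as sc stop / sc config start= disabled).
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-SpoolerClientConnections {
    # Workaround: registry form of "Allow Print Spooler to accept client connections" = Disabled.
    # Assumption: value 2 means the policy is disabled (remote RPC endpoint not registered).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
}

function Block-PrintPortsInbound {
    # Workaround: block the listed ports. Only for hosts that do not serve print jobs;
    # note that TCP 445 also carries SMB file sharing, so check dependencies first.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $PrintPorts -Action Block -Profile Any | Out-Null
    }
}

function Test-SpoolerMitigation {
    # Step 3 verification: one pass/fail object covering every control applied above.
    $svc  = Get-Service -Name Spooler
    $reg  = Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PatchInstalled       = Test-SpoolerPatchInstalled
        SpoolerStopped       = ($svc.Status -eq 'Stopped')
        SpoolerDisabled      = ($svc.StartType -eq 'Disabled')
        ClientConnectionsOff = ($reg.RegisterSpoolerRemoteRpcEndPoint -eq 2)
        PrintPortsBlocked    = [bool]$rule
    }
}

# Usage: assess first; apply the workarounds only where the patch is missing.
if (-not (Test-SpoolerPatchInstalled)) {
    Disable-PrintSpoolerWorkaround
    Disable-SpoolerClientConnections
    Block-PrintPortsInbound
}
Test-SpoolerMitigation | Format-List
```

The verification function is deliberately separate from the functions that change state, so it can be run on its own (for example from a configuration-management agent) to report drift after the workarounds have been applied. Re-enabling printing once the patch is installed means reversing each control: set the service back to Automatic, remove the registry value, and delete the firewall rule.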

Recommendations for Enterprise Environments

  1. Prioritize Patch Deployment on domain controllers, file servers, and any system exposing printing services to untrusted networks.
  2. Audit Printer Driver Sources – only allow signed drivers from trusted vendors. Use the Driver Signing Enforcement policy.
  3. Enable Exploit Guard – turn on Network Protection and the Attack Surface Reduction rules "Block credential stealing from the Windows local security authority" and "Block untrusted inbound remote code execution". While not a direct fix, they raise the bar for attackers.
  4. Monitor Event Logs – watch for Event ID 307 (Print Spooler service started) and 8000 (Print driver installation) for unusual activity.
  5. Conduct Regular Penetration Tests that include printer‑related attack vectors. Many red‑team tools now automate MSP‑based payload delivery.
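The event-log monitoring in recommendation 4 can be turned into a scheduled collection job. The PowerShell below is an added example for this article, not a Microsoft script. It queries the event IDs the advisory names (307 and 8000) from the two Microsoft-Windows-PrintService logs; which of those logs actually carries each ID, and the fact that the Operational log is off by default, are assumptions to confirm against your own hosts. The manufacturer allowlist used for the driver audit is a constructed placeholder.

```powershell
# Added example (not from the advisory or Microsoft): collect print-service
# events of interest and inventory installed printer drivers for review.

$PrintLogs = @('Microsoft-Windows-PrintService/Admin',
               'Microsoft-Windows-PrintService/Operational')   # assumption: both may carry the IDs
$TrustedDriverVendors = @('Microsoft', 'ExampleVendor')        # constructed allowlist; replace with yours

function Enable-PrintServiceOperationalLog {
    # Assumption: the Operational log is disabled by default, so driver and job
    # events would otherwise never be written. wevtutil sl ... /e:true enables it.
    & wevtutil.exe sl 'Microsoft-Windows-PrintService/Operational' /e:true
}

function Get-PrintSpoolerAuditEvents {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(307, 8000)    # IDs listed in the advisory
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $PrintLogs) {
        # SilentlyContinue also swallows the "No events were found" error.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $log
                    Id      = $_.Id
                    User    = $_.UserId
                    Summary = ($_.Message -split "`r?`n")[0]   # first line of the message only
                }
            }
    }
}

function Get-UntrustedPrinterDrivers {
    # Recommendation 2: list installed drivers whose manufacturer is not on the allowlist.
    # Get-PrinterDriver is part of the PrintManagement module shipped with Windows.
    Get-PrinterDriver -ErrorAction SilentlyContinue |
        Where-Object { $TrustedDriverVendors -notcontains $_.Manufacturer } |
        Select-Object Name, Manufacturer, PrinterEnvironment, InfPath
}

# Usage: run from a scheduled task and forward the output to your SIEM.
Enable-PrintServiceOperationalLog
$events = Get-PrintSpoolerAuditEvents -Hours 24
$events | Sort-Object Time | Format-Table -AutoSize
# A burst of driver-installation events on a host that never gets new printers,
# or events attributed to an unexpected user, is what to escalate.
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
Get-UntrustedPrinterDrivers | Format-Table -AutoSize
```

On a domain the same functions can be invoked through Invoke-Command against a list of print servers and domain controllers, which keeps the collection logic in one place while the triage thresholds (how many driver installs per day is normal) stay with the SIEM rule.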

Bottom line: CVE‑2026‑39817 is a high‑impact RCE flaw in the Windows Print Spooler. The August 2026 patches close the vulnerability. Organizations must apply the update immediately, or apply the listed workarounds to reduce exposure until patching is possible.