Critical Remote Code Execution Flaw (CVE‑2026‑41672) Affects Microsoft Windows 11 and Server 2022

Vulnerabilities Reporter

Microsoft has released emergency patches for CVE‑2026‑41672, a remote code execution vulnerability in the Windows Print Spooler service. The flaw scores 9.8 CVSS, can be exploited without authentication, and affects Windows 11 22H2, Windows Server 2022, and several legacy builds. Administrators must apply the MSRC security update immediately and disable the spooler on exposed systems.

Immediate Impact

A remote code execution (RCE) vulnerability has been disclosed in the Windows Print Spooler service. The flaw, tracked as CVE‑2026‑41672, allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges on vulnerable hosts. The CVSS base score is 9.8 (Critical). Exploitation requires only network access to the spooler port (TCP 445 or 139).

Affected products include:

  • Windows 11, version 22H2 (build 22621 and later)
  • Windows Server 2022 (all editions)
  • Windows 10 Enterprise, version 21H2 (build 19044) – only when the Print Spooler is enabled
  • Windows Server 2019 (when the spooler service is running)

Microsoft has classified this as a Zero‑Day because active exploitation was observed in the wild within hours of discovery.


Technical Details

The vulnerability resides in the RpcAddPrinterDriverEx function, which fails to properly validate driver package signatures when processing a specially crafted RPC request. An attacker can craft a malicious driver package that contains a DLL with a payload. When the spooler loads the driver, the DLL runs with SYSTEM rights, giving the attacker full control of the host.

Key points of the exploit chain:

  1. Discovery – The attacker scans for open TCP 445/139 ports and confirms the presence of the Print Spooler service.
  2. Driver Injection – Using a malformed RPC call, the attacker supplies a path to a malicious driver package hosted on a remote SMB share.
  3. Signature Bypass – The spooler neglects to enforce the mandatory code‑signing policy for drivers delivered via this RPC path.
  4. Execution – The spooler loads the malicious DLL, executing the payload under the SYSTEM account.

The vulnerability does not require user interaction and works across domain‑joined and workgroup machines. Lateral movement is possible because the spooler service is often enabled by default on domain controllers and file servers.


Mitigation Steps

  1. Apply the MSRC Security Update – Microsoft released patches on 2026‑04‑30. The update is identified as KB5029384 for Windows 11/Server 2022. Install via Windows Update, WSUS, or SCCM without delay.
  2. Disable the Print Spooler on non‑essential systems – Run sc stop Spooler and sc config Spooler start= disabled on servers that do not require printing services.
  3. Enforce driver signing – Ensure the Group Policy Computer Configuration → Administrative Templates → Printers → Point and Print Restrictions is set to Enabled and Only approved drivers.
  4. Network segmentation – Block inbound traffic to ports 445 and 139 from untrusted networks. Use firewall rules to restrict spooler access to known printer subnets.
  5. Monitor for exploitation – Deploy detection rules in Microsoft Defender for Endpoint or Sysmon to flag anomalous RPC calls to RpcAddPrinterDriverEx. Look for event ID 3008 with unusual driver paths.
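The following PowerShell script is an added example, not code from the article or from Microsoft: it audits one host against mitigation steps 1 to 4 above (patch present, spooler state, Point and Print policy, SMB exposure) and, with -Remediate, applies the spooler and firewall hardening. It assumes KB5029384 is the update ID as stated in the article and that the Point and Print Restrictions policy writes the Restricted value under the PointAndPrint registry key; run it from an elevated session.

```powershell
# Added example (not Microsoft's or the article's own code): audit a host against
# the article's mitigation steps and, with -Remediate, apply the spooler and
# firewall hardening. Run in an elevated PowerShell session.
# Assumptions: KB5029384 is the update ID the article gives; the Restricted value
# under PointAndPrint is what the Point and Print Restrictions GPO writes.
param([switch]$Remediate)

$Kb = 'KB5029384'

# 1. Patch state: Get-HotFix lists installed updates by KB id.
$patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# 2. Spooler service state (the article's "sc stop / sc config" step).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

# 3. Point and Print restrictions as written to the registry by Group Policy.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
$ppRestricted = ($null -ne $pp) -and ($pp.Restricted -eq 1)

# 4. Firewall: is inbound TCP 139/445 blocked on the Public (untrusted) profile?
$ruleName = 'Block inbound SMB (Print Spooler RCE mitigation)'
$fwRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$fwBlocked = ($null -ne $fwRule) -and ($fwRule.Enabled -eq 'True')

if ($Remediate) {
    if ($spoolerRunning) {
        # Equivalent to: sc stop Spooler; sc config Spooler start= disabled
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $spoolerRunning = $false
    }
    if (-not $fwBlocked) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Profile Public -Action Block | Out-Null
        $fwBlocked = $true
    }
}

# One row per host; pipe to Export-Csv when running across a fleet.
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    KbInstalled      = $patched
    SpoolerRunning   = $spoolerRunning
    PointPrintGpo    = $ppRestricted
    SmbBlockedPublic = $fwBlocked
    Exposed          = (-not $patched) -and $spoolerRunning
}
```

The Exposed column is true only for hosts that lack the update and still run the spooler, which is the population to prioritise; allow-listing known printer subnets on the domain profile is a separate rule and is not created here.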

Timeline

  • 2026‑04‑20 – Vulnerability reported to Microsoft via the MSRC Coordinated Disclosure Program.
  • 2026‑04‑25 – Private advisory released to affected customers under NDA.
  • 2026‑04‑30 – Public release of security update KB5029384; advisory posted on the Microsoft Security Update Guide.
  • 2026‑05‑02 – First active exploitation observed targeting government agencies in Europe.
  • 2026‑05‑07 – CISA adds CVE‑2026‑41672 to its Known Exploited Vulnerabilities (KEV) Catalog.

What to Do Now

  1. Verify that the KB5029384 patch is installed on all Windows 11 and Server 2022 machines.
  2. Run Get-WindowsUpdateLog or use the Windows Update compliance reports to confirm deployment status.
  3. If any system cannot be patched immediately, disable the Print Spooler service and enforce strict firewall rules.
  4. Review audit logs for any RPC calls to the spooler that occurred in the past 72 hours.
  5. Update your incident response playbook to include this RCE vector.
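For mitigation step 5 and step 4 above (reviewing spooler activity from the past 72 hours), this added PowerShell hunt, not code from the article or from Microsoft, queries the PrintService event logs for driver events whose message references a remote UNC path, the "unusual driver path" the article describes. It assumes event ID 3008 is meaningful as the article states it, adds the standard PrintService/Operational event 316 (printer driver installed), and requires the Operational log to be enabled on the host.

```powershell
# Added example (not the article's or Microsoft's code): hunt the PrintService
# event logs for driver installs sourced from a remote UNC path in the last
# 72 hours. Event ID 3008 is the ID the article cites; 316 ("printer driver was
# installed") is a standard PrintService/Operational event. That Operational
# log is disabled by default and must be enabled first:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
param([int]$Hours = 72)

$since = (Get-Date).AddHours(-$Hours)
$logs  = 'Microsoft-Windows-PrintService/Operational',
         'Microsoft-Windows-PrintService/Admin'
$ids   = 3008, 316

# A driver package loaded from \\server\share instead of the local driver store
# is the "unusual driver path" the article tells defenders to look for.
$uncPath = '\\\\[^\\\s]+\\[^\\\s]+'

$hits = foreach ($log in $logs) {
    $filter = @{ LogName = $log; Id = $ids; StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($e.Message -match $uncPath) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $log
                EventId = $e.Id
                Path    = $Matches[0]
                Summary = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    Write-Warning ("{0} driver event(s) reference a network path; triage before trusting this host." -f @($hits).Count)
} else {
    Write-Output "No PrintService driver events with UNC paths since $since."
}
```

A hit is a lead, not a verdict: confirm the share and the driver's signature before treating the host as compromised, and feed the same UNC-path condition into the Defender for Endpoint or Sysmon rule named in mitigation step 5.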

Broader Context

CVE‑2026‑41672 is the latest in a series of Print Spooler vulnerabilities that have plagued Windows for years (e.g., PrintNightmare, CVE‑2021‑34527). The recurring theme is the difficulty of balancing legacy printer support with modern security expectations. Microsoft’s rapid patch cadence reflects the high risk associated with spooler‑related code execution paths.

Organizations that continue to rely on legacy printers should consider migrating to IP‑based printing solutions that do not require the Windows spooler, or deploy Print Server Isolation to contain potential compromises.


Stay vigilant. Apply the patch. Disable unnecessary services.
