Microsoft has disclosed CVE‑2026‑42009, a remote code execution vulnerability in the Windows Print Spooler service. The flaw scores 9.8 CVSS, impacts all supported Windows 10, Windows 11, and Windows Server 2022 releases, and can be exploited without authentication. Immediate patching via the August 2026 Security Update Guide (KB5029380) is required. Workarounds include disabling the Print Spooler service and enforcing strict firewall rules.
Immediate Impact
A remote code execution (RCE) bug has been found in the Windows Print Spooler service. An attacker who can send a specially crafted print request can execute arbitrary code with SYSTEM privileges. The vulnerability is network‑visible, requires no user interaction, and can spread laterally across an enterprise.
Key facts
- CVE ID: CVE‑2026‑42009
- CVSS v3.1 Base Score: 9.8 (Critical)
- Affected products: Windows 10 (1909‑22H2), Windows 11 (21H2‑23H2), Windows Server 2019, Windows Server 2022, and all Windows Server 2022 LCU releases.
- Attack vector: Network‑based, unauthenticated.
- Impact: Full system compromise, privilege escalation, potential ransomware deployment.
Technical Details
The flaw resides in the RpcAddPrinterDriverEx function, which processes driver packages uploaded via the SMB protocol. Input validation fails when the driver’s INF file contains a malicious CopyFiles directive that points to an arbitrary location on the target system. When the spooler extracts the driver, it writes the malicious DLL to a privileged directory and loads it, executing attacker‑controlled code.
Exploit Flow
- Recon – Attacker discovers a vulnerable host via port 445 scanning.
- Payload delivery – Sends a crafted SMB packet containing a malicious driver package.
- Driver installation – The spooler extracts the driver without proper integrity checks.
- Code execution – Malicious DLL loads under SYSTEM, giving the attacker full control.
The vulnerability bypasses the default PrintNightmare mitigations introduced in 2021 because the exploit does not rely on the AddPrinterDriverEx privilege escalation path; instead, it abuses a missing path‑traversal check in the driver extraction routine.
Mitigation Timeline
| Date | Action | Details |
|---|---|---|
| June 12 2026 | Microsoft advisory published | Initial advisory (MSRC) listed CVE‑2026‑42009 with severity rating. |
| June 15 2026 | Exploit proof‑of‑concept released | Independent researcher posted PoC on GitHub, confirming remote exploitability. |
| July 1 2026 | Advisory update | Added mitigation guidance and clarified affected LCU versions. |
| July 20 2026 | Patch released (KB5029380) | Security update for all supported Windows 10/11 and Server 2022 builds. |
| July 25 2026 | CISA adds to Known Exploited Vulnerabilities (KEV) catalog | Federal agencies required to patch within 15 days. |
Required Action
- Apply the August 2026 security update – Install KB5029380 on all affected machines. The update replaces the vulnerable `spoolsv.exe` binary and adds stricter driver validation.
- Verify patch status – Run `Get-HotFix -Id KB5029380` in PowerShell or check Windows Update history.
- Restart the Print Spooler service – Run `Restart-Service -Name Spooler` to load the patched binaries.
- Enable Extended Protection for Authentication (EPA) – Enforce Kerberos signing for SMB traffic to reduce the chance of credential theft.
Immediate Workarounds (If Patch Cannot Be Applied Immediately)
- Disable the Print Spooler service on servers that do not require printing: `Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled`.
- Restrict SMB traffic – Block inbound TCP/445 at the perimeter firewall for non‑printing workloads.
- Apply Group Policy to enforce Computer Configuration → Administrative Templates → Printers → Allow Print Spooler to accept client connections = Disabled.
- Audit installed printer drivers – Use `Get-PrinterDriver` to list drivers; remove any that are not from trusted vendors.
These workarounds reduce attack surface but may impact legitimate printing. Re‑enable the service only after the patch is applied.
Broader Context
CVE‑2026‑42009 follows a series of Print Spooler vulnerabilities that have been weaponized in ransomware campaigns. The recurring theme is insufficient validation of driver packages received over the network. Microsoft’s response this time includes a more aggressive driver signing check and a new mitigation flag (PrintDriverValidate) that administrators can enable via registry (HKLM\SYSTEM\CurrentControlSet\Control\Print\PrintDriverValidate = 1).
Enterprises should treat the Print Spooler as a high‑risk component. Regularly audit driver installations, enforce least‑privilege service accounts, and monitor for anomalous SMB traffic using IDS/IPS signatures that flag unusual RpcAddPrinterDriverEx calls.
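The following read-only posture check is an added example, not part of the advisory or of any Microsoft tooling. It audits the Required Action steps, the workarounds, the PrintDriverValidate flag and the driver/SMB monitoring advice above on one host; the KB number, registry value and policy path come from the advisory, while the policy-to-registry mapping (RegisterSpoolerRemoteRpcEndPoint = 2) and PrintService Event ID 316 are from general Windows knowledge, and the host-firewall check stands in for the perimeter rule by assumption. It changes nothing and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the advisory): read-only CVE-2026-42009 posture check. Run elevated.
$Kb        = 'KB5029380'
$PrintKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# 1. Is the patch installed?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
Add-Finding 'Patch installed' ($null -ne $hotfix) $(if ($hotfix) { "Installed $($hotfix.InstalledOn)" } else { "$Kb not present" })

# 2. Spooler is either patched and running, or stopped and disabled (the documented workaround)
$svc = Get-Service -Name Spooler
$spoolerOk = (($null -ne $hotfix) -and ($svc.Status -eq 'Running')) -or
             (($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped'))
Add-Finding 'Spooler posture' $spoolerOk "Status=$($svc.Status) StartType=$($svc.StartType)"

# 3. spoolsv.exe was restarted after the patch (InstalledOn is date-only, so this is a coarse check)
$proc = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
$restarted = $hotfix -and $proc -and $hotfix.InstalledOn -and ($proc.StartTime -gt $hotfix.InstalledOn)
Add-Finding 'Spooler restarted post-patch' $restarted $(if ($proc) { "spoolsv started $($proc.StartTime)" } else { 'spoolsv not running' })

# 4. Group Policy "Allow Print Spooler to accept client connections" = Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2
$rpc = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
Add-Finding 'Remote client connections disabled' ($rpc -eq 2) "RegisterSpoolerRemoteRpcEndPoint=$rpc"

# 5. PrintDriverValidate mitigation flag named in the advisory
$flag = (Get-ItemProperty -Path $PrintKey -Name PrintDriverValidate -ErrorAction SilentlyContinue).PrintDriverValidate
Add-Finding 'PrintDriverValidate enabled' ($flag -eq 1) "PrintDriverValidate=$flag"

# 6. Host firewall blocks inbound TCP/445 (assumption: used here as a local proxy for the perimeter rule)
$blocks445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { $pf = $_ | Get-NetFirewallPortFilter; ($pf.Protocol -eq 'TCP') -and ($pf.LocalPort -contains '445') }
Add-Finding 'Inbound TCP/445 blocked' ($null -ne $blocks445) "$(@($blocks445).Count) matching block rule(s)"

# 7. Driver audit: every installed driver binary should carry a valid Authenticode signature
foreach ($d in (Get-PrinterDriver -ErrorAction SilentlyContinue)) {
    $status = if ($d.Path -and (Test-Path $d.Path)) { (Get-AuthenticodeSignature -FilePath $d.Path).Status } else { 'FileMissing' }
    Add-Finding "Driver signed: $($d.Name)" ($status -eq 'Valid') "Manufacturer=$($d.Manufacturer) Signature=$status"
}

# 8. Driver add/update events in the last 7 days (PrintService/Operational log must be enabled; Event ID 316)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue)
Add-Finding 'No recent driver installs' ($events.Count -eq 0) "$($events.Count) Event ID 316 entries in 7 days"

$findings | Format-Table -AutoSize
```

Any FAIL row maps directly to one of the actions or workarounds above; driver-install events should be reconciled against change records before the host is considered clean.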
References
- Official Microsoft advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42009
- KB5029380 patch details: https://support.microsoft.com/kb/5029380
- CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-cve-2026-42009
- GitHub PoC (read‑only): https://github.com/security-researcher/PrintSpooler-Exploit
Action now: Deploy KB5029380, verify the service restart, and close port 445 where possible. Delay increases the risk of a full system compromise.