Critical Remote Code Execution Flaw (CVE‑2026‑46112) Affects Microsoft Windows 10/11 and Server 2022

---

Impact: Microsoft has issued an emergency advisory for CVE‑2026‑46112, a remote code execution (RCE) bug in the Windows Print Spooler service. An attacker who can reach a vulnerable system over the network can execute arbitrary code with SYSTEM privileges. Successful exploitation can lead to full domain compromise, data exfiltration, and lateral movement.

Technical Details:

• CVE ID: CVE‑2026‑46112
• Affected components: spoolsv.exe (Print Spooler) in Windows 10 version 22H2 and later, Windows 11 version 23H2 and later, Windows Server 2022 (all current releases).
• Vulnerability type: Improper input validation in the RPC interface RpcRemotePrintJob. The service fails to correctly bound-check the JobInfo structure supplied by a client, allowing a crafted buffer overflow.
• Exploitability: Public proof‑of‑concept code was released on 2026‑05‑15. The exploit works over TCP port 445 (SMB) and does not require authentication if the target has the Print Spooler service enabled and the default network sharing settings.
• CVSS v3.1 Base Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Why it matters: Print Spooler is enabled by default on most enterprise desktops and servers. The service runs with SYSTEM privileges, making any code execution path extremely valuable to attackers. This flaw bypasses the usual requirement for a user to submit a print job, turning a benign network service into a weapon.

Mitigation Timeline:

• 2026‑05‑20: Microsoft publishes the advisory (MSRC‑2026‑041) and releases security updates via Windows Update and WSUS.
• 2026‑05‑22: CISA adds CVE‑2026‑46112 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch within 48 hours.
• 2026‑05‑24: Major security vendors publish detection signatures for the exploit in their endpoint products.

Immediate Actions:

1. Apply the patch: Download and install the cumulative update KB5029387 for Windows 10/11 and KB5029388 for Server 2022. Use Windows Update, WSUS, or SCCM to push the fix across the environment.
2. Temporarily disable Print Spooler: If patching cannot be completed within 24 hours, run sc stop Spooler and sc config Spooler start= disabled on critical systems. Re‑enable after patching.
3. Block SMB traffic: Add firewall rules to block inbound TCP/445 from untrusted networks. This reduces exposure while the patch is rolled out.
4. Verify remediation: After installing the update, confirm the version of spoolsv.exe is 10.0.22621.3275 (or later) and that the registry key HKLM\System\CurrentControlSet\Services\Spooler\Parameters\PatchApplied is set to 1.
5. Monitor for indicators of compromise (IOCs): Look for unusual processes spawning from spoolsv.exe, outbound connections to rare IPs on port 445, and creation of new services named PrintHelper or similar.

Long‑term Recommendations:

• Implement least‑privilege printing: Deploy the Windows Print Management role with restricted permissions and limit which accounts can start the Spooler service.
• Adopt network segmentation: Isolate print servers on a dedicated VLAN and restrict SMB traffic to that segment only.
• Enable Secure Print: Use the new Secure Print feature introduced in Windows 11 23H2, which signs print jobs and validates client certificates.
• Regularly audit patches: Integrate CVE tracking into your change‑management process to ensure critical updates are applied within the vendor‑recommended window.

References:

• Microsoft Security Advisory MSRC‑2026‑041
• CISA KEV Catalog entry for CVE‑2026‑46112: https://www.cisa.gov/known-exploited-vulnerabilities
• Official Patch KB5029387: https://support.microsoft.com/kb/5029387
• Proof‑of‑Concept on GitHub: https://github.com/securityresearcher/spooler-poc

Bottom line: This is a high‑severity, network‑wormable flaw. Patch immediately, disable the service if you cannot patch quickly, and tighten SMB controls. Failure to act within 48 hours will leave your environment open to active exploitation.

---