Microsoft Windows users face a critical remote code execution flaw in the Print Spooler service. Immediate patching is required to stop attackers from taking over affected systems.
CVE‑2026‑39823: Remote Code Execution in Windows Print Spooler
Impact
- Remote attackers can execute arbitrary code.
- Full system compromise possible.
- Affects Windows 10 22H2, Windows 11 23H2, Windows Server 2022.
- CVSS v3.1 score 9.8 (Critical).
Technical Details
The flaw lies in the Print Spooler's handling of driver installation requests. When a driver package is submitted, the spooler fails to validate the package's digital signature against the system's trusted catalog, so a driver from an untrusted publisher is accepted as if it were trusted. Because the spooler itself runs as SYSTEM, the unchecked driver is loaded with SYSTEM privileges and can run any code on the host. The vulnerability is exploitable over the network via the Remote Print Service (RPS) protocol, which is enabled by default on most domain controllers and print servers.
The exploit chain requires:
- An authenticated RPS session (any domain account is sufficient; no administrative rights are needed on the target).
- A crafted driver package whose signature does not chain to the trusted catalog (unsigned, or signed by an untrusted publisher) and that the spooler nonetheless accepts.
- The spooler to load the driver during the installation phase.
Once loaded, the driver's payload already runs as SYSTEM, so it can modify registry keys, install backdoors, or establish persistence without any further privilege escalation. The impact is not limited to the first host: a print server or domain controller that serves drivers to domain-joined clients can push the malicious driver to them as well.
Mitigation Steps
- Apply the official patch: install KB5987654 from Windows Update or the Microsoft Update Catalog.
- Disable legacy driver support: set the registry value HKLM\SYSTEM\CurrentControlSet\Control\Print\PrintDriverLegacySupport to 0 and restart the spooler so the change takes effect.
- Restrict RPS access: configure Group Policy to allow RPS only from trusted print servers and printers.
- Monitor for anomalous driver installations: enable audit logging for Print Driver Install events (Event ID 3073) and alert on driver installs that originate from unexpected accounts or hosts.
- Workaround if the patch cannot be applied yet: stop the Print Spooler service (sc stop Spooler) and keep it from restarting (sc config Spooler start= disabled) on servers that do not need to print. This breaks all printing on those hosts, so re-enable the service once the patch is installed.
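The host-level steps above, applied with PowerShell, as an added example that is not part of the original advisory. The registry value name and the event log recommendation are taken from the advisory text as written; the $DisableSpooler switch is this script's own assumption, and the Group Policy scoping of RPS is not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the host-level mitigations listed above.
# The registry value name is the one the advisory gives (not independently verified here).
$KeyPath        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$ValueName      = 'PrintDriverLegacySupport'
$DisableSpooler = $false   # assumption: set to $true only on servers that never need to print

# Record the existing value (if any) so the change can be reverted later.
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "Current $ValueName = $($existing.$ValueName)"
} else {
    Write-Host "$ValueName not present; it will be created."
}
New-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -PropertyType DWord -Force | Out-Null

# Enable the Print Service operational log so driver installation events are written at all;
# this log is disabled by default.
wevtutil sl 'Microsoft-Windows-PrintService/Operational' /e:true

if ($DisableSpooler) {
    # Workaround for hosts that cannot be patched yet: stop the service and keep it stopped
    # across reboots. This breaks all printing on the host until the startup type is reset.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
} else {
    # Restart so the spooler reads the new registry value.
    Restart-Service -Name Spooler
}

# Show the resulting state for the change record.
Get-ItemProperty -Path $KeyPath -Name $ValueName | Select-Object -ExpandProperty $ValueName
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Run it once per host from an elevated PowerShell session; the printed "Current" value is what you set back if the change has to be rolled back.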
Timeline
- March 2026: Microsoft Security Response Center (MSRC) identifies the flaw during internal testing.
- April 10, 2026: Patch KB5987654 released via Windows Update.
- May 1, 2026: Public advisory issued, urging immediate action.
- May 15, 2026: Security Update Guide updated with detailed remediation steps.
What to Do Now
- Verify your OS version: run winver.
- Check patch status: run wmic qfe get HotFixID (or Get-HotFix in PowerShell, since wmic is deprecated on current Windows releases).
- If KB5987654 is missing, download and install it.
- Reboot and confirm the Print Spooler service restarts.
- Run a full vulnerability scan and review the installed print drivers for any that are unsigned or not trusted.
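The verification steps above carried out on one host, as an added example that is not part of the original advisory. The KB identifier is the one the advisory gives; the signature audit goes beyond the advisory's wording by checking the Authenticode status of every installed driver binary, which is the check a practitioner actually wants when "residual malicious drivers" are the concern.

```powershell
# Added example: verify patch state and audit installed print drivers on one host.
# Run as Administrator for a complete driver list.
$RequiredKb = 'KB5987654'   # identifier as given in the advisory

# 1. OS version and build (the same information winver shows in a dialog).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption) build $($os.BuildNumber)"

# 2. Patch status. Get-HotFix replaces the deprecated 'wmic qfe'.
#    Caveat: cumulative updates supersede earlier ones, so a host that took a later
#    cumulative update may not list this KB and still be fixed. When in doubt, compare
#    the build number against the fixed build listed in the Security Update Guide.
$hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
if ($hotfix) { Write-Host "$RequiredKb installed on $($hotfix.InstalledOn)" }
else         { Write-Warning "$RequiredKb not found in installed updates" }

# 3. Spooler state. Get-PrinterDriver below needs the spooler running.
$spooler = Get-Service -Name Spooler
Write-Host "Spooler: $($spooler.Status), startup type $($spooler.StartType)"
if ($spooler.Status -ne 'Running') {
    Write-Warning "Spooler is not running; driver audit skipped"
    return
}

# 4. Check the Authenticode signature of every installed driver binary (dll/exe/sys only;
#    .gpd/.ppd data files are plain text and would show as NotSigned). Inbox drivers are
#    catalog-signed and report Valid; anything NotSigned, NotTrusted or HashMismatch needs review.
$findings = foreach ($drv in Get-PrinterDriver) {
    $files = @($drv.Path) + @($drv.ConfigFile) + @($drv.DependentFiles) |
        Where-Object { $_ -and ($_ -match '\.(dll|exe|sys)$') }
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver = $drv.Name
            File   = $file
            Status = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    Write-Warning "$($suspect.Count) driver file(s) without a valid signature:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "All $($findings.Count) driver files carry a valid signature."
}
```

A NotSigned result on an old third-party driver is not proof of compromise, but every flagged file should be traced back to a known package before the host is considered clean; a HashMismatch on a file that was previously valid is the strongest indicator that a driver binary has been replaced.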
Additional Resources
- Microsoft Security Update Guide – CVE‑2026‑39823
- Print Spooler Security Best Practices
- GitHub – Print Spooler Driver Analysis
Conclusion
The CVE‑2026‑39823 flaw presents a high‑risk vector for attackers to gain SYSTEM access via the Print Spooler service. Immediate application of KB5987654 and enforcement of driver signing policies are mandatory. Failure to act exposes corporate networks to rapid lateral movement and data exfiltration.