CVE-2026-58608 – Windows Print Spooler Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A trusted service that handles everyday printing should never become a gateway for attackers to execute malicious code.”

A race condition and use-after-free vulnerability in the Windows Print Spooler allows an authorized attacker to execute arbitrary code over a network. By exploiting improper synchronization in the Print Spooler service, an attacker with low privileges can corrupt memory and execute malicious code on affected systems. If left unpatched, this vulnerability could provide attackers with an opportunity to compromise critical Windows systems and expand their presence within an enterprise environment.

CVSS Score: 8.8

SEVERITY: Critical

THREAT:
This vulnerability affects the Windows Print Spooler service and results from improper synchronization combined with a use-after-free condition. An attacker with low privileges can remotely interact with the Print Spooler service over a network to trigger memory corruption and execute arbitrary code. Because the Print Spooler is commonly enabled across enterprise environments, successful exploitation could provide an effective entry point for further attacks.

EXPLOITS:
At the time of publication, the vulnerability was not publicly disclosed and no active exploitation had been observed. Microsoft rates exploitation as Less Likely. The CVSS v3.1 temporal metrics indicate Exploit Code Maturity: Unproven, and no confirmed public proof-of-concept exploit code is available.

TECHNICAL SUMMARY:
The vulnerability is caused by a combination of a race condition (CWE-362) and a use-after-free vulnerability (CWE-416) within the Windows Print Spooler service. An attacker can create and close a printer handle while leaving a related notification handle in an invalid state, allowing the service to reference memory that has already been released. This memory corruption can be leveraged to execute arbitrary code. According to the CVSS v3.1 metrics, exploitation requires a network attack vector, low attack complexity, low privileges, no user interaction, and can result in complete compromise of confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including Server Core installations where listed. Exploitation requires network access and low privileges but does not require user interaction.

BUSINESS IMPACT:
A successful attack could allow adversaries to execute malicious code on systems running the Print Spooler service, potentially leading to malware deployment, data theft, service disruption, lateral movement, and broader compromise of enterprise networks. Organizations that rely on print services across workstations and servers should prioritize remediation to reduce exposure.

WORKAROUND:
No mitigations or workarounds are available. Apply the appropriate security update to affected systems as soon as possible.

URGENCY:
This vulnerability should be prioritized because it is rated Critical and enables remote code execution over a network. Although exploitation requires low privileges, the network attack vector, high impact on confidentiality, integrity, and availability, and the widespread deployment of the Print Spooler service make prompt patching essential.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-362
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.