ZeroPath at Black Hat USA 2026

Windows Print Spooler CVE-2026-34342: Brief Summary of a Race Condition Privilege Escalation

A brief summary of CVE-2026-34342, a race condition in the Windows Print Spooler's splwow64.exe process that allows local privilege escalation from low to medium integrity. Includes patch details across all affected Windows platforms.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Windows Print Spooler CVE-2026-34342: Brief Summary of a Race Condition Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

The Windows Print Spooler continues to be a recurring source of privilege escalation vulnerabilities, and CVE-2026-34342 adds another entry to that list: a race condition in the splwow64.exe process that lets a local attacker climb from low integrity to medium integrity. Patched as part of Microsoft's May 2026 Patch Tuesday alongside 119 other fixes, this vulnerability carries a CVSS 7.0 score from Microsoft and warrants attention on any multi-user Windows deployment where low-privileged code execution is routine.

Technical Information

Root Cause

CVE-2026-34342 falls under CWE-362: concurrent execution using a shared resource with improper synchronization. The vulnerable component is splwow64.exe, the Windows Print Spooler process responsible for brokering 32-bit printer driver operations on 64-bit Windows systems. The flaw originates from unsafe use of shared memory within this process, where concurrent access to a shared resource lacks proper synchronization primitives such as locks or serialized access controls.

Attack Flow

Exploitation follows a local privilege escalation pattern:

  1. The attacker must first obtain the ability to execute low-privileged code on the target system. This is a prerequisite; remote exploitation is not possible.
  2. The attacker triggers concurrent operations targeting the vulnerable shared memory region within splwow64.exe.
  3. By carefully timing these operations, the attacker attempts to win the race condition, corrupting or manipulating the shared state before the legitimate operation completes.
  4. If the race is won, the attacker escalates from a low integrity level to a medium integrity level, gaining the ability to execute arbitrary code in the context of the current user.

The attack complexity is rated High by Microsoft because the outcome depends on timing conditions that the attacker cannot fully control. This makes reliable exploitation non-trivial, though not impossible for a skilled attacker with local access.

Scoring Variance

Different security organizations have assessed this vulnerability with notably different scores:

Assessing OrganizationBase ScoreSeverityAttack VectorAttack ComplexityPrivileges Required
Microsoft7.0HighLocalHighLow
Tenable7.0HighLocalHighLow
Zero Day Initiative4.4MediumLocalLowLow

The divergence centers on how impactful a low to medium integrity escalation is considered. Microsoft and Tenable see significant confidentiality, integrity, and availability impacts, while the Zero Day Initiative rates confidentiality impact as none and assigns low integrity and availability impacts. This is a useful reminder that CVSS scores reflect modeling assumptions, and organizations should weigh the score against their own environment when prioritizing.

Patch Information

Microsoft released an official fix for CVE-2026-34342 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The remediation level is "Official Fix," meaning a complete vendor solution has been issued. Because Windows Print Spooler is closed source, no source-level diff is publicly available.

The fix is delivered through cumulative security updates across a broad range of affected Windows platforms:

KB ArticleAffected ProductsPatched Build
KB5089548Windows 11 Version 26H1 (x64, ARM64)10.0.28000.2113
KB5089549 / KB5089466 (Hotpatch)Windows 11 Version 24H2 and 25H2 (x64, ARM64)10.0.26100.8457 / 10.0.26200.8457
KB5087420Windows 11 Version 23H2 (x64, ARM64)10.0.22631.7079
KB5087544Windows 10 Version 22H2 and 21H2 (x64, ARM64, 32-bit)10.0.19045.7291 / 10.0.19044.7291
KB5087537Windows 10 Version 1607 (x64, 32-bit); Windows Server 201610.0.14393.9140
KB5087538Windows 10 Version 1809 (x64, 32-bit); Windows Server 201910.0.17763.8755
KB5087539 / KB5087423 (Hotpatch)Windows Server 202510.0.26100.32860
KB5087545 / KB5087424 (Hotpatch)Windows Server 202210.0.20348.5139
KB5087541Windows Server 2022, 23H2 Edition (Server Core)10.0.25398.2330
KB5087471Windows Server 2012 R26.3.9600.23181
KB5087470Windows Server 20126.2.9200.26079

For several newer platforms (Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2), Microsoft provides both a standard cumulative Security Update and a Security Hotpatch Update. Hotpatch updates allow the fix to be applied without a full reboot, which is especially useful for production server environments.

Based on the nature of the root cause (CWE-362), the patch almost certainly introduces proper synchronization primitives (for example, locking mechanisms or serialized access) to the shared resource within the Print Spooler component that was previously being accessed concurrently without adequate protection. This is consistent with credited researcher Marcin Wiązowski's other Print Spooler and GDI race condition findings disclosed through the Zero Day Initiative, where fixes typically involved adding object locking to prevent the race window.

All listed updates carry a Customer Action Required status. Administrators should verify their Windows Update settings or manually download the appropriate KB from the Microsoft Update Catalog.

Affected Systems and Versions

The vulnerability affects a wide range of Windows client and server platforms. Based on the KB articles issued by Microsoft, the following systems are confirmed affected:

Windows Client:

  • Windows 11 Version 26H1 (x64, ARM64), builds prior to 10.0.28000.2113
  • Windows 11 Version 24H2 and 25H2 (x64, ARM64), builds prior to 10.0.26100.8457 / 10.0.26200.8457
  • Windows 11 Version 23H2 (x64, ARM64), builds prior to 10.0.22631.7079
  • Windows 10 Version 22H2 and 21H2 (x64, ARM64, 32-bit), builds prior to 10.0.19045.7291 / 10.0.19044.7291
  • Windows 10 Version 1809 (x64, 32-bit), builds prior to 10.0.17763.8755
  • Windows 10 Version 1607 (x64, 32-bit), builds prior to 10.0.14393.9140

Windows Server:

  • Windows Server 2025, builds prior to 10.0.26100.32860
  • Windows Server 2022, builds prior to 10.0.20348.5139
  • Windows Server 2022, 23H2 Edition (Server Core), builds prior to 10.0.25398.2330
  • Windows Server 2019, builds prior to 10.0.17763.8755
  • Windows Server 2016, builds prior to 10.0.14393.9140
  • Windows Server 2012 R2, builds prior to 6.3.9600.23181
  • Windows Server 2012, builds prior to 6.2.9200.26079

Vendor Security History

The Windows Print Spooler has a well-documented history of security vulnerabilities, most notably the PrintNightmare family of flaws in 2021. Microsoft's security response process is mature, with a predictable monthly Patch Tuesday cadence. The May 2026 cycle addressed 120 vulnerabilities simultaneously with no zero days disclosed, demonstrating the vendor's capacity to manage large volumes of security defects across its product portfolio.

The coordinated disclosure timeline for CVE-2026-34342 is worth noting: the vulnerability was reported to Microsoft on January 12, 2026, and publicly released alongside the patch on May 12, 2026, a four-month turnaround. The credited researcher, Marcin Wiązowski, has a track record of disclosing Print Spooler and GDI race condition vulnerabilities through the Zero Day Initiative.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization