Introduction
The Windows Print Spooler continues to be a recurring source of privilege escalation vulnerabilities, and CVE-2026-34342 adds another entry to that list: a race condition in the splwow64.exe process that lets a local attacker climb from low integrity to medium integrity. Patched as part of Microsoft's May 2026 Patch Tuesday alongside 119 other fixes, this vulnerability carries a CVSS 7.0 score from Microsoft and warrants attention on any multi-user Windows deployment where low-privileged code execution is routine.
Technical Information
Root Cause
CVE-2026-34342 falls under CWE-362: concurrent execution using a shared resource with improper synchronization. The vulnerable component is splwow64.exe, the Windows Print Spooler process responsible for brokering 32-bit printer driver operations on 64-bit Windows systems. The flaw originates from unsafe use of shared memory within this process, where concurrent access to a shared resource lacks proper synchronization primitives such as locks or serialized access controls.
Attack Flow
Exploitation follows a local privilege escalation pattern:
- The attacker must first obtain the ability to execute low-privileged code on the target system. This is a prerequisite; remote exploitation is not possible.
- The attacker triggers concurrent operations targeting the vulnerable shared memory region within splwow64.exe.
- By carefully timing these operations, the attacker attempts to win the race condition, corrupting or manipulating the shared state before the legitimate operation completes.
- If the race is won, the attacker escalates from a low integrity level to a medium integrity level, gaining the ability to execute arbitrary code in the context of the current user.
The attack complexity is rated High by Microsoft because the outcome depends on timing conditions that the attacker cannot fully control. This makes reliable exploitation non-trivial, though not impossible for a skilled attacker with local access.
Scoring Variance
Different security organizations have assessed this vulnerability with notably different scores:
| Assessing Organization | Base Score | Severity | Attack Vector | Attack Complexity | Privileges Required |
|---|---|---|---|---|---|
| Microsoft | 7.0 | High | Local | High | Low |
| Tenable | 7.0 | High | Local | High | Low |
| Zero Day Initiative | 4.4 | Medium | Local | Low | Low |
The divergence centers on how impactful a low to medium integrity escalation is considered. Microsoft and Tenable see significant confidentiality, integrity, and availability impacts, while the Zero Day Initiative rates confidentiality impact as none and assigns low integrity and availability impacts. This is a useful reminder that CVSS scores reflect modeling assumptions, and organizations should weigh the score against their own environment when prioritizing.
Patch Information
Microsoft released an official fix for CVE-2026-34342 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The remediation level is "Official Fix," meaning a complete vendor solution has been issued. Because Windows Print Spooler is closed source, no source-level diff is publicly available.
The fix is delivered through cumulative security updates across a broad range of affected Windows platforms:
| KB Article | Affected Products | Patched Build |
|---|---|---|
| KB5089548 | Windows 11 Version 26H1 (x64, ARM64) | 10.0.28000.2113 |
| KB5089549 / KB5089466 (Hotpatch) | Windows 11 Version 24H2 and 25H2 (x64, ARM64) | 10.0.26100.8457 / 10.0.26200.8457 |
| KB5087420 | Windows 11 Version 23H2 (x64, ARM64) | 10.0.22631.7079 |
| KB5087544 | Windows 10 Version 22H2 and 21H2 (x64, ARM64, 32-bit) | 10.0.19045.7291 / 10.0.19044.7291 |
| KB5087537 | Windows 10 Version 1607 (x64, 32-bit); Windows Server 2016 | 10.0.14393.9140 |
| KB5087538 | Windows 10 Version 1809 (x64, 32-bit); Windows Server 2019 | 10.0.17763.8755 |
| KB5087539 / KB5087423 (Hotpatch) | Windows Server 2025 | 10.0.26100.32860 |
| KB5087545 / KB5087424 (Hotpatch) | Windows Server 2022 | 10.0.20348.5139 |
| KB5087541 | Windows Server 2022, 23H2 Edition (Server Core) | 10.0.25398.2330 |
| KB5087471 | Windows Server 2012 R2 | 6.3.9600.23181 |
| KB5087470 | Windows Server 2012 | 6.2.9200.26079 |
For several newer platforms (Windows Server 2025, Windows Server 2022, and Windows 11 24H2/25H2), Microsoft provides both a standard cumulative Security Update and a Security Hotpatch Update. Hotpatch updates allow the fix to be applied without a full reboot, which is especially useful for production server environments.
Based on the nature of the root cause (CWE-362), the patch almost certainly introduces proper synchronization primitives (for example, locking mechanisms or serialized access) to the shared resource within the Print Spooler component that was previously being accessed concurrently without adequate protection. This is consistent with credited researcher Marcin Wiązowski's other Print Spooler and GDI race condition findings disclosed through the Zero Day Initiative, where fixes typically involved adding object locking to prevent the race window.
All listed updates carry a Customer Action Required status. Administrators should verify their Windows Update settings or manually download the appropriate KB from the Microsoft Update Catalog.
Affected Systems and Versions
The vulnerability affects a wide range of Windows client and server platforms. Based on the KB articles issued by Microsoft, the following systems are confirmed affected:
Windows Client:
- Windows 11 Version 26H1 (x64, ARM64), builds prior to 10.0.28000.2113
- Windows 11 Version 24H2 and 25H2 (x64, ARM64), builds prior to 10.0.26100.8457 / 10.0.26200.8457
- Windows 11 Version 23H2 (x64, ARM64), builds prior to 10.0.22631.7079
- Windows 10 Version 22H2 and 21H2 (x64, ARM64, 32-bit), builds prior to 10.0.19045.7291 / 10.0.19044.7291
- Windows 10 Version 1809 (x64, 32-bit), builds prior to 10.0.17763.8755
- Windows 10 Version 1607 (x64, 32-bit), builds prior to 10.0.14393.9140
Windows Server:
- Windows Server 2025, builds prior to 10.0.26100.32860
- Windows Server 2022, builds prior to 10.0.20348.5139
- Windows Server 2022, 23H2 Edition (Server Core), builds prior to 10.0.25398.2330
- Windows Server 2019, builds prior to 10.0.17763.8755
- Windows Server 2016, builds prior to 10.0.14393.9140
- Windows Server 2012 R2, builds prior to 6.3.9600.23181
- Windows Server 2012, builds prior to 6.2.9200.26079
Vendor Security History
The Windows Print Spooler has a well-documented history of security vulnerabilities, most notably the PrintNightmare family of flaws in 2021. Microsoft's security response process is mature, with a predictable monthly Patch Tuesday cadence. The May 2026 cycle addressed 120 vulnerabilities simultaneously with no zero days disclosed, demonstrating the vendor's capacity to manage large volumes of security defects across its product portfolio.
The coordinated disclosure timeline for CVE-2026-34342 is worth noting: the vulnerability was reported to Microsoft on January 12, 2026, and publicly released alongside the patch on May 12, 2026, a four-month turnaround. The credited researcher, Marcin Wiązowski, has a track record of disclosing Print Spooler and GDI race condition vulnerabilities through the Zero Day Initiative.
References
- Microsoft Security Update Guide: CVE-2026-34342
- ZDI-26-310: Zero Day Initiative Advisory
- CVE-2026-34342 on Tenable
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Desktop Operating System Market Share Worldwide (Statcounter)
- Desktop Windows Version Market Share Worldwide (Statcounter)
- Microsoft Update Catalog



