Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Windows Print Spooler Use-After-Free Remote Code Execution

IdentifiersCVE-2026-23669CWE-416· Use After Free

CVE-2026-23669 is a use-after-free vulnerability in Windows Print Spooler components. The available reporting describes it as an authenticated remote code execution flaw in the Windows print queue / Print Spooler service, with behavior compared to the 2021 PrintNightmare class of issues. Exploitation is reported to be possible when an authorized or authenticated attacker sends specially crafted network messages or network traffic to a system running the Print Spooler service, triggering memory corruption and allowing injection and execution of malicious code. No user interaction is required based on the provided content.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution on the target Windows system hosting the Print Spooler service. Given the affected component and comparisons to prior Print Spooler exploitation, this could enable full compromise of the target host in the security context of the vulnerable service, supporting follow-on actions such as persistence, lateral movement, and broader environment compromise. The provided content does not state active in-the-wild exploitation at the time of reporting.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling the Print Spooler service on systems that do not require printing functionality, especially high-value servers and domain-adjacent systems, and restrict network access to hosts running Print Spooler so that only trusted administrative or print-management paths can reach the service. Minimize the number of systems with the service enabled and monitor for anomalous spooler-related network activity. The provided content does not include official Microsoft workaround details beyond patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's March 2026 security updates that address CVE-2026-23669 on affected Windows 10, Windows 11, and Windows Server systems. Prioritize patching systems where the Print Spooler service is enabled and reachable over the network, as multiple sources in the provided content specifically recommend rapid deployment of the fix.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindowsoperating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Print Spoolerapplication
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
outpost24 blogNews
Mar 11, 2026
Microsoft Patch Tuesday - March 2026

A Windows Print Spooler remote code execution vulnerability where an authenticated attacker can send specially crafted network traffic to trigger memory corruption and potentially execute code on the target system.

Read more
help net securityNews
Mar 11, 2026
Microsoft patches 80+ vulnerabilities, six flagged as "more likely" to be exploited - Help Net Security

An authenticated remote code execution vulnerability in the Windows Print Spooler service.

Read more
pcworldNews
Mar 11, 2026
Microsoft's March 2026 update fixes 80+ security vulnerabilities | PCWorld

A remote code execution vulnerability in the Windows print queue/spooler-like component, similar in behavior to PrintNightmare, allowing network-based code execution by a privileged attacker without user interaction.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23669
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23669
MITRE CWE · CWE-416
Use After Free
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23669