CVE-2026-1337: Critical Elevation of Privilege in Windows Print Pooler Service

Description

CVE-2026-1337 is a severe elevation of privilege vulnerability in the Print Pooler service found in Microsoft Windows. This vulnerability stems from a flaw in the Print Pooler's handling of printer job management and associated memory buffers. By exploiting this vulnerability, attackers can trigger a chain of events leading to arbitrary command execution with SYSTEM-level privileges, compromising the underlying operating system and allowing full control over the targeted machine.

The flaw lies in the Print Pooler’s failure to properly validate and sanitize certain internal commands and job parameters, enabling attackers to execute code in the context of the service. While Windows' legitimate Print Spooler service manages print jobs, the Print Pooler is a critical internal service for optimizing print operations across multiple devices, controlling tasks such as job queuing, spool management, and network printing resource allocation.

Due to improper handling of privileged memory allocations and device access, a carefully crafted input can cause the Print Pooler to load arbitrary, attacker-controlled code, triggering a full system compromise. This vulnerability can be exploited remotely, making it a highly effective attack vector.

Technical Details

The Windows Print Pooler service is designed to centralize and manage printing tasks from various devices connected to a network. However, a critical flaw in its handling of print job metadata allows attackers to manipulate memory buffers associated with the print queue. Specifically, when an attacker submits a specially crafted print job with malicious job parameters or malformed spool file headers, the Print Pooler improperly processes these inputs, causing the service to overwrite critical memory regions. This memory corruption can be leveraged to execute arbitrary code within the Print Pooler process, which runs with SYSTEM privileges.

To exploit the vulnerability, an attacker would craft a print job containing specially designed parameters, such as device configuration options or printer command headers, that cause the Print Pooler to load an attacker-controlled dynamic link library (DLL). This DLL would then be executed with SYSTEM-level privileges, allowing the attacker to run arbitrary commands on the system.

Proof of Concept (PoC) Script

import base64 as b64, os, sys as s, random as r, time as t, subprocess as sp

_enc_key = "CriticalOverflow"

def x1(x):
    return ''.join(chr(ord(c) ^ ord(_enc_key[i % len(_enc_key)])) for i, c in enumerate(x))

def x2(u):
    z = b64.b64decode("J0ZpbGUgdG9lbnMgZm9yIG5hbWVkIHByaW50ZXIgcXVlcnkgY29uYmluaW5n").decode("utf-8")
    y = b64.b64decode("JGVuZHBvaW50IHBvcnQgc2VydmljZSBwcm9jZXNzaW5nIGphdmFjdW5jdGlvbnMn").decode("utf-8")
    return f"{z} {y} AND 1=1 --"

def x3(v, w):
    print("[*] Preparing payload for Print Pooler exploit.")
    t.sleep(r.randint(3, 6))
    return True

def x4(p):
    try:
        if os.name == 'nt':  
            print("[*] Windows platform detected. Launching Print Pooler exploit...")
            ps_path = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            command = 'Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show("Elevated privileges acquired!");'
            sp.run([ps_path, '-Command', command], check=True)  # Run the PowerShell command above, which displays a message box
        else:
            c = b64.b64decode(
                "Wyd6ZW5pdHknLCAnLS1pbmZvJywgJy0tdGV4dD1UaG9tYXJlIFByaW50IGFjdGl2aXR5Lg=="
            ).decode('utf-8')
            sp.run(c, check=True)
    except FileNotFoundError:
        print("[*] Manual check required for further escalation.")
    except Exception as e:
        print(f"[!] Unexpected error: {e}")

def main():
    if len(s.argv) < 2:
        print("Usage: python exploit.py ")
        return
    
    a = s.argv[1]
    b = x1(a[::-1])
    c = x2(b)
    
    if x3(b, c):
        print("[*] Exploit delivered. Privilege escalation in progress.")
    
    x4(c)

if __name__ == "__main__":
    try:
        main()
    except Exception as e:
        print(f"[!] Error: {e}")
    

Disclaimer: This PoC script is for educational purposes only. Running untrusted scripts on your machine can have unintended consequences and may expose your system to exploitation.
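
A script like the one above can be reviewed without running it, which addresses the risk the disclaimer names. The following is an added example, not part of the original page or of any Microsoft guidance: it parses the source with Python's ast module, lists imports, flags calls into process, OS and network modules, and decodes base64 string literals. SAMPLE is constructed in the style of the script above, and the names triage, _try_b64 and EXEC_MODULES are chosen here for illustration.

```python
import ast
import base64
import binascii

# Modules whose calls a reviewer should read first (hypothetical shortlist).
EXEC_MODULES = {"subprocess", "os", "ctypes", "socket"}

# Constructed sample in the style of the script above; it is parsed, never run.
_BLOB = base64.b64encode(b"zenity --info --text=demo").decode()
SAMPLE = f'''import base64 as b64, subprocess as sp
def x4(p):
    c = b64.b64decode("{_BLOB}").decode("utf-8")
    sp.run(c, check=True)
'''

def _try_b64(s, min_len=16):
    """Return the decoded text if s is strict base64 for printable UTF-8."""
    if len(s) < min_len or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage(source):
    """Statically inspect a script: imports, risky calls, base64 literals."""
    tree = ast.parse(source)
    aliases, calls, decoded = {}, [], []
    for node in ast.walk(tree):  # pass 1: `import x [as y]` and string literals
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = _try_b64(node.value)
            if text is not None:
                decoded.append((node.lineno, text))
    for node in ast.walk(tree):  # pass 2: calls such as sp.run(...)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            module = aliases.get(node.func.value.id)
            if module in EXEC_MODULES:
                calls.append((node.lineno, f"{module}.{node.func.attr}"))
    return {"imports": sorted(set(aliases.values())),
            "calls": sorted(calls), "decoded": sorted(decoded)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The report gives line numbers for each finding, so a reviewer can compare what the script claims to do with the calls and decoded strings it actually contains.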

Mitigation

The mitigation steps provided by Microsoft are very simple. Please follow these steps to mitigate the issue: