CVE-2026-32223

MEDIUM

Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-32223. PoCs published by enki-kr, XZ1r0.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-32223, a heap-based buffer overflow in the Windows USB print driver (usbprint.sys). The exploit achieves local privilege escalation (LPE) to SYSTEM by leveraging USB device emulation, pool feng shui, and ghost chunk techniques.

Description

Heap-based buffer overflow in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack.

Exploits (2)

nomisec WORKING POC 1 stars

by enki-kr · poc

https://github.com/enki-kr/CVE-2026-32223-USBPrint-Exploit

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-32223, a heap-based buffer overflow in the Windows USB print driver (usbprint.sys). The exploit achieves local privilege escalation (LPE) to SYSTEM by leveraging USB device emulation, pool feng shui, and ghost chunk techniques.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows USB Print Driver (usbprint.sys)

No auth needed

Prerequisites: USB device emulation (e.g., Linux Raw Gadget) · Named Pipe spray for heap layout control

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Apr 27, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-32223-USBPrint-Exploit

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-32223, a heap-based buffer overflow in the Windows USB print driver (usbprint.sys). The exploit leverages pool feng shui, ghost chunk techniques, and arbitrary read/write primitives to achieve local privilege escalation (LPE) to SYSTEM.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows USB Print Driver (usbprint.sys)

No auth needed

Prerequisites: USB device emulation with malformed descriptors (e.g., Linux Raw Gadget) · Windows environment with vulnerable usbprint.sys driver

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 21, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory patch

Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32223

Various Sources

https://www.vicarius.io/vsociety/posts/cve-2026-32223-detection-script-heap-based-buffer-overflow-in-windows-usb-print-driver

Various Sources

https://www.vicarius.io/vsociety/posts/cve-2026-32223-mitigation-script-heap-based-buffer-overflow-in-windows-usb-print-driver

Scores

CVSS v3 6.8

EPSS 0.0051

EPSS Percentile 39.3%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-122

Status published

Products (10)

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.32690

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8246

Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8246

Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1836

Microsoft/Windows Server 2025 10.0.26100.0 - 10.0.26100.32690

Microsoft/Windows Server 2025 (Server Core installation) 10.0.26100.0 - 10.0.26100.32690

microsoft/windows_11_24h2 < 10.0.26100.8246 (2 CPE variants)

microsoft/windows_11_25h2 < 10.0.26200.8246 (2 CPE variants)

microsoft/windows_11_26h1 < 10.0.28000.1836 (2 CPE variants)

microsoft/windows_server_2025 < 10.0.26100.32690

Published Apr 14, 2026

Tracked Since Apr 14, 2026