EIP-2026-117533

PRE-CVE

Microsoft Windows - Local XPS Print Spooler Sandbox Escape

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-117533. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit leverages a TOCTOU (Time-of-Check to Time-of-Use) vulnerability in the Windows XPS Print Spooler to escape sandbox restrictions. It abuses the spooler's token elevation behavior and a symlink attack via NtImpersonateAnonymousToken to write arbitrary files outside the sandbox, achieving local privilege escalation.

Description

Microsoft Windows - Local XPS Print Spooler Sandbox Escape

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Google Security Research · text · local · windows
https://www.exploit-db.com/exploits/43465

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 1703 and 1709 (XPS Print Spooler)
Auth required
Prerequisites: UAC split-token admin privileges · Access to a sandboxed environment (e.g., Microsoft Edge AC or LPAC) · NtApiDotNet library for compilation
devstral-2 · analyzed Feb 19, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026