PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32223 Microsoft CVE debrief

A heap-based buffer overflow vulnerability in the Windows USB Print Driver allows privilege escalation via physical access. The flaw, tracked as CVE-2026-32223, was published on April 14, 2026, and last modified on May 26, 2026. Microsoft has assigned a CVSS 3.1 score of 6.8 (Medium severity), with the attack vector requiring physical access to the target system. The vulnerability affects multiple Windows 11 versions (24H2, 25H2, 26H1) on both ARM64 and x64 architectures, as well as Windows Server 2025. Specific build numbers prior to 10.0.26100.8246 (24H2), 10.0.26200.8246 (25H2), 10.0.28000.1836 (26H1), and 10.0.26100.32690 (Server 2025) are vulnerable. The weakness is categorized as CWE-122 (Heap-based Buffer Overflow). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Microsoft
Product
Windows 11 Version 24H2
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-14
Original CVE updated
2026-05-26
Advisory published
2026-04-14
Advisory updated
2026-05-26

Who should care

Organizations with Windows 11 workstations in environments where physical security may be compromised, such as retail kiosks, healthcare patient areas, educational computer labs, conference rooms, and shared workspaces. Security teams responsible for endpoint hardening and privilege escalation prevention. IT administrators managing Windows Server 2025 deployments with USB device access.

Technical summary

The vulnerability exists in the Windows USB Print Driver, a kernel-mode component responsible for handling USB printer device communications. A heap-based buffer overflow (CWE-122) can be triggered when processing malformed data from a USB-connected device. Successful exploitation allows an attacker with physical access to escalate privileges on the affected system. The attack complexity is low, and no user interaction is required beyond the physical connection of a malicious USB device. The vulnerability does not cross security boundaries (scope unchanged) but provides high impact to confidentiality, integrity, and availability of the affected system.

Defensive priority

medium

Recommended defensive actions

  • Apply security updates from Microsoft to address the heap-based buffer overflow in the Windows USB Print Driver. Prioritize patching systems in environments where physical security controls may be insufficient, such as k
  • Review and restrict physical access to systems running affected Windows versions, particularly workstations in public or semi-public areas, shared office spaces, and environments with high visitor traffic.
  • Monitor for anomalous privilege escalation activities on systems where immediate patching is not feasible, focusing on unexpected process elevation and driver loading events.
  • Validate that endpoint protection solutions are configured to detect and block exploitation attempts targeting kernel-mode driver vulnerabilities, particularly those involving USB device interactions.

Evidence notes

The vulnerability requires physical access (AV:P), which limits widespread exploitation but does not eliminate risk in environments where attackers may gain brief physical access to unattended workstations. The heap overflow in a kernel-mode driver (USB Print Driver) provides a path to elevated privileges.

Official resources

Microsoft disclosed this vulnerability through their Security Response Center. The issue was modified in late May 2026, potentially indicating updated guidance or expanded affected product information.