Microsoft’s July 14, 2026 security updates patch CVE-2026-57085, a Windows Print Spooler information-disclosure flaw that can let a locally authenticated attacker read data from memory. The bug is not a repeat of PrintNightmare: it is rated CVSS 5.5 (Medium), requires local access and low privileges, and does not provide code execution, elevation of privilege, or a remote attack path on its own.
Microsoft’s Security Update Guide identifies the vulnerability as an out-of-bounds read in Windows Print Spooler Components. The National Vulnerability Database records it as CWE-125, the standard classification for a read beyond the intended bounds of a memory buffer. In practical terms, an attacker who can already run code as an authorized user could potentially coax the spooler into disclosing information that should have remained inaccessible.
The immediate action is straightforward: deploy the July 2026 cumulative updates to affected Windows clients and servers, with particular urgency on shared systems and print infrastructure where local user access is common.
Windows Print Spooler remains a high-value target because it is broadly deployed, processes complex printer and driver data, and frequently runs on systems that serve many users. That history understandably makes any newly disclosed spooler vulnerability alarming. But the technical boundaries here matter.
Microsoft’s CVSS vector specifies local attack access, low attack complexity, low required privileges, no user interaction, unchanged scope, and high confidentiality impact. The absence of an integrity or availability impact means the disclosed issue is about reading protected information, not changing files, crashing a device, or directly taking control of Windows.
That does not make it harmless. Memory disclosure vulnerabilities can expose fragments of sensitive material, including application data, configuration details, or values that make later attacks easier. The precise contents recoverable through CVE-2026-57085 have not been publicly described, and Microsoft has not published proof-of-concept code or detailed exploit mechanics.
That restraint limits what defenders can conclude about exploit reliability. It also means administrators should not turn an advisory about an out-of-bounds read into speculation about remote spooler compromise. This is a confirmed local disclosure vulnerability, not a documented remote-code-execution incident.
The “none” designation means CISA had no indication of known exploitation at the time the record was assessed on July 14. “No” for automation suggests the issue is not currently considered a broadly scalable attack primitive. “Partial” reflects the confidentiality-only nature of the documented impact.
For enterprise risk teams, that puts CVE-2026-57085 below vulnerabilities that permit unauthenticated network access, SYSTEM-level privilege escalation, or known active exploitation. It should still be remediated in the normal expedited security-update cycle—especially on multi-user servers, virtual desktop hosts, kiosk fleets, and print servers—but it does not, based on public information available now, demand the emergency response posture associated with PrintNightmare in 2021.
For commonly deployed platforms, the relevant July cumulative updates and patched build levels are:
The Microsoft-supplied affected ranges also include Windows Server 2012 and Windows Server 2012 R2, including Server Core. Those systems require their applicable July security servicing packages and, where relevant, valid Extended Security Updates entitlement.
There is one detail administrators should treat carefully: the public affected-product metadata describes Windows 11 25H2 using a baseline relationship that does not neatly match its separately reported 26200 build numbering. That appears to reflect shared servicing lineage with Windows 11 24H2 rather than a reason to withhold KB5101650. The practical remediation target for 25H2 is the July cumulative update and build 26200.8875.
On individual machines,
Microsoft’s July release also includes unrelated platform changes and fixes, so change-control testing remains appropriate. The Server 2022 release notes, for example, note a security hardening change affecting applications that use sockets over unregistered third-party TDI transports. That is not tied to CVE-2026-57085, but it is a reminder that the right test plan is the full cumulative update—not an isolated print-spooler patch that does not exist.
Still, the vulnerability reinforces a long-standing hardening decision: systems with no printing role generally do not need Print Spooler running. Domain controllers, identity infrastructure, jump servers, and dedicated application servers should be reviewed for unnecessary spooler use. Reducing service exposure cannot replace timely patching, but it narrows the available attack surface and prevents a printer-related weakness from becoming relevant on systems that never needed printing in the first place.
For endpoints and print servers that must run the service, focus on the basics: limit local interactive access, keep printer drivers and queues under controlled administrative management, separate general user workloads from sensitive server roles, and maintain monitoring for unexpected spooler failures or driver-installation activity.
CVE-2026-57085 is a contained but real Windows security issue: confirmed by Microsoft, locally exploitable, and capable of disclosing sensitive information. The July 14 cumulative updates close it; the next operational question is whether every device that runs the spooler has actually reached its patched build.
Microsoft’s Security Update Guide identifies the vulnerability as an out-of-bounds read in Windows Print Spooler Components. The National Vulnerability Database records it as CWE-125, the standard classification for a read beyond the intended bounds of a memory buffer. In practical terms, an attacker who can already run code as an authorized user could potentially coax the spooler into disclosing information that should have remained inaccessible.
The immediate action is straightforward: deploy the July 2026 cumulative updates to affected Windows clients and servers, with particular urgency on shared systems and print infrastructure where local user access is common.
A Local Bug With a Familiar Windows Service Name
Windows Print Spooler remains a high-value target because it is broadly deployed, processes complex printer and driver data, and frequently runs on systems that serve many users. That history understandably makes any newly disclosed spooler vulnerability alarming. But the technical boundaries here matter.Microsoft’s CVSS vector specifies local attack access, low attack complexity, low required privileges, no user interaction, unchanged scope, and high confidentiality impact. The absence of an integrity or availability impact means the disclosed issue is about reading protected information, not changing files, crashing a device, or directly taking control of Windows.
That does not make it harmless. Memory disclosure vulnerabilities can expose fragments of sensitive material, including application data, configuration details, or values that make later attacks easier. The precise contents recoverable through CVE-2026-57085 have not been publicly described, and Microsoft has not published proof-of-concept code or detailed exploit mechanics.
That restraint limits what defenders can conclude about exploit reliability. It also means administrators should not turn an advisory about an out-of-bounds read into speculation about remote spooler compromise. This is a confirmed local disclosure vulnerability, not a documented remote-code-execution incident.
CISA’s Triage Data Does Not Point to Active Exploitation
The NVD entry, sourced from Microsoft’s CVE record, includes CISA’s SSVC assessment: exploitation is listed as “none,” automation as “no,” and technical impact as “partial.” Those fields are operational prioritization inputs, not guarantees that no one will ever weaponize the flaw, but they are useful context for patch managers handling a crowded July release.The “none” designation means CISA had no indication of known exploitation at the time the record was assessed on July 14. “No” for automation suggests the issue is not currently considered a broadly scalable attack primitive. “Partial” reflects the confidentiality-only nature of the documented impact.
For enterprise risk teams, that puts CVE-2026-57085 below vulnerabilities that permit unauthenticated network access, SYSTEM-level privilege escalation, or known active exploitation. It should still be remediated in the normal expedited security-update cycle—especially on multi-user servers, virtual desktop hosts, kiosk fleets, and print servers—but it does not, based on public information available now, demand the emergency response posture associated with PrintNightmare in 2021.
July’s Cumulative Updates Carry the Fix
Microsoft published CVE-2026-57085 on July 14 as part of its monthly security release. The affected-version data supplied by Microsoft covers current Windows releases as well as several long-serviced client and server branches, including Server Core installations.For commonly deployed platforms, the relevant July cumulative updates and patched build levels are:
| Platform | July 14, 2026 update | Patched build |
|---|---|---|
| Windows 11 24H2 | KB5101650 | 26100.8875 |
| Windows 11 25H2 | KB5101650 | 26200.8875 |
| Windows 11 26H1 | KB5101649 | 28000.2525 |
| Windows 10 21H2 / 22H2 | KB5099539 | 19044.7548 / 19045.7548 |
| Windows Server 2016 | KB5099535 | 14393.9339 |
| Windows Server 2019 | KB5099538 | 17763.9020 |
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 | KB5099536 | 26100.33158 |
There is one detail administrators should treat carefully: the public affected-product metadata describes Windows 11 25H2 using a baseline relationship that does not neatly match its separately reported 26200 build numbering. That appears to reflect shared servicing lineage with Windows 11 24H2 rather than a reason to withhold KB5101650. The practical remediation target for 25H2 is the July cumulative update and build 26200.8875.
Patch Verification Needs More Than a Green Windows Update Screen
For managed fleets, confirm both deployment status and resulting OS build rather than assuming a successfully offered update reached every machine. Windows Update for Business, WSUS, Microsoft Configuration Manager, and Intune reporting can identify devices that have not received the July cumulative update; endpoint inventory should then verify the relevant build threshold.On individual machines,
winver supplies the quickest build check. Administrators can also use PowerShell or their endpoint-management inventory to query installed hotfixes and build numbers at scale. The build check is especially useful on systems that have deferred quality updates, are subject to safeguard holds, or use offline servicing.Microsoft’s July release also includes unrelated platform changes and fixes, so change-control testing remains appropriate. The Server 2022 release notes, for example, note a security hardening change affecting applications that use sockets over unregistered third-party TDI transports. That is not tied to CVE-2026-57085, but it is a reminder that the right test plan is the full cumulative update—not an isolated print-spooler patch that does not exist.
Reducing Print Spooler Exposure Is Still Worth Doing
Patching is the fix for CVE-2026-57085. Disabling the Print Spooler service is not Microsoft’s designated mitigation for this specific advisory, and organizations should not disrupt necessary printing merely because the component appears in a CVE title.Still, the vulnerability reinforces a long-standing hardening decision: systems with no printing role generally do not need Print Spooler running. Domain controllers, identity infrastructure, jump servers, and dedicated application servers should be reviewed for unnecessary spooler use. Reducing service exposure cannot replace timely patching, but it narrows the available attack surface and prevents a printer-related weakness from becoming relevant on systems that never needed printing in the first place.
For endpoints and print servers that must run the service, focus on the basics: limit local interactive access, keep printer drivers and queues under controlled administrative management, separate general user workloads from sensitive server roles, and maintain monitoring for unexpected spooler failures or driver-installation activity.
CVE-2026-57085 is a contained but real Windows security issue: confirmed by Microsoft, locally exploitable, and capable of disclosing sensitive information. The July 14 cumulative updates close it; the next operational question is whether every device that runs the spooler has actually reached its patched build.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
MS16-087: Security update for Windows print spooler components: July 12, 2016 | Microsoft Support
Resolves a vulnerability in Windows that could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.support.microsoft.com - Official source: microsoft.com
- Related coverage: aha.org