Microsoft patched an elevation-of-privilege flaw in the Windows USB Print Driver on July 14, 2026, shipping the fix inside this month’s cumulative security updates. The vulnerability, tracked as CVE-2026-54991, lets an attacker who already has a foothold on a machine escalate to higher privileges – potentially SYSTEM-level control – by exploiting the way Windows handles locally attached USB printers. Every supported Windows client and server release received the patch as part of Patch Tuesday, and administrators should deploy it without delay.
The public advisory published by the Microsoft Security Response Center (MSRC) confirms that the Windows USB Print Driver – the inbox driver stack that loads when you plug in a compatible printer over USB – contains a privilege-escalation bug. Microsoft hasn’t said how the vulnerability is triggered, whether it requires a malicious USB device, a rigged print job, or a compromised application interacting with the print spooler. But because the flaw sits in a core Windows driver that’s present on every installation, the fix deserves attention well beyond dedicated print servers.
What Microsoft actually patched
CVE-2026-54991 is an elevation-of-privilege (EoP) vulnerability. That labels it local: an attacker needs code running on the target machine already, perhaps through a phishing download, stolen credentials, or a browser exploit. From there, the USB print driver flaw can break the barrier that keeps a standard user from becoming an administrator or SYSTEM – the highest-level Windows account. Once armed with those rights, an intruder can disable security tools, steal data, install persistent backdoors, or move laterally across a network.
The component in question is the inbox Windows USB Print Driver, primarily usbprint.sys and its supporting configuration. When you connect a USB printer, Windows enumerates the device, selects the appropriate driver, and loads this stack – even if you later install a third-party driver from the printer manufacturer. That makes the vulnerability relevant on any PC that supports USB printing, which is virtually every Windows machine.
For Windows 11 version 23H2, the fix arrives via KB5099414, which updates the OS to build 22631.7376. Other supported editions – Windows 10, Windows 11 24H2, and all still-serviced Windows Server versions – received their own cumulative packages. Microsoft didn’t publish a separate out-of-band patch or an alternative mitigation; the standard July 2026 update rollup is the remedy.
What this means for you
The practical impact splits along how you use Windows, but the advice converges on a single action: install the July 2026 cumulative update.
Home users and small offices
If you rely on Windows Update to keep your PC current, you’re likely protected once the update installs and you restart. Open Settings → Windows Update, check for updates, and verify that KB5099414 (or the equivalent for your version) appears in your update history. If you have a USB printer – a desktop inkjet, a label printer, a multifunction device – don’t delay. The vulnerability isn’t being actively exploited as far as we know, but everyday users often reuse the same machine for work, banking, and personal browsing, making any privilege-escalation flaw a serious multiplier if malware lands on the system through a different route.
IT administrators and managed environments
Your deployment rings matter. Workstations with locally attached USB printers, point-of-sale terminals, shipping stations, medical carts, and reception kiosks often sit outside standard laptop patching cadences. These machines frequently have constrained interface access but still run the vulnerable inbox driver. After pushing the July update through Windows Update for Business, WSUS, or Microsoft Intune, verify compliance: check build numbers (for Windows 11 23H2, look for 22631.7376 or higher) and confirm that the machine has rebooted. A common failure mode is a pushed update that sits pending restart for weeks because a critical application keeps the system awake.
Test business-critical printing shortly after deployment. While the vulnerability fix sits deep in the driver stack, it’s worth confirming that receipt printers, label makers, and specialized printing workflows still function. If an older vendor-supplied driver misbehaves, the immediate answer is not to remove the security update – contact the printer vendor for a compatible driver, or switch to the Microsoft IPP class driver if your hardware supports it.
Small and midsize businesses that lack dedicated patch management can use the Microsoft Update Catalog to manually download the correct .msu file for each Windows release, then deploy via script or Group Policy. Don’t rely on the “Check for updates” button alone; some machines may have stalled update services or network restrictions.
How we got here: Windows printing’s long shadow
Windows printing has been a security minefield for decades. The print spooler runs with SYSTEM privileges, loads kernel-mode drivers, and communicates with hardware over USB, network, and wireless protocols – all in the name of making a document appear on paper. Exploits that chain through the print stack have appeared regularly: the 2010 Stuxnet attack used a print spooler flaw to spread; 2021’s PrintNightmare saga forced Microsoft into emergency patches and architectural changes; and uncounted lesser CVEs have plagued printer drivers from both Microsoft and third parties.
CVE-2026-54991 isn’t another PrintNightmare. That attack vector allowed remote code execution via the print spooler from an unauthenticated source. The new flaw is local-only, requires an attacker to already run code on the target, and isn’t known to be actively exploited at release. But its presence in an inbox driver that ships with every Windows install – and its potential to hand intruders the keys to the kingdom once they’ve wormed inside – keeps it on the radar for defenders.
Microsoft’s long-term strategy for printing security tilts away from the spaghetti of legacy drivers. Windows now prefers the Microsoft IPP inbox class driver over third-party packages, including over USB when the printer supports IPP-over-USB. The company plans to eventually retire the v3 and v4 driver model in favor of IPP-based printing, which avoids kernel-mode code and reduces attack surface. But that transition won’t happen overnight, and years of USB-only printers – receipt printers, label makers, industrial printers – will remain in service. Inboxes like usbprint.sys will be around for a long time.
Part of the confusion around CVE-2026-54991 stems from the confidence metric that the MSRC advisory mentions. The advisory itself points to a confidence metric that measures how certain the industry is that the vulnerability exists and how credible the technical details are – but Microsoft didn’t assign a specific value to this CVE in the advisory text. Confidence is not a CVSS score; it doesn’t tell you whether exploits are public, how difficult the attack is, or what privileges the attacker gains. For risk prioritization, the fields that matter are the CVSS base score (which Microsoft hasn’t yet published for this CVE), the exploitation assessment (currently likely “not exploited”), and the affected product table. Don’t mistake a confidence label for a severity rating.
What to do now
-
Install the July 2026 cumulative update. On a single PC, open Windows Update, check for updates, and install all pending patches. Reboot. On managed fleets, push the update through your normal patch management tool. Do not skip machines because they lack USB printers; the vulnerable driver is still present.
-
Verify the update took hold. For Windows 11 23H2, the build number post-patch should be 22631.7376. Open the “About your PC” page or run
winverto confirm. On servers, check the OS build against the July 2026 update documentation. If a device shows an older build, investigate the update history; the cumulative update may have failed to install or the machine may need a reboot. -
Test printing. Connect a USB printer, send a test page, and run through a typical print job from your line-of-business application. If printing breaks – especially with a specialty printer like a label or receipt printer – contact the printer vendor for an updated driver. In the meantime, you can often switch to the Microsoft IPP class driver by going to Settings → Bluetooth & devices → Printers & scanners, selecting the device, and changing the driver. This does not remove the security fix; it just changes the driver that applications talk to.
-
Audit your environment for USB printers. Use device management or inventory tools to find endpoints with locally connected USB printing devices. These are the machines where an attacker who breaches a user account could most readily find a privilege-escalation path. Prioritise these devices in your compliance checks.
-
Watch the advisory for updates. Microsoft’s Security Update Guide for CVE-2026-54991 may be revised as more information becomes available. If the company raises the exploitation assessment or publishes a CVSS vector, reassess your urgency. Follow the MSRC website or use the REST API to monitor changes.
-
If you’re on an unsupported Windows version, isolate. End-of-life Windows 7, Windows 8.1, and older Windows 10 releases won’t receive the July 2026 update. If you must keep such systems running, restrict physical and network access as tightly as possible, disable unnecessary user accounts, and consider removing USB printer hardware if it isn’t essential. But recognize that no amount of isolation can repair the vulnerable component; the true fix is migrating to a supported OS.
What comes next
CVE-2026-54991 lands at a time when the security community is increasingly focused on the soft underbelly of operating system driver stacks. Privilege-escalation bugs in trusted modules like USB drivers are golden tickets for post-exploitation toolkits. While Microsoft hasn’t seen active attacks yet, the details that eventually emerge from reverse engineering the patch could change that equation quickly.
For now, this is a straightforward patch story. Install the July 2026 update, keep your print workflows running, and maintain an eye on any follow-on guidance. The broader shift toward IPP printing is a welcome architectural cleanup, but it won’t eliminate the need to patch today’s reality: a world where USB printers still do the heavy lifting.