CVE-2020-0790 in Windows
Summary
by MITRE
<p>A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.</p> <p>This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.</p> <p>The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls..</p>
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/24/2026
The vulnerability identified as CVE-2020-0790 represents a critical local elevation of privilege flaw within the Windows operating system's splwow64.exe component. This executable serves as a 32-bit helper process for the Windows print subsystem and is responsible for handling various printer-related operations. The vulnerability arises from improper handling of specific function calls within splwow64.exe that are typically initiated by the print spooler service. When an attacker successfully exploits this flaw, they can escalate their privileges from low-integrity to medium-integrity levels, which represents a significant security compromise in the Windows privilege model. This vulnerability aligns with CWE-264, which addresses permissions, privileges, and access controls, specifically focusing on improper privilege management in system components. The attack vector requires local system access and leverages the inherent trust relationships within the Windows print subsystem.
The technical implementation of this vulnerability stems from splwow64.exe's failure to properly validate and process certain inter-process communication calls that occur during printer driver installation or operation. The flaw occurs when the system processes specific printer-related function calls that are meant to be handled with elevated privileges but are instead processed with reduced integrity levels. This improper privilege handling creates a window where malicious code can manipulate the execution flow to gain higher privileges. The vulnerability does not permit direct code execution but serves as a crucial stepping stone for more sophisticated attacks, as it provides the necessary privilege escalation capability that attackers can combine with other vulnerabilities. This characteristic places the vulnerability within the ATT&CK framework's privilege escalation category, specifically under techniques that involve manipulating system components to gain elevated access rights. The flaw is particularly concerning because it operates within the legitimate Windows print subsystem, making it difficult to detect through standard security monitoring.
The operational impact of CVE-2020-0790 extends beyond immediate privilege escalation, as it creates opportunities for attackers to establish persistent access to compromised systems. Once elevated to medium-integrity level, attackers can leverage this position to perform actions such as installing additional malware, modifying system configurations, or accessing sensitive data that would otherwise be protected by standard security controls. The vulnerability's exploitation typically requires a local account with minimal privileges, making it particularly dangerous in environments where multiple users share systems or where default accounts have elevated access rights. Security researchers have noted that this vulnerability can be chained with other exploits, such as those targeting the Windows kernel or other subsystems, to achieve full system compromise. The impact is further amplified by the fact that the print spooler service is enabled by default on most Windows systems, providing attackers with consistent access points for exploitation. Organizations running affected Windows versions must consider this vulnerability as a potential entry point for advanced persistent threats, as it can be used to establish a foothold that persists across system reboots and is difficult to detect through conventional means.
Mitigation strategies for CVE-2020-0790 focus primarily on applying the official Microsoft security update that addresses the privilege handling flaw in splwow64.exe. System administrators should prioritize patch deployment across all affected Windows systems, particularly those running Windows 10 versions 1903 and 1909, which were most vulnerable to this particular exploit. Additional protective measures include implementing least privilege principles for print spooler service accounts, disabling unnecessary printer drivers, and monitoring for unusual print-related processes or activities that might indicate exploitation attempts. Organizations should also consider implementing application whitelisting policies to restrict execution of potentially malicious code through the print subsystem. The vulnerability's remediation aligns with Microsoft's security best practices for privilege management and component hardening, as outlined in their security response documentation. Network segmentation and monitoring solutions should be configured to detect anomalous behavior patterns related to print spooler services, as these can serve as early indicators of exploitation attempts. Given the vulnerability's potential for chaining with other exploits, comprehensive security assessments should be conducted to identify and remediate additional weaknesses in the system's overall security posture.