Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local authenticated user (PR:L, AV:L) plants a driver file with no user interaction; vulnerable driver loads it as SYSTEM giving full C/I/A on the host with no scope change.
Primary rating from Vendor (jpcert).
CVSS VectorVendor: jpcert
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Multiple printer drivers provided by Ricoh Company, Ltd. and KONICA MINOLTA JAPAN, INC. contain a privilege escalation vulnerability. If this vulnerability is exploited, an attacker who can log in to a computer running an affected printer driver could elevate privileges by using a specially crafted driver.
AnalysisAI
Local privilege escalation in multiple Ricoh and Konica Minolta printer drivers on Windows hosts allows an authenticated low-privileged user to gain higher privileges by supplying a specially crafted driver component. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), and at time of analysis no public exploit identified at time of analysis. CVSS 4.0 of 8.5 reflects high confidentiality, integrity, and availability impact despite requiring local access.
Technical ContextAI
Printer drivers on Windows typically execute portions of their installation and update logic in the context of the print spooler service or other SYSTEM-level processes. CWE-427 (Uncontrolled Search Path Element) covers cases where a privileged process loads a DLL, executable, or driver component from a directory writable by a low-privileged user, or follows a search order that can be hijacked. In this case, both Ricoh and Konica Minolta ship multiple printer driver packages (per the CPE strings cpe:2.3:a:ricoh_company,_ltd.:multiple_printer_drivers and cpe:2.3:a:konica_minolta_japan,_inc.:multiple_printer_drivers) that resolve a driver-related path insecurely, allowing a planted 'crafted driver' to be loaded with elevated rights during driver install, update, or print job processing.
RemediationAI
Patch available per vendor advisory: update each affected Ricoh and Konica Minolta printer driver to the fixed build listed in https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000002 and https://www.konicaminolta.jp/business/support/important/260615_01_01.html, cross-checked against the JVN coordination notice at https://jvn.jp/en/jp/JVN55319858/. Until patched drivers are deployed, restrict standard users from writing to driver installation, spooler, and per-printer driver directories (lock down ACLs on %WINDIR%\System32\spool\drivers and any vendor-specific 'Driver' folders), disable Point and Print non-administrator driver installation via the Group Policy 'Limits print driver installation to Administrators' setting, and remove unused Ricoh/Konica Minolta print queues from shared endpoints - note that these controls will break self-service driver installs and may require help-desk involvement for legitimate printer setup. Monitor for unexpected DLLs or driver files appearing in driver search paths as a detective control.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36701
GHSA-7c4j-4vwf-c9vr