CVE-2026-54991 is a Windows USB Print Driver elevation of privilege vulnerability caused by a race condition (concurrent execution using shared resource with improper synchronization). Microsoft rates it at CVSS v3.1 base 7.8 and temporal 6.8. The vector is LOCAL, LOW attack complexity, LOW privileges required, and no user interaction, with unchanged scope and high confidentiality, integrity, and availability impact. Microsoft states exploitation has not been publicly disclosed or observed, exploit code maturity is unproven, and customer action is required. If successfully exploited, an attacker could gain SYSTEM privileges. Enterprise risk is concentrated on systems where a local attacker foothold is possible, rather than network-exposed services. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. - Exploitation likelihood: Exploitation Less Likely; vector is LOCAL with LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High severity by CVSS, but practical risk is lower for internet-facing services because the attack is local-only; higher concern exists on endpoints and servers where untrusted local access is possible. - Patch status: available; customer action required. Affected systems: - Windows 11 24H2 - Windows 11 25H2 - Windows 11 26H1 - Windows 11 unspecified - Windows Server 2025