Operation PowerFall: CVE-2020-0986 and variants

2020-09-02 Kaspersky

https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/

Operation PowerFall chained an Internet Explorer 11 remote-code-execution zero-day with CVE-2020-0986, an arbitrary pointer dereference in the Windows GDI Print/Print Spooler API, to escape the IE sandbox. The exploit manipulated splwow64.exe, a medium-integrity print driver host, through its LPC interface and its printer-command handling path. The vulnerable INDEX_DocumentEvent handler in gdi32full.dll let attacker-controlled printer command data reach memory operations, which gave the exploit what it needed for arbitrary code execution during the elevation-of-privilege stage. Kaspersky’s analysis focuses on how the flaw was exploited and on how Microsoft’s fixes and additional mitigations affected related Print/Spooler bug classes.
