CVE-2026-39314
Published 2026-04-07
Priority: P4 · 26 · medium · 6.2 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.15% (4.9th percentile)
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
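The missing lower bound described above, as an added example: this is not the CUPS source, and the function names, the mask character and the sample inputs are assumptions; only the 33-byte buffer size comes from the description. The flawed length is only computed and then refused, never passed to memset().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_BUF 33  /* 33-byte stack buffer, per the advisory text */

/* Flawed pattern (hypothetical name): only the upper bound is capped, so a
 * negative value passes and wraps when converted to size_t. Returns the
 * length that would reach memset(); nothing is written here. */
static size_t flawed_fill_len(int maxlen)
{
    if (maxlen > PASSWORD_BUF - 1)
        maxlen = PASSWORD_BUF - 1;
    return (size_t)maxlen;          /* -1 becomes SIZE_MAX */
}

/* Hardened pattern: bound both ends before the signed-to-unsigned cast. */
static size_t safe_fill_len(int maxlen)
{
    if (maxlen < 0)
        return 0;
    if (maxlen > PASSWORD_BUF - 1)
        maxlen = PASSWORD_BUF - 1;
    return (size_t)maxlen;
}

/* Fills out with len mask characters; returns len, or -1 when the
 * requested length does not fit (the second line of defence). */
static int build_mask(char *out, size_t outsize, size_t len)
{
    if (len >= outsize)
        return -1;                  /* would overrun: refuse */
    memset(out, '*', len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    int samples[] = { 8, 64, -1 };  /* constructed inputs */
    char buf[PASSWORD_BUF];
    for (size_t i = 0; i < 3; i++)
        printf("in=%d flawed=%zu safe=%zu mask=%d\n", samples[i],
               flawed_fill_len(samples[i]), safe_fill_len(samples[i]),
               build_mask(buf, sizeof(buf), safe_fill_len(samples[i])));
    return 0;
}
```

Checking the length against the destination size at the point of the write, as build_mask() does, catches the wrapped value even if an earlier validation step is incomplete.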
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups | — | — |
| msrc | azl3_cups_2.4.16-1_on_azure_linux_3.0 | — | — |
| openprinting | cups | <= 2.4.16 | — |
| ubuntu | cups | — | — |
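CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 6.2 (v3.1) | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 4.0 | MEDIUM | |
| vendor_ubuntu | 6.3 | MEDIUM | |
| vendor_debian | 4.0 | MEDIUM | |
| vendor_msrc | 4.0 | MEDIUM | |
| vendor_redhat | 4.0 | MEDIUM | |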
OSV
CVE-2026-39314: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
osv·2026-04-07·CVSS 4.0
CVE-2026-39314 [MEDIUM] CVE-2026-39314: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
Ubuntu
CUPS regression
vendor_ubuntu·2026-06-15·CVSS 6.3
CVE-2026-27447 [MEDIUM] CUPS regression
Title: CUPS regression
Summary: USN-8405-1 introduced a regression in CUPS
USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a
regression that caused CUPS to crash when parsing certain large printer PPD
files. This update fixes the problem.
Original advisory details:
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly ha
Ubuntu
CUPS vulnerabilities
vendor_ubuntu·2026-06-08·CVSS 6.3
CVE-2026-41079 [MEDIUM] CUPS vulnerabilities
Title: CUPS vulnerabilities
Summary: Several security issues were fixed in CUPS.
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly handled filter option strings
when processing job attributes. An attacker could use this issue to cause
CUPS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-34979
Red Hat
cups: CUPS: Denial of Service via integer underflow in IPP attribute handling
vendor_redhat·2026-04-07·CVSS 4.0
CVE-2026-39314 [MEDIUM] CWE-191 cups: CUPS: Denial of Service via integer underflow in IPP attribute handling
A flaw was found in CUPS, an open-source printing system. An unprivileged local user can exploit an integer underflow vulnerability by providing a negative job-password-supported Internet Printing Protocol (IPP) attribute. This manipulation causes the cupsd root process to crash, which can be repeatedly triggered to achieve a sustained Denial of Service (DoS) on the system.
Statement: This Moderate impact vulnerability in CUPS allows an unprivileged local user to trigger a denial of service by providing a specially crafted IPP attribute. This can repeatedly crash the `cupsd` root process, leading to a sustained denial of service on Red Hat Enterprise Linux systems where CUPS is enabled.
Microsoft
CUPS has an integer underflow in `_ppdCreateFromIPP` causes root cupsd crash via negative `job-password-supported`
vendor_msrc·2026-04-02·CVSS 4.0
CVE-2026-39314 [MEDIUM] CWE-191 CUPS has an integer underflow in `_ppdCreateFromIPP` causes root cupsd crash via negative `job-password-supported`
Customer Action Required: Yes
Debian
CVE-2026-39314: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
vendor_debian·2026·CVSS 4.0
CVE-2026-39314 [MEDIUM] CVE-2026-39314: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39314 cups: CUPS: Denial of Service via integer underflow in IPP attribute handling [fedora-all]
bugzilla·2026-04-08·CVSS 4.0
CVE-2026-39314 [MEDIUM] CVE-2026-39314 cups: CUPS: Denial of Service via integer underflow in IPP attribute handling [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39314 cups: CUPS: Denial of Service via integer underflow in IPP attribute handling
bugzilla·2026-04-07·CVSS 4.0
CVE-2026-39314 [MEDIUM] CVE-2026-39314 cups: CUPS: Denial of Service via integer underflow in IPP attribute handling
Wiz
CVE-2026-39316 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-39316 [MEDIUM] CVE-2026-39316 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39316: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
Source: NVD
Score: 4
Published April 7, 2026
Wiz
CVE-2026-39314 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-39314 [MEDIUM] CVE-2026-39314 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39314: OpenPrinting CUPS vulnerability analysis and mitigation
Source: NVD
Published 2026-04-07