OpenPrinting CUPS: Heap out-of-bounds read in SNMP supply-level polling leaks stack memory to authenticated users
OpenPrinting CUPS has a flaw in its SNMP supply-level polling that allows an attacker to leak up to 176 bytes of memory from the print server. The leaked data becomes visible to authenticated users when they check printer information, potentially exposing sensitive information.
A network-adjacent attacker can send a crafted SNMP response to trigger an out-of-bounds heap read in the CUPS SNMP backend, leaking stack memory that is converted from UTF-16 to UTF-8 and stored as printer supply descriptions. The leaked data is then exposed to authenticated users via IPP Get-Printer-Attributes responses and the web interface. Pre-condition: SNMP backend enabled and network access to CUPS; impact is information disclosure of stack contents (CWE-125, CWE-200).