Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Published: 2026-04-07
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The integer underflow occurs in the _ppdCreateFromIPP function when the job-password-supported IPP attribute is supplied as a negative value. The bounds check only caps the upper limit, allowing the negative value to pass validation and be cast to a size_t. That value is then used as the length argument to memset on a 33‑byte stack buffer, causing an immediate segmentation fault in the cupsd root process. The result is a denial of service that can be repeatedly triggered by an unprivileged local user.

Affected Systems

OpenPrinting CUPS, versions 2.4.16 and earlier, running on Linux and other Unix‑like operating systems, is affected. This includes the standard cupsd service that processes print jobs and is often started automatically via systemd.

Risk and Exploitability

The CVSS score of 4.0 indicates a low overall risk, and the exploit probability is not published. The vulnerability has not been listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack vector is local; an unprivileged user can send a crafted print job containing a negative job-password-supported attribute to trigger the crash. Because systemd is configured to restart cupsd on failure, the denial of service can be sustained until the service is patched or stopped. No remote exploitation path is reported.

Generated by OpenCVE AI on April 7, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CUPS to version 2.4.17 or later according to the advisory at https://github.com/OpenPrinting/cups/security/advisories/GHSA-pp8w-2g52-7vj7
  • If an immediate upgrade is not possible, restrict local access to the cupsd service or disable printing until the update is applied
  • Monitor system logs for repeated SIGSEGV failures that may indicate survivors of the crash

Generated by OpenCVE AI on April 7, 2026 at 22:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting
Openprinting cups
Vendors & Products Openprinting
Openprinting cups

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Title CUPS has an integer underflow in `_ppdCreateFromIPP` causes root cupsd crash via negative `job-password-supported`
Weaknesses CWE-191
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Openprinting Cups
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:34:19.683Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39314

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T17:16:37.073

Modified: 2026-04-16T18:13:32.090

Link: CVE-2026-39314

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T16:59:23Z

Links: CVE-2026-39314 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:47:34Z

Weaknesses