Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
Published: 2026-04-07
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

OpenPrinting CUPS contains a use‑after‑free bug in the function that deletes temporary printers. When cupsdDeleteTemporaryPrinters() frees a printer without expiring subscriptions that reference it, the subscription structure holds a dangling pointer to freed heap memory. Subsequent dereferences of that pointer crash the cups daemon, resulting in a denial of service. With carefully orchestrated heap grooming, this dangling reference can be leveraged for code execution, thereby elevating the threat beyond a simple crash.

Affected Systems

The vulnerability affects installations of OpenPrinting CUPS version 2.4.16 and earlier on Linux and other Unix‑like operating systems. Any system that uses temporary printers that can be automatically deleted is impacted, as the flaw resides in the cups daemon’s scheduler component.

Risk and Exploitability

The CVSS score of 4 indicates a moderate severity. The EPSS score is unavailable and the flaw is not listed in CISA’s KEV catalog. The likely attack vector is local or privileged; an attacker who can create or delete temporary printers can trigger the use‑after‑free, which then causes a crash. Remote exploitation for code execution would require further steps such as heap grooming and privileged access, making it less straightforward to automate.

Generated by OpenCVE AI on April 8, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenPrinting CUPS to the latest release (2.4.17 or later) which fixes the delete‑temporary‑printer bug.
  • Disable the automatic deletion of temporary printers until a patch is applied.
  • Restrict printer creation and deletion to trusted users only.
  • Monitor cups daemon logs for unexpected crashes and apply the vendor patch promptly.



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting
Openprinting cups
Vendors & Products Openprinting
Openprinting cups

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
Title CUPS has a use-after-free in `cupsdDeleteTemporaryPrinters` via dangling subscription pointer
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:42:40.861Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39316

Vulnrichment

Updated: 2026-04-09T15:42:32.655Z

NVD

Status: Analyzed

Published: 2026-04-07T17:16:37.230

Modified: 2026-04-16T18:08:46.140

Link: CVE-2026-39316

Red Hat

Severity: Moderate

Public Date: 2026-04-07T17:00:26Z

Links: CVE-2026-39316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:47:33Z

Weaknesses