SB2026041116 - Multiple vulnerabilities in OpenPrinting CUPS
Published: April 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-39316)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to use-after-free in cupsdDeleteTemporaryPrinters() in scheduler/printers.c when deleting temporary printers that still have subscriptions referencing them. A local user can create a temporary printer with a subscription and trigger dereference of the dangling subscription pointer to execute arbitrary code.
The dangling pointer is subsequently dereferenced at multiple code sites in the scheduler, and the advisory confirms denial of service with potential code execution through heap grooming.
2) Integer underflow (CVE-ID: CVE-2026-39314)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer underflow in _ppdCreateFromIPP() in cups/ppd-cache.c when processing a negative job-password-supported IPP attribute. A local user can supply a crafted IPP response to cause a denial of service.
Exploitation involves creating a local printer that points to a fake IPP printer on localhost, causing the cupsd root process to crash.
3) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in cupsdSetPrinterAttr() marker-types parsing in scheduler/printers.c when parsing marker-types attribute values that end with a trailing hyphen character. A local user can provide a specially crafted marker-types value to cause a denial of service.
Exploitation can occur through a malicious backend or a compromised printer supplying crafted IPP attributes.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.