CVE-2026-39314
Integer Underflow in OpenPrinting CUPS Causes Root Process Crash

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|---|---|---|
| openprinting | cups | to 2.4.16 (inc) |
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-39314 is an integer underflow vulnerability in the CUPS printing system, specifically in the function _ppdCreateFromIPP() within cups/ppd-cache.c, affecting versions up to 2.4.16.

The vulnerability occurs when the function processes the IPP attribute job-password-supported, which should be a non-negative integer indicating the maximum password length. However, the code only checks if the value is below an upper bound (32) but does not check if it is negative.

If a negative value is supplied, it passes the upper-bound check and is cast to an unsigned size_t type, causing an integer underflow that wraps the value to a very large positive number. This large number is then used as the length argument in a memset() call on a small 33-byte stack buffer, causing a buffer overflow and immediate crash (SIGSEGV) of the root cupsd daemon.

An unprivileged local user can exploit this by running a malicious IPP printer server on localhost that returns a negative job-password-supported value, then sending a CUPS-Create-Local-Printer request pointing to this fake printer. This triggers the crash repeatedly, causing a denial of service.
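
The upper-bound-only check described above, next to a version that also rejects negative values, as an added example (this is not CUPS source code). The function names, constant names and the `'*'` fill byte are assumptions; only the cap of 32 and the 33-byte buffer come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_BUF 33 /* 33-byte stack buffer named in the description */
#define PASSWORD_MAX 32 /* upper bound applied to job-password-supported */

/* Upper-bound-only check: a negative value is "not above 32", so it survives
 * the cap and wraps when converted to size_t. Returns the length that would
 * be handed to memset(); deliberately performs no write. */
size_t fill_len_upper_bound_only(int maxlen)
{
  if (maxlen > PASSWORD_MAX)
    maxlen = PASSWORD_MAX;
  return (size_t)maxlen;
}

/* Hardened form (illustrative): reject negatives, cap the upper bound, and
 * only then treat the value as an unsigned length. Returns 0 on success. */
int fill_len_checked(int maxlen, size_t *len)
{
  if (maxlen < 0)
    return -1;
  if (maxlen > PASSWORD_MAX)
    maxlen = PASSWORD_MAX;
  *len = (size_t)maxlen;
  return 0;
}

/* Fills the buffer only when the length is proven to fit.
 * Returns the bytes written, or -1 if the attribute value is rejected. */
int build_pattern(int maxlen, char out[PASSWORD_BUF])
{
  size_t len;
  if (fill_len_checked(maxlen, &len) != 0)
    return -1;
  memset(out, '*', len); /* '*' is an assumed fill byte */
  out[len] = '\0';
  return (int)len;
}

int main(void)
{
  char buf[PASSWORD_BUF];
  printf("unchecked length for -1: %zu\n", fill_len_upper_bound_only(-1));
  printf("checked result for -1:   %d\n", build_pattern(-1, buf));
  printf("checked result for 8:    %d (%s)\n", build_pattern(8, buf), buf);
  return 0;
}
```
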


How can this vulnerability impact me?

This vulnerability allows any unprivileged local user to cause an immediate and deterministic crash of the root cupsd daemon, which manages printing services.

The impact is a denial of service (DoS) on the printing system, as the cupsd process crashes and restarts repeatedly due to systemd's Restart=on-failure setting.

There is no remote exploit vector, so local access is required. The vulnerability does not allow remote code execution or privilege escalation, only availability disruption.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for repeated crashes or segmentation faults (SIGSEGV) in the cupsd root process, especially if the systemd service for cupsd is repeatedly restarting due to failures.

Since the vulnerability is triggered by a negative job-password-supported IPP attribute sent locally, detection involves checking for unusual or malicious IPP requests that include negative integer values for this attribute.

Suggested commands to detect signs of exploitation or vulnerability include:

  • Check the status and restart count of the cupsd service: `systemctl status cups` and `journalctl -u cups` to look for repeated crashes.
  • Use `grep` or similar tools to search cupsd logs for segmentation faults or crash messages.
  • Monitor local IPP traffic for suspicious attributes using packet capture tools like `tcpdump` or `wireshark` on localhost interface, filtering for IPP requests with the `job-password-supported` attribute.
  • Run a proof-of-concept test (if safe and in a controlled environment) by attempting to send a negative `job-password-supported` attribute in an IPP request to see if the cupsd process crashes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Restrict local user access to the cupsd socket to prevent unprivileged users from sending malicious IPP requests.
  • Avoid using the CUPS-Create-Local-Printer operation from untrusted local users or disable it if possible.
  • Apply any available patches or updates that add the necessary lower-bound checks to the `_ppdCreateFromIPP()` function to prevent negative values from causing underflow.
  • If patching is not immediately possible, consider temporarily stopping the cupsd service or running it with restricted permissions to reduce the impact of repeated crashes.
  • Monitor the cupsd service for crashes and restart loops to detect exploitation attempts.
