CVE-2026-39316
Received Received - Intake
Use-After-Free in OpenPrinting CUPS Scheduler Causes DoS, RCE

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-05-07
AI Q&A
2026-04-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-39316
EUVD
EUVD-2026-19806
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openprinting cups to 2.4.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The CVE-2026-39316 vulnerability in CUPS primarily causes denial of service and potential local code execution due to a use-after-free flaw in the scheduler when deleting temporary printers. It does not directly impact confidentiality or integrity of data.

Since the vulnerability does not involve unauthorized data access, disclosure, or modification, it does not inherently violate data protection requirements of standards like GDPR or HIPAA.

However, the denial of service caused by the crash of the cupsd daemon could affect availability, which is a component of many compliance frameworks. Organizations relying on CUPS for printing services might experience service disruption, potentially impacting operational continuity.

There is no explicit mention in the provided resources about compliance impact or mitigation steps related to regulatory standards.


Can you explain this vulnerability to me?

CVE-2026-39316 is a use-after-free vulnerability in the CUPS scheduler (cupsd) affecting versions up to 2.4.16. It occurs when temporary printers are deleted without first expiring subscriptions that reference them. This leads to dangling pointers in subscription structures pointing to freed memory.

Specifically, the function cupsdDeleteTemporaryPrinters() deletes temporary printers by calling cupsdDeletePrinter() without expiring subscriptions first. As a result, subscriptions still reference freed printer memory, which is later dereferenced, causing crashes (denial of service).

Because the scheduler is single-threaded and heap allocations are predictable, an attacker can manipulate heap memory to reuse the freed printer structure, potentially controlling function pointers and achieving arbitrary code execution.


How can this vulnerability impact me? :

This vulnerability can cause the cupsd daemon to crash, resulting in denial of service and loss of printing services until the daemon is manually restarted.

If the cupsd daemon is configured to auto-restart, the crash can loop indefinitely, causing persistent service disruption.

Additionally, due to deterministic heap reuse and function pointer dereferencing, an attacker with local access can potentially execute arbitrary code with the privileges of the cupsd daemon.

The vulnerability requires local access to the cupsd socket, which by default allows unauthenticated localhost users to create printers and subscriptions, making exploitation feasible on affected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a use-after-free crash in the CUPS scheduler daemon (cupsd) when temporary printers with active subscriptions are deleted. Detection involves monitoring for cupsd crashes or denial of service symptoms related to printing services.

A proof of concept involves creating a temporary printer with a subscription and triggering the scheduler loop to delete it, causing the crash. While no specific detection commands are provided, administrators can monitor cupsd logs for crashes or restart loops.

Since the vulnerability requires local access to the cupsd socket and involves printer and subscription creation, commands to check printer and subscription configurations or to monitor cupsd daemon status may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

There is no configuration-level workaround available to fully mitigate this vulnerability.

Immediate mitigation steps include restricting access to printer creation and subscription operations by enabling authentication in the cupsd.conf configuration file. This limits unauthenticated localhost access, which is the default and allows exploitation.

Administrators should monitor for updates or patches from the OpenPrinting project that fix the issue by ensuring subscriptions are expired before deleting printers.

Until a patch is applied, consider limiting local user access to the cupsd socket to trusted users only.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart