Tag Archives: CUPS

April Linux Patch Wednesday

April Linux Patch Wednesday. In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many as in March. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 affected products. Notably, two vulnerabilities show evidence of active exploitation in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). Remote code execution is possible via the Jolokia API (/api/jolokia/) with no authentication required. The vulnerability remained hidden in the codebase for 13 years before being discovered using AI. Listed in the CISA KEV since April 16. Numerous exploits are available on GitHub.

🔻 RCE - Chromium (CVE-2026-5281). A use-after-free vulnerability in Dawn (Chromium's graphics layer and WebGPU implementation) affects Google Chrome versions prior to 146.0.7680.178. A remote attacker who has gained control of the rendering process can execute arbitrary code via a specially crafted HTML page. Listed in the CISA KEV since April 1.

Public exploits are available, or signs of their existence have been observed, for another 133 (❗️) vulnerabilities. The most notable ones, in my opinion:

🔸 RCE - Cockpit (CVE-2026-4631). Cockpit is a web‑based tool for server administration in Linux systems, enabling users to manage servers, containers, storage, and network configurations through a browser interface. An attacker with network access to the Cockpit web service can send a single HTTP request to the login page, injecting malicious SSH options or commands and executing code on the Cockpit server - all without valid credentials.

🔸 RCE - CUPS (CVE-2026-34990 + CVE-2026-34980). CUPS (Common UNIX Printing System) is a printing system for Unix‑like operating systems, including Linux and macOS. A chain of these vulnerabilities allows a remote attacker without authentication to overwrite files with root permissions over the network, effectively gaining root access on a typical Linux system.

🔸 RCE - KVM Tool (CVE-2021-45464). KVM Tool is a lightweight tool for running virtual machines based on KVM (Kernel‑based Virtual Machine) in Linux. KVM Tool prior to commit 39181fc contains an out‑of‑bounds write vulnerability, allowing a guest OS user to execute arbitrary code on the host machine.

🔸 PathTrav - tar (npm) (CVE-2026-31802, CVE-2026-24842). Prior to version 7.5.11, the npm package allowed creating a symbolic link pointing outside the extraction directory, leading to file overwrites.

Other vulnerabilities worth paying attention to:

🔸 RCE - Handlebars (CVE-2026-33937), tiemu (CVE-2017-20225), Netwide Assembler (CVE-2026-6067), openexr (CVE-2026-34545), Axios (CVE-2026-40175), hdf5 (CVE-2026-29043)
🔸 CodeInj - GLPI (CVE-2025-66417), glances (CVE-2026-30930, CVE-2026-32611), Handlebars (CVE-2026-33938, CVE-2026-33940), dynaconf (CVE-2026-33154), icalendar (CVE-2026-33635)
🔸 SFB - ormar (CVE-2026-27953), cpp-httplib (CVE-2026-34441), Safari (CVE-2026-20643), rack (CVE-2026-34835), wolfssl (CVE-2026-5194), Traefik (CVE-2026-32695), glances (CVE-2026-32632, CVE-2026-32634), Vert.x-Web (CVE-2026-1002), ecdsa (CVE-2026-33936), glibc (CVE-2026-4438), incus (CVE-2026-33542), Mongoose (CVE-2026-2968)
🔸 AuthBypass - scitokens_cpp_library (CVE-2026-32725, CVE-2026-32726), Node.js pbkdf2 (CVE-2026-32633), rack-session (CVE-2026-39324), Traefik (CVE-2026-33433), grpc (CVE-2026-33186), nltk (CVE-2026-33231)
🔸 ArbFileWrite - Rust (CVE-2026-33056)
🔸 CmdInj - Netty (CVE-2026-33870), awstats (CVE-2025-63261)
🔸 EoP - Keycloak (CVE-2026-4636), QEMU (CVE-2026-33711), glances (CVE-2026-33641)

🗒 Full Vulristics report

December Linux Patch Wednesday

December Linux Patch Wednesday. In December, Linux vendors began fixing 650 vulnerabilities, roughly the same as in November. Of these, 399 are in the Linux Kernel. No vulnerabilities with signs of in-the-wild exploitation were detected.

For 29 vulnerabilities, public exploits are available or there are indications of their existence. The following can be highlighted:

🔸 RCE - JupyterLab Extension Template (CVE-2024-39700), fontTools (CVE-2025-66034), Cacti (CVE-2025-66399), CUPS (CVE-2025-64524)
🔸 XXE - Apache Tika (CVE-2025-66516)
🔸 SQLi - phpPgAdmin (CVE-2025-60797, CVE-2025-60798)
🔸 AuthBypass - cpp-httplib (CVE-2025-66570)
🔸 OpenRedirect - Chromium (CVE-2024-13983)

🗒 Full Vulristics report

September Linux Patch Wednesday

September Linux Patch Wednesday. In September, Linux vendors began addressing 748 vulnerabilities, slightly fewer than in August. Of these, 552 are in the Linux Kernel. The share of Linux Kernel vulnerabilities is growing! One vulnerability shows signs of being actively exploited (CISA KEV):

🔻 MemCor - Chromium (CVE-2025-10585). Public exploits are available.

For 63 (❗️) vulnerabilities, public exploits are available or there are signs they exist. Notable ones include:

🔸 RCE - CivetWeb (CVE-2025-55763), ImageMagick (CVE-2025-55298), Asterisk (CVE-2025-49832), libbiosig (CVE-2025-46411 and 22 other CVEs), sail (CVE-2025-32468 and 7 other CVEs)
🔸 AuthBypass - OAuth2 Proxy (CVE-2025-54576), CUPS (CVE-2025-58060)
🔸 EoP - UDisks (CVE-2025-8067)
🔸 SQLi - Django (CVE-2025-57833)
🔸 SFB - CUPS (CVE-2025-58364)

🗒 Full Vulristics report

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks.

Researchers from Akamai Technologies wrote about this. An attacker can send a special packet to a vulnerable host with CUPS: "add a printer located at this IP address". CUPS will then start sending large IPP/HTTP requests to the specified IP address. Thus, an attacker can direct a whole fleet of vulnerable hosts to DDoS IP addresses of their choosing.

Akamai has discovered more than 198,000 vulnerable hosts with CUPS, of which more than 58,000 (34%) can be used for DDoS attacks. Of these, hundreds demonstrated an "infinite loop" of requests in response to HTTP/404.

Assuming all 58,000+ vulnerable hosts are used in an attack, they could generate 1 GB to 6 GB of traffic per UDP packet sent by the attacker, and the victim would have to handle 2.6 million TCP connections and HTTP requests.

About Remote Code Execution - CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

About Remote Code Execution - CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities. On September 26, researcher Simone Margaritelli (evilsocket) disclosed 4 vulnerabilities of the CUPS print server for Linux systems (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed, libcupsfilters, libppd and cups-filters components.

The vulnerability chain allows a remote unauthenticated attacker to silently replace existing printer IPP URLs with malicious ones by sending special packets to 631/UDP. Then, when a print job is initiated, an RCE occurs. Mass exploitation is possible in local networks via mDNS or DNS-SD.

The OpenPrinting/cups-browsed bulletin contains a PoC of the exploit.

How many potentially vulnerable hosts are accessible from the Internet?
🔻 According to Qualys and Rapid7 estimates - 75,000.

No patches yet. 🤷‍♂️ So, let's wait, check network access, and disable cups-browsed where it is not needed.
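The check suggested above (is cups-browsed reachable on 631/UDP, the listener the Akamai DDoS amplification post also relies on), as an added example that is not part of the original posts: a POSIX shell script that classifies a host from `ss -ulnp` output and cups-browsed.conf text. BrowseRemoteProtocols is the real cups-browsed directive; the sample outputs, process names and the assumption that a missing directive means the default "dnssd cups" are mine, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): classify a host's exposure to the
# cups-browsed 631/UDP attack surface from `ss -ulnp` output and cups-browsed.conf.
# Samples are constructed; BrowseRemoteProtocols is the real cups-browsed directive;
# treating a missing directive as "dnssd cups" (legacy browsing on) is an assumption.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=401,fd=13))'
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=401,fd=13))'
SAMPLE_CONF_DEFAULT='BrowseRemoteProtocols dnssd cups'
SAMPLE_CONF_HARDENED='# legacy UDP/631 browsing and DNS-SD discovery both off
BrowseRemoteProtocols none'

# 0 when some process is bound to UDP port 631 on a non-loopback address.
udp631_listener() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" && $4 ~ /:631$/ && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Name of the process owning the 631/UDP socket, or "unknown".
udp631_owner() {
    printf '%s\n' "$1" | awk '
        BEGIN { name = "unknown" }
        $1 == "UNCONN" && $4 ~ /:631$/ && match($0, /\(\("[^"]+"/) { name = substr($0, RSTART + 3, RLENGTH - 4) }
        END { print name }'
}

# 0 when the legacy "cups" browse protocol (the UDP/631 broadcast listener) is enabled.
legacy_cups_browsing_enabled() {
    printf '%s\n' "$1" | awk '
        BEGIN { enabled = 1 }          # assumed default: dnssd cups
        $1 ~ "^#" { next }             # skip comment lines
        tolower($1) == "browseremoteprotocols" { enabled = 0; for (i = 2; i <= NF; i++) if (tolower($i) == "cups") enabled = 1 }
        END { exit(enabled ? 0 : 1) }'
}

# One-line verdict. Remediation: systemctl stop cups-browsed; systemctl disable
# cups-browsed; or set "BrowseRemoteProtocols none" and restart the service.
assess() {
    if udp631_listener "$1"; then
        echo "EXPOSED: $(udp631_owner "$1") bound to 631/UDP"
    elif legacy_cups_browsing_enabled "$2"; then
        echo "AT-RISK: legacy cups browsing enabled in config"
    else
        echo "OK: no 631/UDP listener, legacy cups browsing disabled"
    fi
}
```

On a real host, feed it `"$(ss -ulnp)"` and `"$(cat /etc/cups/cups-browsed.conf)"` instead of the constructed samples.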