Skip to content

cups: Local denial-of-service via cupsd.conf update and related issues

Moderate
zdohnal published GHSA-hxm8-vfpq-jrfc Nov 27, 2025

Package

cups (unix)

Affected versions

2.4.14 and older

Patched versions

2.4.15

Description

Summary

A user in the lpadmin group can use the cups web ui to change the config and insert a malicious line.
Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write.

Details

The function get_addr_and_mask parses incorrectly ipv6 addresses.
Then in the code scheduler/conf.c:1897 :

if (i & 1)
   ip[i / 2] |= ipval;
else
   ip[i / 2] |= ipval << 16;

The attacker can make i be whatever negative value he wants, and ipval whatever hex number he wants.
We can control i with the number of : in the ipv6 address. There seems to be no limit to the number of : we can use.
And we control ipval with the actual numbers in the ipv6 address.
The out-of-bounds write isn't a single write, as all the numbers in the ipv6 address will be written.
image

PoC

  1. Create a linux machine. I used Ubuntu 24.04.2 LTS
  2. Create a user and add it to lpadmin group.
  3. build the cups with address sanitizers
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g -O1" CXXFLAGS="-fsanitize=address -g -O1" LDFLAGS="-fsanitize=address" ./configure
make -j$(nproc)
make install
  1. In a <Location /> tag of the cupsd.conf add the malicious ipv6 address.
image

Allow from [::2:3:6:9:c:::::::::::::4::::::::::::::::::::::3

  1. run ./cupsd -c /path/to/malicious/cupsd.conf -t

While debugging the poc, you can see that the attacker can completely control the i and ipval values.
image

Impact

A user in lpadmin group can do cause cupsd to do a stack based out-of-bound write.
This can potentially cause Dos or privilege escalation.
If the config allows us to control the cupsd.conf of remote machine's via the UI, this can potentially cause an RCE.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2025-61915

Weaknesses

Buffer Underwrite ('Buffer Underflow')

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. Learn more on MITRE.

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. Learn more on MITRE.

Credits