{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39316", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:00:26.801Z", "dateUpdated": "2026-04-09T15:42:40.861Z"}, "containers": {"cna": {"title": "CUPS has a use-after-free in `cupsdDeleteTemporaryPrinters` via dangling subscription pointer", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg"}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"version": "<= 2.4.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:00:26.801Z"}, "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution."}], "source": {"advisory": "GHSA-pjv5-prqp-46rg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:41:44.005836Z", "id": "CVE-2026-39316", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:42:40.861Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39316", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:41:44.005836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:42:32.655Z"}}], "cna": {"title": "CUPS has a use-after-free in `cupsdDeleteTemporaryPrinters` via dangling subscription pointer", "source": {"advisory": "GHSA-pjv5-prqp-46rg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"status": "affected", "version": "<= 2.4.16"}]}], "references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg", "name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:00:26.801Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39316", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:42:40.861Z", "dateReserved": "2026-04-06T19:31:07.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:00:26.801Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A2A4507-B2D7-43B8-B008-6EC2F5053FA9", "versionEndIncluding": "2.4.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution."}], "id": "CVE-2026-39316", "lastModified": "2026-04-16T18:08:46.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T17:16:37.230", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cups: CUPS: Denial of Service and potential arbitrary code execution via use-after-free vulnerability when deleting temporary printers.", "id": "2456120", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456120"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in CUPS, an open-source printing system. This vulnerability, known as a use-after-free, occurs in the CUPS scheduler when temporary printers are automatically removed. The system fails to properly manage memory, leaving a pointer to a freed memory location. An attacker could exploit this to cause the CUPS daemon to crash, leading to a denial of service. In more severe scenarios, this could potentially allow an attacker to execute arbitrary code."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to the CUPS daemon to only trusted hosts or localhost. This can be achieved by configuring firewall rules to block access to TCP port 631 from untrusted networks. For example, using `firewalld`:\n`sudo firewall-cmd --permanent --zone=public --remove-port=631/tcp`\n`sudo firewall-cmd --reload`\nAlternatively, configure CUPS to only listen on localhost by modifying the `Listen` directive in `/etc/cups/cupsd.conf` to `Listen localhost:631`. After modifying the configuration, the CUPS service must be restarted for changes to take effect, which may temporarily interrupt printing services:\n`sudo systemctl restart cups`"}, "name": "CVE-2026-39316", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-07T17:00:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39316\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39316\nhttps://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg"], "statement": "This Moderate impact vulnerability in CUPS arises from a use-after-free flaw within the scheduler when temporary printers are automatically deleted. Exploitation could lead to a denial of service of the CUPS daemon, and potentially arbitrary code execution. This affects Red Hat systems running CUPS where temporary printers are configured or utilized.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cups", "source": "cna", "vendor": "OpenPrinting"}, "product": "cups", "vendor": "openprinting"}], "analysis": {"en": {"generated_at": "2026-04-08T13:51:44.067549+00:00", "value": {"mitigation_remediation": ["Upgrade OpenPrinting CUPS to the latest release (2.4.17 or later) which fixes the delete\u2011temporary\u2011printer bug.", "Disable the automatic deletion of temporary printers until a patch is applied.", "Restrict printer creation and deletion to trusted users only.", "Monitor cups daemon logs for unexpected crashes and apply the vendor patch promptly."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of OpenPrinting CUPS version 2.4.16 and earlier on Linux and other Unix\u2011like operating systems. Any system that uses temporary printers that can be automatically deleted is impacted, as the flaw resides in the cups daemon\u2019s scheduler component.", "description_and_impact": "OpenPrinting CUPS contains a use\u2011after\u2011free bug in the function that deletes temporary printers. When cupsdDeleteTemporaryPrinters() frees a printer without expiring subscriptions that reference it, the subscription structure holds a dangling pointer to freed heap memory. Subsequent dereferences of that pointer crash the cups daemon, resulting in a denial of service. With carefully orchestrated heap grooming, this dangling reference can be leveraged for code execution, thereby elevating the threat beyond a simple crash.", "risk_and_exploitability": "The CVSS score of 4 indicates a moderate severity. The EPSS score is unavailable and the flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is local or privileged; an attacker who can create or delete temporary printers can trigger the use\u2011after\u2011free, which then causes a crash. Remote exploitation for code execution would require further steps such as heap grooming and privileged access, making it less straightforward to automate."}}}}, "created": "2026-04-08T19:36:30.384937+00:00", "updated": "2026-04-08T19:47:33.250479+00:00", "vendors": ["openprinting", "openprinting$PRODUCT$cups"]}