CVE-2026-39047 Overview
CVE-2026-39047 is a stack-based buffer overflow [CWE-121] affecting the EPSON L14150 multifunction printer running firmware FL27PB. The flaw resides in the RAW Printing Service, commonly known as JetDirect, which listens on TCP port 9100. A remote attacker can send a crafted print job to the exposed port and trigger memory corruption in the printer firmware. Successful exploitation causes the device to crash and stop processing print jobs, producing a denial-of-service condition. The CVSS vector indicates that exploitation requires no authentication, no user interaction, and can be performed across the network. The advisory describes potential arbitrary code execution, though the published impact metrics focus on availability loss.
Critical Impact
Unauthenticated remote attackers reachable on TCP/9100 can crash the printer and potentially execute arbitrary code in firmware context, disrupting print services across the network.
Affected Products
- EPSON L14150 multifunction printer
- Firmware version FL27PB
- Any deployment exposing the RAW Printing Service (JetDirect) on TCP port 9100
Discovery Timeline
- 2026-05-20 - CVE-2026-39047 published to the National Vulnerability Database
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39047
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow [CWE-121] in the firmware routine that handles incoming print data on TCP port 9100. JetDirect, also referred to as the RAW Printing Service, accepts unstructured print streams without any session authentication. When the firmware copies attacker-controlled data into a fixed-size stack buffer, it fails to validate the input length. The overflow corrupts adjacent stack memory, including saved return addresses and control structures used by the print spooler task.
The attack is network-reachable and requires no privileges or user interaction. Confidentiality and integrity impacts are reported as none, while availability impact is high. In practice, this means the most reliable outcome is a firmware crash and printer reboot loop. The advisory text notes that arbitrary code execution is possible, which would depend on the firmware's memory protections and the attacker's ability to bypass them.
Root Cause
The root cause is missing bounds checking on data read from the JetDirect socket before it is written into a stack buffer. The firmware treats the print stream as trusted and copies bytes until a terminator or session close, allowing an attacker to write past the buffer boundary into saved control data.
Attack Vector
An attacker establishes a TCP connection to port 9100 on the target printer and sends an oversized RAW print payload. No PJL or PostScript dialect is required because the vulnerable path executes before higher-level parsing. The vulnerability manifests on the network-facing print service. Refer to the GitHub CVE-PORT-9100 Repository and the GitHub Gist Example for technical details published by the reporter.
Detection Methods for CVE-2026-39047
Indicators of Compromise
- Printer becomes unresponsive, reboots unexpectedly, or stops accepting jobs after receiving network traffic on TCP/9100
- Unsolicited inbound TCP connections to port 9100 from hosts that are not authorized print servers
- Long or malformed payloads sent to the JetDirect service from internal or external sources
Detection Strategies
- Inspect network flow records for connections to TCP/9100 originating outside the print server VLAN or from untrusted segments
- Alert on TCP/9100 sessions containing payloads that exceed normal print job size envelopes or that arrive without prior IPP or LPD negotiation
- Correlate printer SNMP availability traps with concurrent connections to port 9100 to identify exploitation attempts
Monitoring Recommendations
- Enable NetFlow or IPFIX on switches serving printer subnets to baseline TCP/9100 traffic patterns
- Forward printer syslog and SNMP events to a central log platform to catch crash and reboot loops
- Add an IDS signature for oversized RAW print payloads targeting EPSON L14150 devices on firmware FL27PB
How to Mitigate CVE-2026-39047
Immediate Actions Required
- Block inbound TCP/9100 at perimeter firewalls and restrict the port to authorized print servers only via internal ACLs
- Place affected EPSON L14150 devices on an isolated printer VLAN with no direct user or internet access
- Disable the RAW Printing Service on the printer if IPP or LPD can be used instead for production printing
- Inventory all EPSON L14150 units and confirm firmware level to identify devices running FL27PB
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Monitor the EPSON support portal for firmware updates that supersede FL27PB and apply them once available. Until a fixed firmware build is released, network segmentation and access control are the primary mitigations.
Workarounds
- Restrict TCP/9100 access using host firewalls or upstream ACLs so that only the designated print server can reach the printer
- Route all print jobs through a hardened print server that validates job size and source, rather than allowing direct client-to-printer printing
- Disable JetDirect or RAW printing in the printer's administrative web interface where business workflows allow
# Example ACL restricting TCP/9100 to a single print server
# Replace PRINT_SERVER_IP and PRINTER_IP with your environment values
iptables -A FORWARD -p tcp -s PRINT_SERVER_IP -d PRINTER_IP --dport 9100 -j ACCEPT
iptables -A FORWARD -p tcp -d PRINTER_IP --dport 9100 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
