CVE-2026-41079 Overview
CVE-2026-41079 is an out-of-bounds read vulnerability in OpenPrinting CUPS, the open source printing system for Linux and other Unix-like operating systems. A network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface.
Critical Impact
Network-adjacent attackers can exploit this vulnerability to leak sensitive stack memory contents (up to 176 bytes) through printer supply description strings, potentially exposing sensitive data to authenticated users.
Affected Products
- OpenPrinting CUPS versions prior to 2.4.17
Discovery Timeline
- 2026-04-24 - CVE-2026-41079 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41079
Vulnerability Analysis
This vulnerability exists in the SNMP backend of OpenPrinting CUPS, specifically in how SNMP string values are processed. The flaw occurs when handling SNMP responses from network-adjacent devices, where insufficient bounds checking on the num_bytes parameter allows reading beyond the allocated stack buffer.
The vulnerability is classified as CWE-125 (Out-of-Bounds Read). When exploited, the CUPS SNMP backend reads up to 176 bytes beyond the intended buffer boundary. This data undergoes UTF-16 to UTF-8 conversion and is stored as printer supply description strings. These strings become accessible to authenticated users through IPP Get-Printer-Attributes responses and the CUPS web interface, creating an information disclosure channel.
The attack requires network adjacency (same local network segment), meaning remote exploitation over the internet is not directly possible without additional network access.
Root Cause
The root cause is improper bounds checking when processing SNMP string values in the CUPS SNMP backend. The num_bytes parameter for SNMP string values was not properly limited, allowing the backend to read beyond the allocated stack buffer when processing maliciously crafted SNMP responses.
Attack Vector
The attack requires network-adjacent access to send crafted SNMP responses to a vulnerable CUPS installation. An attacker on the same network segment can:
- Intercept or respond to SNMP queries from the CUPS backend
- Send a specially crafted SNMP response with malformed string length parameters
- Trigger the out-of-bounds read, causing stack memory to be copied into printer supply description strings
- The leaked memory becomes visible to authenticated users through IPP queries or the web interface
The following patch from the security fix shows the changes made to address this vulnerability:
/*
* SNMP functions for CUPS.
*
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
* Copyright © 2007-2019 by Apple Inc.
* Copyright © 2006-2007 by Easy Software Products, all rights reserved.
*
Source: GitHub Commit Fix
The fix introduces proper bounds checking to limit num_bytes for SNMP string values, preventing the out-of-bounds read condition.
Detection Methods for CVE-2026-41079
Indicators of Compromise
- Unusual or unexpected content in printer supply description strings that may contain binary data or memory artifacts
- Anomalous SNMP traffic patterns on the local network targeting CUPS servers
- Printer attributes containing non-printable or garbled characters in supply descriptions
- Unexpected IPP Get-Printer-Attributes queries from unauthorized users
Detection Strategies
- Monitor SNMP traffic for malformed or suspiciously large SNMP responses targeting port 161 UDP
- Implement network segmentation to isolate print servers and limit SNMP exposure
- Review CUPS logs for unusual printer discovery activity or SNMP backend errors
- Deploy network intrusion detection rules to identify crafted SNMP packets
Monitoring Recommendations
- Enable detailed logging for the CUPS SNMP backend and monitor for parsing errors
- Implement alerting on unusual IPP Get-Printer-Attributes request patterns
- Monitor for changes in printer supply description strings that contain unexpected binary or non-printable data
- Track network-adjacent hosts querying CUPS services
How to Mitigate CVE-2026-41079
Immediate Actions Required
- Upgrade OpenPrinting CUPS to version 2.4.17 or later immediately
- Disable SNMP printer discovery if not required for your environment
- Implement network segmentation to restrict adjacent network access to CUPS servers
- Review and restrict access to the CUPS web interface and IPP endpoints
Patch Information
OpenPrinting has released version 2.4.17 which addresses this vulnerability. The fix properly limits the num_bytes parameter for SNMP string values, preventing the out-of-bounds read condition. Security patches are available in the following commits:
For complete details, see the GitHub Security Advisory.
Workarounds
- Disable SNMP printer discovery by configuring CUPS to not use the SNMP backend for printer detection
- Implement firewall rules to block SNMP traffic (UDP port 161) to CUPS servers from untrusted network segments
- Restrict network adjacency by placing CUPS servers on isolated VLANs with controlled access
- Limit authentication to the CUPS web interface and IPP endpoints to reduce information exposure
# Configuration example - Disable SNMP backend discovery
# Edit /etc/cups/cups-browsed.conf and set:
BrowseProtocols none
# Or specifically exclude SNMP:
# Restart CUPS after configuration changes
sudo systemctl restart cups
sudo systemctl restart cups-browsed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
