CVE Vulnerability Database

CVE-2026-4682: HP DeskJet All in One RCE Vulnerability

CVE-2026-4682 is a remote code execution vulnerability in HP DeskJet All in One devices caused by improper validation of WSD scan requests. This post covers the technical details, affected versions, impact, and mitigation.


CVE-2026-4682 Overview

CVE-2026-4682 is a stack-based buffer overflow [CWE-121] affecting certain HP DeskJet All-in-One multifunction printers (MFPs). The vulnerability resides in the device's handling of Web Services for Devices (WSD) scan requests. An attacker on the adjacent network can send a specially crafted WSD scan request that the MFP fails to validate properly, corrupting memory and enabling remote code execution on the device firmware.

WSD Scan is a Microsoft Windows–based network scanning protocol that lets a PC discover scanners and MFPs on a network without vendor-specific drivers. The vulnerability requires no authentication or user interaction.

Critical Impact

An unauthenticated attacker on the local network segment can achieve remote code execution on affected HP DeskJet MFPs by sending malformed WSD scan requests.

Affected Products

  • Certain HP DeskJet All-in-One MFP devices (see the HP Support Document for the full model and firmware list)
  • Devices with WSD Scan service enabled on the network
  • HP MFP firmware versions prior to the vendor-supplied fix

Discovery Timeline

  • 2026-04-15 - CVE-2026-4682 published to the National Vulnerability Database
  • 2026-04-17 - Last updated in the NVD

Technical Details for CVE-2026-4682

Vulnerability Analysis

The flaw is a stack-based buffer overflow classified under [CWE-121]. The MFP exposes a WSD service that accepts SOAP-based scan requests over HTTP, typically on TCP port 3911 or a vendor-defined port. The service parses incoming WSD request fields and copies attacker-controlled data into a fixed-size stack buffer without enforcing length checks.

When the request exceeds the expected boundary, adjacent stack memory — including saved return addresses or function pointers — is overwritten. The corrupted control data is later dereferenced, redirecting execution to attacker-supplied content. Because the WSD listener runs as a privileged firmware process, successful exploitation yields code execution within the printer's control plane.

The attack vector is Adjacent Network, meaning the attacker must be on the same broadcast domain or routable LAN segment as the printer. No credentials are required and the user does not need to interact with the device.

Root Cause

The MFP's WSD request handler performs an unbounded copy of attacker-controlled fields from a SOAP scan request into a stack buffer. The parser does not validate length or structure before the copy operation, allowing the buffer boundary to be exceeded.

Attack Vector

An attacker scans the local network for printers advertising WSD via WS-Discovery multicast on 239.255.255.250:3702. After identifying a vulnerable HP DeskJet MFP, the attacker sends a crafted WSD scan request with oversized scan job parameters or malformed XML element values. The malformed payload overflows the stack buffer in the WSD handler, hijacks control flow, and runs attacker-supplied instructions on the device.

The vulnerability mechanism is documented in the HP Support Document. No verified public proof-of-concept code is available at the time of writing.

Detection Methods for CVE-2026-4682

Indicators of Compromise

  • Unexpected outbound network connections originating from HP DeskJet MFP IP addresses, particularly to external hosts or non-standard ports.
  • Anomalous WSD traffic patterns, including oversized SOAP envelopes or malformed XML directed at printer WSD endpoints.
  • Printer firmware crashes, spontaneous reboots, or unexplained service restarts in device logs.
  • New or unauthorized firmware versions reported by the device's management interface.

Detection Strategies

  • Inspect WSD scan request payloads at the network layer for oversized element values and non-conformant SOAP structures.
  • Baseline normal printer traffic and alert on deviations such as printers initiating connections to workstations or the internet.
  • Use network IDS signatures that flag malformed WS-Discovery and WSD scan SOAP messages targeting TCP printer service ports.
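The first two strategies above can be prototyped as a small payload inspector. The following is an added example written for this page, not code from HP or from the advisory: it parses a WSD scan SOAP request and flags oversized element or attribute values, excessive nesting, and non-conformant SOAP structure. The length and depth thresholds and the two sample messages are constructed assumptions, not values taken from HP.

```python
# Added example (not HP's code): inspect a WSD scan SOAP request for the
# conditions the detection guidance names. Thresholds and samples are assumed.
import xml.etree.ElementTree as ET

SOAP12_ENV = "{http://www.w3.org/2003/05/soap-envelope}Envelope"
MAX_VALUE_LEN = 256   # assumed sane upper bound for a scan-ticket field
MAX_DEPTH = 32        # assumed sane nesting depth for a scan request

def inspect_wsd_request(payload: bytes) -> list:
    """Return a list of finding strings; an empty list means the request looks conformant."""
    findings = []
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]          # non-conformant structure
    if root.tag != SOAP12_ENV:
        findings.append(f"root is not a SOAP 1.2 Envelope: {root.tag}")
    # Walk every element iteratively, tracking depth, and bound each value length
    stack = [(root, 1)]
    while stack:
        elem, depth = stack.pop()
        if depth > MAX_DEPTH:
            findings.append(f"nesting depth {depth} exceeds {MAX_DEPTH}")
            continue                               # do not descend further
        text = (elem.text or "").strip()
        if len(text) > MAX_VALUE_LEN:
            findings.append(f"oversized value in <{elem.tag}>: {len(text)} bytes")
        for name, value in elem.attrib.items():
            if len(value) > MAX_VALUE_LEN:
                findings.append(f"oversized attribute {name} on <{elem.tag}>: {len(value)} bytes")
        stack.extend((child, depth + 1) for child in elem)
    return findings

# Constructed sample: a plausible CreateScanJob-style request with a short job name
GOOD = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:sc="http://schemas.microsoft.com/windows/2006/08/wdp/scan">
  <s:Body><sc:CreateScanJobRequest><sc:ScanTicket><sc:JobDescription>
    <sc:JobName>quarterly-report</sc:JobName>
  </sc:JobDescription></sc:ScanTicket></sc:CreateScanJobRequest></s:Body>
</s:Envelope>"""

# Constructed sample: the same request with a job name far beyond any sane length
BAD = GOOD.replace(b"quarterly-report", b"A" * 4096)

if __name__ == "__main__":
    print(inspect_wsd_request(GOOD))   # []
    print(inspect_wsd_request(BAD))    # one 'oversized value' finding
```

Run the same function over payloads captured from a port mirror of the printer VLAN to alert before a request of this shape reaches the WSD listener.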

Monitoring Recommendations

  • Centralize printer syslog and SNMP trap data in a SIEM and correlate device reboots with WSD traffic spikes.
  • Monitor switch port mirror traffic for printers to identify lateral movement attempts originating from compromised MFPs.
  • Track firmware version inventory continuously and alert on unauthorized changes.

How to Mitigate CVE-2026-4682

Immediate Actions Required

  • Apply the HP firmware update referenced in the HP Support Document to all affected DeskJet MFP devices.
  • Disable the WSD Scan service on the MFP if scanning over WSD is not required for business operations.
  • Place printers on a segmented VLAN that restricts access to authorized print servers and workstations only.
  • Block inbound WSD discovery and scan traffic from untrusted network segments at the firewall and switch ACL layers.

Patch Information

HP has published firmware updates and configuration guidance in the HP Support Document. Administrators should consult the advisory for the specific firmware version that resolves CVE-2026-4682 on each affected DeskJet model. Apply updates through the HP Smart application, the device's Embedded Web Server, or HP's enterprise fleet management tools.

Workarounds

  • Disable WSD Scan from the printer's Embedded Web Server under Network → Advanced settings if patching is not immediately possible.
  • Restrict the printer's management network to a dedicated VLAN with strict ingress filtering on TCP/UDP printer service ports.
  • Block WS-Discovery multicast (239.255.255.250:3702) at network boundaries to prevent unauthorized discovery from adjacent segments.
  • Require IPsec or 802.1X authentication on printer-attached switch ports to limit who can reach the WSD listener.
```bash
# Example: block WSD discovery and scan ports at a Linux gateway
# WS-Discovery multicast probes (UDP 3702)
iptables -A FORWARD -p udp --dport 3702 -j DROP
# WSD scan service (TCP 3911, as referenced above; adjust for vendor-defined ports)
iptables -A FORWARD -p tcp --dport 3911 -j DROP
# Any traffic addressed to the WS-Discovery multicast group
iptables -A FORWARD -d 239.255.255.250 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
