Medium severity4.3NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-41079


Description

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.

Affected products

1

Patches

2
b7c2525a885f

Limit num_bytes for SNMP string values.

https://github.com/OpenPrinting/cupsMichael R SweetApr 13, 2026via nvd-ref
2 files changed · +9 5
  • cups/snmp.c+6 2 modified
    @@ -1,7 +1,7 @@
     /*
      * SNMP functions for CUPS.
      *
    - * Copyright © 2020-2024 by OpenPrinting.
    + * Copyright © 2020-2026 by OpenPrinting.
      * Copyright © 2007-2019 by Apple Inc.
      * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
      *
    @@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer,	/* I - Buffer */
     	        case CUPS_ASN1_OCTET_STRING :
     	        case CUPS_ASN1_BIT_STRING :
     	        case CUPS_ASN1_HEX_STRING :
    -		    packet->object_value.string.num_bytes = length;
     		    asn1_get_string(&bufptr, bufend, length,
     		                    (char *)packet->object_value.string.bytes,
     				    sizeof(packet->object_value.string.bytes));
    +
    +                    if (length >= sizeof(packet->object_value.string.bytes))
    +		      packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
    +                    else
    +		      packet->object_value.string.num_bytes = length;
     	            break;
     
     	        case CUPS_ASN1_OID :
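Review bot: The new clamp bounds `num_bytes` by the destination size, but the value still comes from the ASN.1-declared `length` rather than from the number of bytes `asn1_get_string()` actually copied, and the call's return value is discarded. `asn1_get_string()` is not visible here; if it truncates the copy to the data remaining before `bufend`, a response that declares more bytes than the packet holds (but fewer than `sizeof(...bytes)`) would leave `num_bytes` larger than the copied data, and consumers would read stale bytes from the array. Assuming `length` is unsigned, as the comparison with `sizeof` suggests, I would bound it before the call with `if (length > (size_t)(bufend - bufptr)) length = (unsigned)(bufend - bufptr);`, or fail the decode when the call reports an error. The same applies to the identical hunk at `@@ -1014` in d7fe0f521ff3. `asn1_decode_snmp` begins and ends outside the hunk.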
    
  • cups/snmp-private.h+3 3 modified
    @@ -1,7 +1,7 @@
     /*
      * Private SNMP definitions for CUPS.
      *
    - * Copyright © 2020-2024 by OpenPrinting.
    + * Copyright © 2020-2026 by OpenPrinting.
      * Copyright © 2007-2014 by Apple Inc.
      * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
      *
    @@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t;	/**** ASN1 request/object types ****/
     
     typedef struct cups_snmp_string_s	/**** String value ****/
     {
    -  unsigned char	bytes[CUPS_SNMP_MAX_STRING];
    -					/* Bytes in string */
       unsigned	num_bytes;		/* Number of bytes */
    +  unsigned char	bytes[CUPS_SNMP_MAX_STRING + 1];
    +					/* Bytes in string */
     } cups_snmp_string_t;
     
     union cups_snmp_value_u			/**** Object value ****/
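Review bot: The comment on `bytes` still reads "Bytes in string" although the array now has one extra element, which the clamp in cups/snmp.c (`sizeof(...) - 1`) treats as reserved for a terminator. I would document that, e.g. `/* Bytes in string + nul */`, and say on `num_bytes` that it never exceeds `CUPS_SNMP_MAX_STRING`. The hunk also moves `num_bytes` ahead of `bytes` and grows the struct, so the layout of `cups_snmp_string_t` changes; if any code built against the old private header can run against the new library, the commit message should say so. The same remark applies to the matching hunk in d7fe0f521ff3.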
    
d7fe0f521ff3

Limit num_bytes for SNMP string values.

https://github.com/OpenPrinting/cupsMichael R SweetApr 13, 2026via nvd-ref
2 files changed · +9 5
  • cups/snmp.c+6 2 modified
    @@ -1,7 +1,7 @@
     /*
      * SNMP functions for CUPS.
      *
    - * Copyright © 2020-2024 by OpenPrinting.
    + * Copyright © 2020-2026 by OpenPrinting.
      * Copyright © 2007-2019 by Apple Inc.
      * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
      *
    @@ -1014,10 +1014,14 @@ asn1_decode_snmp(unsigned char *buffer,	/* I - Buffer */
     	        case CUPS_ASN1_OCTET_STRING :
     	        case CUPS_ASN1_BIT_STRING :
     	        case CUPS_ASN1_HEX_STRING :
    -		    packet->object_value.string.num_bytes = length;
     		    asn1_get_string(&bufptr, bufend, length,
     		                    (char *)packet->object_value.string.bytes,
     				    sizeof(packet->object_value.string.bytes));
    +
    +                    if (length >= sizeof(packet->object_value.string.bytes))
    +		      packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
    +                    else
    +		      packet->object_value.string.num_bytes = length;
     	            break;
     
     	        case CUPS_ASN1_OID :
    
  • cups/snmp-private.h+3 3 modified
    @@ -1,7 +1,7 @@
     //
     // Private SNMP definitions for CUPS.
     //
    -// Copyright © 2020-2024 by OpenPrinting.
    +// Copyright © 2020-2026 by OpenPrinting.
     // Copyright © 2007-2014 by Apple Inc.
     // Copyright © 2006-2007 by Easy Software Products, all rights reserved.
     //
    @@ -55,9 +55,9 @@ typedef enum cups_asn1_e cups_asn1_t;	// ASN1 request/object types
     
     typedef struct cups_snmp_string_s	// String value
     {
    -  unsigned char	bytes[CUPS_SNMP_MAX_STRING];
    -					// Bytes in string
       unsigned	num_bytes;		// Number of bytes
    +  unsigned char	bytes[CUPS_SNMP_MAX_STRING + 1];
    +					// Bytes in string
     } cups_snmp_string_t;
     
     union cups_snmp_value_u			// Object value
    


References

3
