HP DeskJet 2855e Printer Flaw (CVE-2026-4682) Allows Remote Code Execution as Root
A stack-based buffer overflow in HP DeskJet 2855e printers, disclosed by ZDI and demonstrated at Pwn2Own, lets unauthenticated network-adjacent attackers execute arbitrary code as root.

HP has released a firmware update to address CVE-2026-4682, a critical vulnerability in the DeskJet 2855e printer that was demonstrated at the Pwn2Own hacking contest. The flaw, reported by Team Neodyme and disclosed by the Zero Day Initiative on April 15, 2026, carries a CVSS score of 8.8 and allows unauthenticated, network-adjacent attackers to achieve remote code execution with root privileges.
The vulnerability resides in the printer's handling of SOAP requests, specifically in the processing of a JobStatusEvent. The service does not validate the length of user-supplied data before copying it into a fixed-size stack buffer, so an oversized field overwrites the adjacent stack frame, a classic stack-based buffer overflow. Because the affected service runs as root, successful exploitation gives the attacker full control of the device, including the ability to modify firmware, intercept print jobs, or pivot to other hosts on the same network.
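The advisory describes only the class of defect (an unchecked length used for a stack copy while handling a JobStatusEvent), not the code. The following is an added illustration written for this article, not HP firmware and not taken from the ZDI advisory: it reconstructs the pattern in C with the vulnerable handler beside a bounded one. The element name JobId, the 32-byte buffer, the sample SOAP bodies and the function names are all assumptions made for the example.

```c
/* Added example: an unchecked-length stack copy of the kind described in
 * the advisory, next to a bounded version. This is NOT HP's code; the
 * element name, buffer size and message layout are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define JOB_ID_MAX 32   /* assumed size of the fixed stack buffer */

/* Constructed sample requests (not real captures). */
static const char BENIGN_EVENT[] =
    "<JobStatusEvent><JobId>job-42</JobId>"
    "<State>Completed</State></JobStatusEvent>";
static const char OVERSIZED_EVENT[] =
    "<JobStatusEvent><JobId>"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* 64 bytes */
    "</JobId><State>Completed</State></JobStatusEvent>";

/* Locate the text between <tag> and </tag>. Returns a pointer to the text
 * and stores its length in *len, or NULL if the element is absent. */
static const char *find_element(const char *xml, const char *tag, size_t *len)
{
    char open[64], close[64];
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open) return NULL;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close) return NULL;
    const char *s = strstr(xml, open);
    if (!s) return NULL;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e) return NULL;
    *len = (size_t)(e - s);
    return s;
}

/* VULNERABLE pattern: the copy length comes straight from the request and is
 * never compared with the destination size. A JobId of JOB_ID_MAX bytes or
 * more writes past job_id into the saved registers and return address.
 * Shown only to make the defect concrete; never call it on untrusted input. */
static int handle_job_status_event_vuln(const char *soap)
{
    char job_id[JOB_ID_MAX];
    size_t n;
    const char *v = find_element(soap, "JobId", &n);
    if (!v) return -1;
    memcpy(job_id, v, n);   /* BUG: n is attacker-controlled and unbounded */
    job_id[n] = '\0';       /* BUG: out-of-bounds write when n >= JOB_ID_MAX */
    return 0;
}

/* HARDENED: check the length against the destination before copying and
 * reject anything that does not fit, leaving room for the terminator. */
static int handle_job_status_event_safe(const char *soap, char *out, size_t outsz)
{
    size_t n;
    const char *v = find_element(soap, "JobId", &n);
    if (!v) return -1;
    if (n >= outsz) return -2;   /* too long: refuse instead of truncating silently */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Number of bytes the vulnerable handler would copy for a request, so the
 * overflow can be reasoned about without actually triggering it. */
static size_t vuln_copy_len(const char *soap)
{
    size_t n = 0;
    return find_element(soap, "JobId", &n) ? n : 0;
}

int main(void)
{
    char out[JOB_ID_MAX];
    /* The vulnerable handler is only ever run here on the benign input. */
    printf("vulnerable handler, benign input: %d\n",
           handle_job_status_event_vuln(BENIGN_EVENT));
    printf("oversized JobId would copy %zu bytes into a %d-byte buffer\n",
           vuln_copy_len(OVERSIZED_EVENT), JOB_ID_MAX);
    printf("hardened handler, benign input: %d (%s)\n",
           handle_job_status_event_safe(BENIGN_EVENT, out, sizeof out), out);
    printf("hardened handler, oversized input: %d\n",
           handle_job_status_event_safe(OVERSIZED_EVENT, out, sizeof out));
    return 0;
}
```

The hardened handler rejects rather than truncates: silently cutting a field to the buffer size can mask a probe and, for identifiers, produce wrong behaviour downstream. In a real device firmware the same check belongs at the point where each variable-length element is extracted, and a fuzzer fed malformed JobStatusEvent bodies is the quickest way to find the copies that lack it.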
The fix is described in HP advisory HPSBPI04110. The vulnerability was reported to HP on November 6, 2025, and coordinated public disclosure took place on April 15, 2026. The ZDI advisory notes that the flaw was demonstrated at Pwn2Own, the contest in which researchers are paid for zero-day vulnerabilities that are then disclosed to the affected vendor.
The HP DeskJet 2855e is a widely used consumer all-in-one printer. The attack requires network adjacency (AV:A), but because it needs neither authentication nor user interaction, any host on the same network segment can trigger it, which makes the flaw especially dangerous in shared or office environments. Printers are often left out of patching cycles, so they make attractive entry points. The CVSS vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects complete loss of confidentiality, integrity, and availability on the device.
This disclosure highlights the ongoing risk posed by embedded devices in enterprise and home networks. Printers, IoT devices, and other peripherals frequently run outdated firmware and are not patched with the same rigor as servers or endpoints. The Pwn2Own demonstration is a reminder that these devices remain fertile ground for vulnerability research and real-world exploitation.
Organizations using the HP DeskJet 2855e should apply the firmware update immediately. For devices that cannot be patched promptly, place printers on their own network segment and restrict which hosts can reach the printer's web services so that only print servers or trusted clients can send requests to it. The vulnerability also underscores the importance of including printers in regular vulnerability management and incident response processes.