What are the CUPS Linux printing system vulnerabilities?

Two critical vulnerabilities have been reported in the Linux Common Unix Printing System (CUPS): CVE-2025-58060 (CVSS 7.8) - an authentication bypass vulnerability, and CVE-2025-58364 (CVSS 6.5) - a remote denial-of-service vulnerability. These affect the core CUPS infrastructure installed by default on most Linux distributions.

What is CVE-2025-58060 in CUPS?

CVE-2025-58060 is an authentication bypass vulnerability with CVSS score 7.8 that affects CUPS configurations using non-Basic authentication methods. Attackers can bypass password verification by sending Authorization: Basic headers when the system expects different authentication types, gaining unauthorized access to CUPS administrative functions.

What is CVE-2025-58364 in CUPS?

CVE-2025-58364 is a remote denial-of-service vulnerability with CVSS score 6.5 caused by unsafe deserialization and validation of printer attributes within the libcups library. Attackers can trigger null pointer dereference through crafted printer attribute responses, causing system crashes across local networks.

Which Linux systems are affected by the CUPS vulnerabilities?

The vulnerabilities affect most Linux distributions that have CUPS installed by default, as the printing system automatically listens for network printer announcements. Any system running CUPS that processes network printer communications is potentially vulnerable.

What can attackers do with the CUPS authentication bypass vulnerability?

The CVE-2025-58060 authentication bypass vulnerability allows attackers to access CUPS administrative functions without proper authentication. This potentially enables them to modify printer configurations, access print queues, or execute administrative commands on affected systems.

Are patches available for the CUPS vulnerabilities?

CVE-2025-58060 has been fixed in CUPS version 2.4.13. However, no patches are currently available for CVE-2025-58364, the denial-of-service vulnerability affecting the libcups library.

What network security measures should be implemented for CUPS?

Implement firewall rules to restrict access to IPP port 631, disable the cups-browsed service on systems that don't need automatic printer discovery, and monitor network traffic for suspicious printer attribute responses that could exploit the denial-of-service vulnerability.

What is the impact of the CUPS denial-of-service vulnerability?

CVE-2025-58364 allows attackers to cause system crashes across local networks by sending crafted printer attribute responses that trigger null pointer dereference in the libcups library, potentially disrupting printing services and system availability.

Advisory

Vulnerabilities reported in CUPS system for Linux

published: Sept. 15, 2025

Take action: Finally not an urgent patch. Ideally, if not used disable cups-browsed and plan an update of the cups packages.

Learn More

Two vulnerabilities are reported in the Linux Common Unix Printing System (CUPS). The printing system vulnerabilities affect the core CUPS infrastructure that is installed by default on most Linux distributions and automatically listens for network printer announcements.

Vulnerabilities summary:

CVE-2025-58060 (CVSS score 7.8) - Authentication bypass vulnerability affecting CUPS configurations using non-Basic authentication methods. It allows attackers to bypass password verification by sending Authorization: Basic headers when the system expects different authentication types. This flaw grants unauthorized access to CUPS administrative functions, potentially allowing attackers to modify printer configurations, access print queues, or execute administrative commands.
CVE-2025-58364 (CVSS score 6.5) - Remote denial-of-service vulnerability caused by unsafe deserialization and validation of printer attributes within the libcups library. It allows attackers to trigger a null pointer dereference through crafted printer attribute responses, causing system crashes across local networks.

Network administrators should restrict IPP port 631 access through firewalls and disable the cups-browsed service on systems that don't require automatic printer discovery. For the authentication bypass vulnerability, temporarily reverting to AuthType Basic with strong passwords provides immediate protection until patches become available.

No patches are currently available for CVE-2025-58364, while CVE-2025-58060 has been fixed in CUPS version 2.4.13.

Vulnerabilities reported in CUPS system for Linux