On September 26, 2024, security researcher Simone Margaritelli (evilsocket) publicly disclosed a chain of vulnerabilities in the Common UNIX Printing System (CUPS) that allows unauthenticated remote code execution on Linux and other UNIX-like systems. The disclosure followed weeks of intense speculation in the security community, with some initial rumors suggesting a "CVSS 9.9 Linux RCE" that would rival the severity of Log4Shell.
The reality, while serious, was more nuanced than the initial hype suggested. The vulnerabilities are real and exploitable, but the attack requires specific conditions that limit its widespread applicability.
The Vulnerability Chain
Four CVEs make up the CUPS vulnerability chain:
CVE-2024-47176 (cups-browsed): The cups-browsed service, which handles automatic printer discovery, binds to UDP port 631 on all interfaces (0.0.0.0:631) and trusts any incoming printer advertisement packet. An attacker can send a specially crafted packet to this port advertising a malicious "printer."
CVE-2024-47076 (libcupsfilters): When processing the malicious printer advertisement, libcupsfilters does not validate or sanitize the printer attributes received from the attacker, allowing attacker-controlled values to flow into the printer configuration.
CVE-2024-47175 (libppd): The PPD (PostScript Printer Description) file generated for the malicious printer does not properly sanitize attacker-controlled attributes, allowing injection of arbitrary directives into the PPD file.
CVE-2024-47177 (cups-filters): The FoomaticRIPCommandLine directive in the PPD file is processed by the foomatic-rip filter, which executes it as a shell command. This is the actual code execution point.
The Attack Flow
1. The attacker sends a UDP packet to port 631 on a target system where cups-browsed is running and listening on a public interface.
2. The packet advertises a malicious IPP (Internet Printing Protocol) printer, including attacker-controlled attributes in the printer URI and other fields.
3. cups-browsed accepts the advertisement and contacts the attacker's malicious IPP server to retrieve printer details.
4. The attacker's IPP server responds with crafted attributes that, through CVE-2024-47076 and CVE-2024-47175, inject a FoomaticRIPCommandLine directive containing arbitrary shell commands into the PPD file.
5. The malicious printer appears in the target system's printer list.
6. When any user on the system prints a document to the malicious printer (or if the attacker can trigger a print job), the foomatic-rip filter executes the injected command with the privileges of the CUPS service.
The critical detail is step 6: the attacker-controlled code only executes when someone prints to the malicious printer. The initial UDP packet adds the printer, but code execution requires a subsequent print job. This two-step nature significantly limits the practical severity compared to a one-shot RCE.
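Because step 6 only fires through a FoomaticRIPCommandLine directive, a defender can audit the PPDs CUPS already holds and surface any whose command line does not look like a normal RIP invocation. The following is an added example written for this post, not code from the original article or from the CUPS or cups-filters projects. It assumes PPDs live in /etc/cups/ppd (the usual CUPS location) and uses an operator-chosen allowlist of RIP programs that is an assumption, not a list maintained by CUPS; the sample PPDs are constructed for the stand-alone run.

```python
"""Audit CUPS PPD files for the foomatic-rip execution path (CVE-2024-47177).

Added example; not code from the original post or the CUPS project.
Assumptions: PPDs are in /etc/cups/ppd, and EXPECTED_RIP_PROGRAMS is an
operator-chosen starting point, not a CUPS-maintained list.
"""
import re
import sys
from pathlib import Path

# foomatic-rip hands the value of this directive to a shell.  Legitimate
# Foomatic-generated PPDs carry it too, so every hit is a review item,
# not proof of compromise; only unexpected programs are flagged.
CMDLINE_RE = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"([^"]*)"', re.M)
# *cupsFilter / *cupsFilter2 lines name the filters CUPS runs for the PPD.
CUPSFILTER_RE = re.compile(r'^\*cupsFilter2?\s*:\s*"([^"]*)"', re.M)
# Programs a legitimate Foomatic command line normally starts with (assumption).
EXPECTED_RIP_PROGRAMS = {"gs", "pdftoraster", "foo2zjs-wrapper"}


def audit_ppd(text: str) -> dict:
    """Return foomatic usage, the command lines found, and a verdict for one PPD."""
    filters = [m.group(1) for m in CUPSFILTER_RE.finditer(text)]
    uses_foomatic = any("foomatic-rip" in f for f in filters)
    # PPD quoted values may span lines; collapse whitespace for reporting.
    commands = [" ".join(m.group(1).split()) for m in CMDLINE_RE.finditer(text)]
    unexpected = []
    for cmd in commands:
        program = cmd.split(" ", 1)[0].rsplit("/", 1)[-1] if cmd else ""
        if program not in EXPECTED_RIP_PROGRAMS:
            unexpected.append(cmd)
    if unexpected:
        verdict = "flag"        # command line not starting with a known RIP program
    elif commands or uses_foomatic:
        verdict = "review"      # foomatic path present, command looks ordinary
    else:
        verdict = "clean"       # no shell-executing directive at all
    return {"uses_foomatic": uses_foomatic, "commands": commands,
            "unexpected": unexpected, "verdict": verdict}


def audit_ppd_dir(directory: str = "/etc/cups/ppd") -> dict:
    """Audit every *.ppd in a directory; returns {filename: audit result}."""
    return {p.name: audit_ppd(p.read_text(errors="replace"))
            for p in sorted(Path(directory).glob("*.ppd"))}


# Constructed sample PPDs for the stand-alone run (not real printer files).
SAMPLE_LEGIT = '''*PPD-Adobe: "4.3"
*NickName: "Constructed Foomatic printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=pxlmono
 -sOutputFile=- -"
'''
SAMPLE_FLAGGED = '''*PPD-Adobe: "4.3"
*NickName: "Constructed printer advertised over the network"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "touch /tmp/constructed-marker"
'''
SAMPLE_CLEAN = '''*PPD-Adobe: "4.3"
*NickName: "Constructed driverless printer"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 -"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_ppd_dir(sys.argv[1])
    else:
        results = {"legit.ppd": audit_ppd(SAMPLE_LEGIT),
                   "flagged.ppd": audit_ppd(SAMPLE_FLAGGED),
                   "clean.ppd": audit_ppd(SAMPLE_CLEAN)}
    for name, r in results.items():
        print(f"{name}: {r['verdict']} foomatic={r['uses_foomatic']} commands={r['commands']}")
```

Run it with a directory argument to audit a real spool (`python3 audit_ppd.py /etc/cups/ppd`); with no argument it audits the three constructed samples. A "flag" result is worth correlating with when the PPD appeared and which printer entry it belongs to, since a printer added by cups-browsed from the network is exactly the case the chain above produces.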
Severity Assessment
The initial hype suggested CVSS 9.9, but the actual severity depends heavily on context:
High risk if:
- cups-browsed is running and listening on a public interface (check with ss -ulnp | grep 631).
- The system is a print server that regularly processes print jobs.
- The attacker can socially engineer a user into printing to the malicious printer.
Lower risk if:
- cups-browsed is not running (it is not enabled by default on many modern distributions).
- UDP port 631 is not accessible from attacker-controlled networks (firewall rules block it).
- No one prints to the malicious printer (the vulnerability sits dormant until triggered).
Most modern Linux server deployments do not have cups-browsed running. It is primarily found on desktop Linux installations and print servers. Cloud-hosted Linux VMs and containerized workloads are generally unaffected because CUPS is not typically installed.
The Disclosure Drama
The disclosure process for these vulnerabilities was unusually contentious. Margaritelli reported the vulnerabilities to the affected maintainers and to CERT/CC in early September 2024. He expressed frustration with the response, stating that the maintainers initially disputed the severity and were slow to develop patches.
Ahead of the planned disclosure date, details began leaking on social media, with security researchers speculating about the severity based on partial information. This created a cycle of hype that set unrealistic expectations about the impact.
When the full details were published, some in the community felt the vulnerabilities were overhyped due to the two-step nature of the exploit and the limited default exposure. Others argued that the underlying code quality issues in CUPS (decades-old code with insufficient input validation) represented a systemic risk that deserved attention.
Both perspectives have merit. The individual vulnerability chain may not be the next Log4Shell, but the fact that a printing system trusted arbitrary network input without validation, and that this trust could lead to code execution, reveals architectural assumptions that predate the modern threat landscape.
Affected Systems and Mitigation
Check if you are vulnerable:
# Check if cups-browsed is running
systemctl status cups-browsed
# Check if UDP port 631 is listening on all interfaces
ss -ulnp | grep 631
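The grep above tells you whether something is bound to 631, but the point that matters for this chain is which address it is bound to: 0.0.0.0 or [::] means every interface, 127.0.0.1 means loopback only, and a specific address means the restricted configuration recommended later in this post. The following is an added example, not code from the original post or the CUPS project; it parses the `ss -ulnp` output format (constructed sample lines are embedded so it runs offline) and falls back to the sample when `ss` is unavailable.

```python
"""Classify the exposure of any UDP 631 listener from `ss -ulnp` output.

Added example; not code from the original post or the CUPS project.
classify_port_631() is a pure function over the text so it can be fed
captured or constructed output; main() runs the real command when present.
"""
import re
import subprocess

PORT = 631
# Local-address forms ss prints for "bound on every interface".
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}
# Pulls the process name and pid out of ss's users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def classify_port_631(ss_output: str) -> list:
    """Return one finding per UDP socket bound to port 631.

    exposure is "all-interfaces", "loopback" or "specific".
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header ("State ...") and blank lines; data rows start with
        # an upper-case socket state such as UNCONN.
        if len(fields) < 5 or not fields[0].isupper():
            continue
        local = fields[3]                       # e.g. 0.0.0.0:631 or [::]:631
        host, sep, port = local.rpartition(":")
        if not sep or port != str(PORT):
            continue
        if host in WILDCARD_HOSTS:
            exposure = "all-interfaces"
        elif host in LOOPBACK_HOSTS:
            exposure = "loopback"
        else:
            exposure = "specific"
        proc = PROC_RE.search(line)
        findings.append({"local": local, "exposure": exposure,
                         "process": proc.group(1) if proc else None,
                         "pid": int(proc.group(2)) if proc else None})
    return findings


def worst_exposure(findings: list) -> str:
    """Collapse the findings to the single worst case; "none" if nothing is bound."""
    rank = {"all-interfaces": 3, "specific": 2, "loopback": 1}
    return max((f["exposure"] for f in findings), key=rank.get, default="none")


# Constructed ss -ulnp output (not captured from a real host).
SAMPLE_EXPOSED = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0           0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=600,fd=12))
UNCONN 0      0           0.0.0.0:631        0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0              [::]:631           [::]:*     users:(("cups-browsed",pid=812,fd=8))
"""
SAMPLE_LOOPBACK = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0         127.0.0.1:631        0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
"""
SAMPLE_NONE = "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process\n"


def main() -> None:
    try:
        out = subprocess.run(["ss", "-ulnp"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_EXPOSED            # no ss here: show the constructed case
    findings = classify_port_631(out)
    print("worst exposure for UDP 631:", worst_exposure(findings))
    for f in findings:
        print(f"  {f['local']:<18} {f['exposure']:<15} {f['process']} pid={f['pid']}")


if __name__ == "__main__":
    main()
```

Run as root (or with CAP_NET_ADMIN) so that ss can fill in the process column; without it the exposure is still classified but the process name is None. An "all-interfaces" result on a host reachable from untrusted networks is the condition the High-risk list above describes.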
Immediate mitigations:
- Disable and stop cups-browsed if it is not needed:
  sudo systemctl stop cups-browsed
  sudo systemctl disable cups-browsed
- Block UDP port 631 at the firewall level if cups-browsed must remain running:
  sudo ufw deny from any to any port 631 proto udp
- Update CUPS packages when patches are available from your distribution. Ubuntu, Debian, RHEL, and SUSE released patches in late September and early October 2024.
- Remove the foomatic-rip filter if it is not needed. This eliminates the code execution path regardless of whether the other vulnerabilities are exploited (note that a later upgrade of the package that owns the file will reinstall it, so treat this as a stopgap rather than a permanent fix):
  sudo rm /usr/lib/cups/filter/foomatic-rip
Longer-term recommendations:
- Audit which systems in your environment have CUPS installed and cups-browsed running. This may reveal systems where printing services were installed by default but are not actually needed.
- For dedicated print servers, restrict cups-browsed to listening only on trusted management interfaces, not all interfaces.
- Consider whether mDNS/DNS-SD printer discovery (the alternative to cups-browsed) better suits your environment.
The Bigger Issue: Legacy UNIX Services
The CUPS vulnerability chain is a reminder that many UNIX/Linux systems ship with services that were designed in a different era. CUPS dates back to 1999. The foomatic-rip filter has executed commands from PPD files for decades. The assumption was that printers on your network were trusted devices, not potential attack vectors.
Other legacy UNIX services with similar trust assumptions include:
- NFS (Network File System): Often configured with trust based on IP addresses rather than strong authentication.
- SNMP: SNMPv1 and v2c use community strings (effectively passwords) transmitted in cleartext.
- rpcbind/portmapper: Exposes information about running RPC services to anyone who asks.
- X11: The X Window System's network transparency was designed without authentication.
As organizations harden their Linux infrastructure, a systematic review of legacy network services, including their trust models and their network exposure, is essential.
How Safeguard.sh Helps
The CUPS vulnerability chain illustrates why knowing what software is running in your environment matters.
- SBOM-based component inventory identifies every instance of CUPS, cups-browsed, and foomatic-rip across your infrastructure, including systems where these components were installed as default packages but are not actively needed.
- Vulnerability mapping correlates published CVEs to specific package versions in your environment, enabling rapid triage of which systems are actually affected.
- Configuration risk assessment identifies services with dangerous default configurations, such as network services binding to all interfaces, helping you harden your environment proactively.
- Attack surface reduction helps you identify and remove unnecessary software components, reducing the number of potential vulnerability targets across your infrastructure.
You cannot secure what you do not know exists. When a vulnerability drops in a printing system, you need to know which of your 500 servers have CUPS installed in under 60 seconds.