CVE-2025-57812
📋 TL;DR
A crafted TIFF file submitted as a print job, combined with print options that steer the bytes-per-pixel value used by the cupsfilters TIFF reader, makes the reader perform out-of-bounds memory reads and writes inside the filter process. It affects cups-filters versions up to and including 1.28.17 and libcupsfilters versions 2.0.0 through 2.1.1, so any system whose CUPS filter chain is built on these libraries is exposed as soon as an attacker can submit a job to one of its queues.
💻 Affected Systems
- CUPS-Filters
- libcupsfilters
📦 What is this software?
cups-filters (the 1.x line) and libcupsfilters (the 2.x library split out of it) are maintained by the OpenPrinting project. They provide the filter chain CUPS uses to turn submitted documents into printer-specific output, including the image loaders (TIFF among them) behind the imagetoraster and imagetopdf filters; CUPS on most Linux distributions depends on them.
⚠️ Risk & Real-World Impact
Worst Case
Memory corruption in the filter process leading to code execution as the CUPS filter user (normally the unprivileged lp account, not root), which gives an attacker a foothold on the print server and the ability to stop its queues at will; climbing from that account to root would need a separate weakness.
Likely Case
Application crash (denial of service) or information disclosure through memory reads.
If Mitigated
Limited: cupsd runs each filter as a separate, unprivileged process (the account set by the User directive in cupsd.conf, lp by default), so a crash or corruption is contained to that one job, the scheduler keeps running, and the filter has no more access than lp has. Where a mandatory access control profile (AppArmor, SELinux) confines the filters, the reach of a compromised filter shrinks further.
🎯 Exploit Status
Exploitation requires the ability to submit a print job containing a crafted TIFF file together with the print options that control the bytes-per-pixel value. On a server where printer sharing has been enabled (cupsd then accepts jobs from the local network, @LOCAL, without authentication), any host on that network typically meets this requirement; a default, localhost-only install is only reachable by local users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libcupsfilters builds that include commit b69dfacec7f176281782e2f7ac44f04bf9633cfa (the upstream fix linked in the references); for cups-filters 1.x, which carries the same TIFF reader, take the patched package from your distribution.
Vendor Advisory: https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4
Restart Required: Yes
Instructions:
1. Update cups-filters (1.x installs) or libcupsfilters (2.x installs) to a build that contains the fix.
2. On distributions, pull the patched package with the package manager, e.g. sudo apt update && sudo apt install --only-upgrade cups-filters libcupsfilters1 (libcupsfilters2 on a 2.x release), or sudo dnf update cups-filters (and libcupsfilters on 2.x releases).
3. Restart the scheduler so that new jobs run the updated filters: sudo systemctl restart cups
🔧 Temporary Workarounds
Disable TIFF processing
Remove or disable the filters that load TIFF input. Both imagetoraster and imagetopdf read images through the same cupsfilters image code, so disabling imagetoraster alone leaves a queue whose conversion path goes through imagetopdf exposed; apply the same rename to imagetopdf. The filter directory is the ServerBin directory of your CUPS build (cups-config --serverbin prints it; /usr/lib/cups on most distributions). Jobs for image types then fail with a filter error, and a later package upgrade silently restores the binaries, so record the change.
sudo mv /usr/lib/cups/filter/imagetoraster /usr/lib/cups/filter/imagetoraster.disabled
Restrict print job submission
Limit who can submit print jobs via the CUPS configuration.
Edit /etc/cups/cupsd.conf so that the /printers location only admits trusted networks and the job-creating operations in the default policy require an authenticated user; check the file with cupsd -t and restart the service for the change to take effect.
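The cupsd.conf changes described above, as an added example (not configuration from the page or from OpenPrinting). The subnet is a placeholder for the network that legitimately prints; the directive names and the operation list are those of the stock cupsd.conf.

```apache
# Added example, not from the page or OpenPrinting: cupsd.conf changes that
# restrict who can hand cupsd a document.  10.0.5.0/24 is a placeholder.

# 1. Only admit the print server itself and one trusted subnet to the
#    printer resources (the stock block, or the one sharing creates, is
#    more permissive; replace it with this one).
<Location /printers>
  Order deny,allow
  Deny from all
  Allow from localhost
  Allow from 10.0.5.0/24
</Location>

# 2. In the existing <Policy default> block, make the operations that
#    create a job and carry its document require an authenticated account.
#    Edit the Limit that already lists these operations rather than adding
#    a second one; the remaining Limit sections of the policy stay as shipped.
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
</Policy>
```

Check the syntax with cupsd -t, restart with sudo systemctl restart cups, then confirm from a host outside the allowed subnet that lp -h <server> -d <queue> file.tif is refused, and from an allowed host that an unauthenticated submission is refused as well.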
🧯 If You Can't Patch
- Disable network printing or restrict to trusted users only
- Implement network segmentation to isolate print servers
🔍 How to Verify
Check if Vulnerable:
Check the installed packages. Package names vary: Debian and Ubuntu ship the library as libcupsfilters1 (1.x) or libcupsfilters2 (2.x), RPM-based distributions as cups-filters or libcupsfilters, so query with a pattern: rpm -qa 'cups-filters*' 'libcupsfilters*' or dpkg -l 'cups-filters*' 'libcupsfilters*'
Check Version:
cups-config --version prints the version of CUPS itself, not of cups-filters, and there is no cups-filters --version command, so read the version from the package database: dpkg-query -W -f='${Package} ${Version}\n' 'cups-filters*' 'libcupsfilters*' or rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' cups-filters. Where the development files are installed, pkg-config --modversion libcupsfilters reports the library version directly.
Verify Fix Applied:
Verify that the upstream version is above the vulnerable ranges: cups-filters > 1.28.17 or libcupsfilters > 2.1.1. Distributions usually backport the fix without bumping that number, so on a package that still reports 1.28.17 or 2.1.1 check the changelog for the CVE instead, e.g. zcat /usr/share/doc/cups-filters/changelog.Debian.gz | grep CVE-2025-57812 or rpm -q --changelog cups-filters | grep CVE-2025-57812; an empty result means the package has not been patched.
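The range check above, as an added example (not code from the page or from OpenPrinting). It encodes the affected ranges this page states and applies them to the version strings a package manager prints; the parsing of distro suffixes (epoch, Debian revision, snapshot or pre-release markers) is this example's own assumption about those strings. It only answers whether the upstream version is in range: a package that reports an in-range version but carries a backported fix still has to be cleared through its changelog.

```python
"""Added example: decide whether a reported cups-filters / libcupsfilters
version is inside the ranges given for CVE-2025-57812.  Not OpenPrinting code."""
import re
import sys

# Affected ranges as stated for CVE-2025-57812.
CUPS_FILTERS_1X_MAX = (1, 28, 17)   # cups-filters <= 1.28.17 (TIFF reader is built in)
LIBCUPSFILTERS_MIN = (2, 0, 0)      # libcupsfilters 2.0.0 ..
LIBCUPSFILTERS_MAX = (2, 1, 1)      # .. 2.1.1 inclusive


def upstream_version(pkg_version):
    """Reduce a distro version string to the upstream numeric tuple:
    '1:1.28.17-3ubuntu2' -> (1, 28, 17), '2.1.1+git20250101-1' -> (2, 1, 1).
    Assumption: an epoch sits before ':' and the first '-', '+' or '~'
    starts distro decoration (revision, snapshot, pre-release marker)."""
    v = pkg_version.strip().split(":", 1)[-1]
    v = re.split(r"[-+~]", v, maxsplit=1)[0]
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError("unrecognised version string: %r" % pkg_version)
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable(package, pkg_version):
    """True/False for an affected/unaffected upstream version.  Returns None
    for cups-filters 2.x: that package only links libcupsfilters, so its own
    version says nothing and the libcupsfilters package must be checked."""
    v = upstream_version(pkg_version)
    if v[0] < 2:
        # 1.x: the TIFF reader ships inside cups-filters.  Debian splits the
        # library out as libcupsfilters1, still with a 1.x version, so the
        # same rule applies whatever the package is called.
        return v <= CUPS_FILTERS_1X_MAX
    if package == "cups-filters":
        return None
    return LIBCUPSFILTERS_MIN <= v <= LIBCUPSFILTERS_MAX


def assess(report):
    """Take '<package> <version>' lines (the shape dpkg-query -W or
    rpm -q --qf prints, see the usage note) and map each package name to
    'vulnerable', 'patched-upstream' or 'see-libcupsfilters'."""
    verdicts = {}
    for line in report.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        result = is_vulnerable(name, version)
        if result is None:
            verdicts[name] = "see-libcupsfilters"
        else:
            verdicts[name] = "vulnerable" if result else "patched-upstream"
    return verdicts


if __name__ == "__main__":
    # Pipe the package manager output in, one "<package> <version>" per line.
    for name, verdict in assess(sys.stdin.read()).items():
        print("%-20s %s" % (name, verdict))
```

Usage: dpkg-query -W -f='${Package} ${Version}\n' 'cups-filters*' 'libcupsfilters*' | python3 check.py, or rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' cups-filters | python3 check.py. A "vulnerable" verdict on a distribution package is a prompt to read its changelog, not a final answer; "see-libcupsfilters" means the cups-filters 2.x package is not where the TIFF code lives.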
📡 Detection & Monitoring
Log Indicators (/var/log/cups/error_log; set LogLevel debug in cupsd.conf to also get the "Started filter" lines):
- An image filter dying, which cupsd records as PID <n> (.../imagetoraster) crashed on signal <sig> (or imagetopdf, which uses the same image loader), followed by "Job stopped due to filter errors"
- The same job having been queued with a TIFF document (File of type image/tiff queued by "<user>"), especially repeatedly from one user or host
- Core dumps of the image filters where systemd-coredump is in use: coredumpctl list imagetoraster
Network Indicators:
- IPP Print-Job or Send-Document requests to port 631 from hosts or accounts that do not normally print
- IPP requests whose document-format attribute is image/tiff, or whose document payload starts with the TIFF magic bytes (II*\0 little-endian, MM\0* big-endian)
SIEM Query:
source="cups" AND "crashed on signal" AND ("imagetoraster" OR "imagetopdf"), then pivot on the [Job N] identifier to the "File of type image/tiff" line for the same job; the crash line itself never contains the word TIFF.
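The job-level correlation described above, as an added example (not code from the page or from OpenPrinting): it scans cupsd error_log lines for a TIFF document being queued and the image filter of that same job then dying on a signal. The sample log is constructed for this example; it follows cupsd's "<level> [<date>] [Job <id>] <message>" layout and the message texts are modelled on the scheduler's wording, so verify the patterns against your own error_log before relying on them.

```python
"""Added example: correlate cupsd error_log lines into "TIFF queued, image
filter crashed" events for one job.  Sample log constructed; not OpenPrinting code."""
import re
from collections import Counter

# Both filters load images through the same cupsfilters image code, so a
# crash in either one is of interest.
IMAGE_FILTERS = ("imagetoraster", "imagetopdf")

# Assumed line layout: "<level> [<timestamp>] [Job <id>] <message>"
LINE_RE = re.compile(r"^(?P<level>\S) \[(?P<ts>[^\]]+)\] \[Job (?P<job>\d+)\] (?P<msg>.*)$")
QUEUED_RE = re.compile(r'File of type (?P<mime>\S+) queued by "(?P<user>[^"]*)"')
CRASH_RE = re.compile(r"PID \d+ \((?P<path>\S+)\) crashed on signal (?P<sig>\d+)")

# Constructed sample: job 101 is the pattern we want, job 102 is a crash in an
# unrelated filter, job 103 is a TIFF job that ran without incident.
SAMPLE_LOG = """\
I [12/Nov/2025:09:14:02 +0000] [Job 101] File of type image/tiff queued by "guest".
D [12/Nov/2025:09:14:02 +0000] [Job 101] Started filter /usr/lib/cups/filter/imagetoraster (PID 4410)
E [12/Nov/2025:09:14:03 +0000] [Job 101] PID 4410 (/usr/lib/cups/filter/imagetoraster) crashed on signal 11.
E [12/Nov/2025:09:14:03 +0000] [Job 101] Job stopped due to filter errors; please consult the error_log file for details.
I [12/Nov/2025:09:20:45 +0000] [Job 102] File of type application/pdf queued by "alice".
E [12/Nov/2025:09:20:47 +0000] [Job 102] PID 4431 (/usr/lib/cups/filter/pdftopdf) crashed on signal 6.
I [12/Nov/2025:09:31:10 +0000] [Job 103] File of type image/tiff queued by "guest".
D [12/Nov/2025:09:31:11 +0000] [Job 103] Started filter /usr/lib/cups/filter/imagetoraster (PID 4455)
"""


def scan(lines, filters=IMAGE_FILTERS, mimes=("image/tiff",)):
    """Return one (job, user, mime, filter, signal) tuple per job in which a
    document of one of `mimes` was queued and one of `filters` then crashed.
    Crashes of other filters and TIFF jobs that did not crash are left out."""
    queued = {}                 # job id -> (user, mime) from the queue line
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        job, msg = int(m["job"]), m["msg"]
        q = QUEUED_RE.search(msg)
        if q:
            queued[job] = (q["user"], q["mime"])
            continue
        c = CRASH_RE.search(msg)
        if not c:
            continue
        name = c["path"].rsplit("/", 1)[-1]
        user, mime = queued.get(job, ("?", "?"))
        if name in filters and mime in mimes:
            hits.append((job, user, mime, name, int(c["sig"])))
    return hits


def by_user(hits):
    """Count suspicious crashes per submitting user; repeated crashes on
    TIFF jobs from one account are the thing to escalate."""
    return Counter(user for _, user, _, _, _ in hits)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/cups/error_log") on a real host.
    hits = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("job %d by %r: %s (%s) crashed on signal %d" % hit)
    print(dict(by_user(hits)))
```

The correlation key is the job id, not the PID, because the queue line and the crash line are logged by different code paths; a crash line whose job never saw a TIFF queue line is reported only if you widen the mimes argument.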
🔗 References
- https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/cupsfilters/image-tiff.c#L34
- https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/filter/imagetoraster.c#L613
- https://github.com/OpenPrinting/libcupsfilters/blob/33421982e10f6a14bc0bab03b80c9cf4660e8d7d/cupsfilters/image-tiff.c#L32
- https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa
- https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4
- http://www.openwall.com/lists/oss-security/2025/11/12/1