CVE-2025-58364
📋 TL;DR
CVE-2025-58364 is a remote denial-of-service vulnerability in OpenPrinting CUPS affecting versions 2.4.12 and earlier. It allows attackers on the local network to crash the CUPS and cups-browsed services through unsafe deserialization that causes a null pointer dereference. All Linux and Unix-like systems with default CUPS configurations listening for network printers are vulnerable.
💻 Affected Systems
- OpenPrinting CUPS
- cups-browsed
📦 What is this software?
CUPS by OpenPrinting
⚠️ Risk & Real-World Impact
Worst Case
Complete printing service disruption across all affected machines in a network, potentially affecting business operations that rely on printing services.
Likely Case
Temporary denial of printing services on affected systems until services are restarted, with potential for repeated attacks causing sustained disruption.
If Mitigated
Limited to local network impact with proper firewall rules, or no impact if patched or services are not network-accessible.
🎯 Exploit Status
The attack requires network access to the CUPS IPP port (631 by default). Exploitation involves crafting malicious printer attribute data to trigger a null dereference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.13
Vendor Advisory: https://github.com/OpenPrinting/cups/security/advisories/GHSA-7qx3-r744-6qv4
Restart Required: No
Instructions:
1. Update CUPS to version 2.4.13 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade cups
3. For RHEL/CentOS/Fedora: sudo yum update cups or sudo dnf update cups
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Firewall IPP Port Blocking
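Linux: Block incoming IPP (port 631) traffic from untrusted networks to prevent remote exploitation. As written, these rules drop port 631 traffic from every source; add ACCEPT rules for trusted sources ahead of them if other hosts must still reach this service.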
sudo iptables -A INPUT -p tcp --dport 631 -j DROP
sudo iptables -A INPUT -p udp --dport 631 -j DROP
Disable Network Printer Discovery
Linux: Configure CUPS to not listen for network printers, limiting attack surface to localhost only
sudo cupsctl --no-remote-any
sudo systemctl restart cups
🧯 If You Can't Patch
- Implement strict firewall rules to block IPP port 631 from all untrusted networks
- Disable CUPS network listening entirely if network printing is not required
🔍 How to Verify
Check if Vulnerable:
Check CUPS version: cups-config --version or dpkg -l cups | grep ^ii
Check Version:
cups-config --version 2>/dev/null || dpkg-query -W -f='${Version}\n' cups 2>/dev/null || rpm -q cups
Verify Fix Applied:
Verify version is 2.4.13 or higher: [ "$(printf '%s\n' 2.4.13 "$(cups-config --version)" | sort -V | head -n 1)" = 2.4.13 ] && echo 'Patched'
📡 Detection & Monitoring
Log Indicators:
- CUPS service crashes in system logs
- Repeated connection attempts to port 631 followed by service failure
- Error messages containing 'null pointer' or 'segmentation fault' in CUPS logs
Network Indicators:
- Unusual traffic patterns to port 631/TCP
- Multiple connection attempts to CUPS service from single source
- Malformed IPP packets targeting printer attributes
SIEM Query:
source="cups" AND ("segmentation fault" OR "null pointer" OR "crashed" OR "terminated")
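The log indicators and SIEM query above, turned into a small filter for hosts without a SIEM. This is an added example, not part of the advisory: the function names and sample lines are constructed, it assumes syslog-style lines carrying kernel segfault or systemd SEGV messages, and it treats lines for the same service in the same second as one crash.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed for illustration; on a real host
# pipe `journalctl -o short --no-pager` or a syslog file into the functions.
SAMPLE_LOG='Sep 12 10:01:02 host1 systemd[1]: Started cups.service - CUPS Scheduler.
Sep 12 10:01:03 host1 kernel: cupsd[811]: segfault at 0 ip 00007f3c2a1b4e10 sp 00007ffd6c2a9f40 error 4 in libcups.so.2
Sep 12 10:01:03 host1 systemd[1]: cups.service: Main process exited, code=dumped, status=11/SEGV
Sep 12 10:01:05 host1 kernel: cups-browsed[930]: segfault at 0 ip 00007f9d11c02e10 sp 00007ffc1e4b7a20 error 4 in libcups.so.2
Sep 12 10:02:10 host1 systemd[1]: Started cups.service - CUPS Scheduler.
Sep 12 10:03:40 host1 systemd[1]: cups.service: Main process exited, code=dumped, status=11/SEGV
Sep 12 10:04:00 host1 kernel: gimp[4242]: segfault at 8 ip 000055d0c1a2b3c4 sp 00007ffe00112233 error 4 in gimp'

# Print "<service> <crash count>" for cupsd and cups-browsed (hypothetical helper).
cups_crash_counts() {
  awk '
    {
      line = tolower($0)
      # Crash indicators: the SIEM terms plus kernel and systemd SEGV wording.
      if (line !~ /segfault|segmentation fault|null pointer|status=11\/segv|code=dumped/) next
      # Keep only the two services named in the advisory.
      if (line ~ /cups-browsed/) svc = "cups-browsed"
      else if (line ~ /cupsd|cups\.service/) svc = "cupsd"
      else next
      # Kernel and systemd both log one crash: dedupe on timestamp + service.
      key = $1 " " $2 " " $3 " " svc
      if (!(key in seen)) { seen[key] = 1; n[svc]++ }
    }
    END { for (s in n) print s, n[s] }
  ' | LC_ALL=C sort
}

# Exit 0 when any service crashed at least $1 times (repeated-crash signal).
cups_repeated_crash() {
  cups_crash_counts | awk -v t="$1" '$2 >= t { hit = 1 } END { exit !hit }'
}

printf '%s\n' "$SAMPLE_LOG" | cups_crash_counts
```

A single crash can be an ordinary bug; repeated crashes of the same service in a short span match the "repeated attacks causing sustained disruption" case described above.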