Linux CUPS Flaw Allows Remote Denial of Service and Authentication Bypass
Two critical security vulnerabilities have been discovered in the Common Unix Printing System (CUPS), a widely used printing subsystem for Unix-like operating systems.
The flaws, designated as CVE-2025-58364 and CVE-2025-58060, expose Linux systems to remote denial-of-service attacks and authentication bypass, potentially affecting millions of Linux machines worldwide.
| CVE | Severity | CVSS Score | Impact | Affected Versions |
| CVE-2025-58364 | Moderate | 6.5 | Remote DoS via null dereference | <2.4.12 |
| CVE-2025-58060 | High | 7.3 | Authentication bypass with AuthType Negotiate | <2.4.13 |
Remote DoS Vulnerability
The first vulnerability, CVE-2025-58364, represents a moderate severity flaw with a CVSS score of 6.5 that enables remote denial-of-service attacks through null pointer dereference.
This vulnerability stems from unsafe deserialization and validation of printer attributes within the libcups library, specifically affecting the combination of IPP_OP_GET_PRINTER_ATTRIBUTES requests and subsequent validation processes.
Security researcher SilverPlate3 discovered that attackers can exploit this flaw by crafting malicious printer attribute responses that trigger null dereference errors in the ippValidateAttributes() function.
The vulnerability occurs when the system processes printer discovery requests, making it particularly dangerous in default Linux configurations where machines automatically listen for network printers. Systems running CUPS versions prior to 2.4.12 are vulnerable, with no patches currently available.
Authentication Bypass
The second vulnerability, CVE-2025-58060, poses a high severity risk with a CVSS score of 7.3, allowing complete authentication bypass when specific authentication configurations are employed.
This flaw affects CUPS installations using AuthType configurations other than Basic authentication, including Negotiate authentication methods commonly deployed in enterprise environments.
Researcher hvenev-insait identified that when CUPS is configured with non-Basic authentication types, the system fails to properly validate passwords in Authorization: Basic headers.
Attackers can exploit this by sending requests with malformed basic authentication credentials, effectively bypassing password verification entirely. This vulnerability affects CUPS versions below 2.4.13, with no patches currently released.
The vulnerabilities present serious security implications for Linux infrastructure. CVE-2025-58364 can be exploited remotely within local network segments, potentially causing widespread service disruptions across entire networks of Linux machines.
Meanwhile, CVE-2025-58060 grants attackers administrative access to printing systems, enabling configuration manipulation and potential lateral movement within compromised networks.
Both vulnerabilities currently lack official patches, leaving system administrators with limited mitigation options beyond network-level protections and service configuration changes.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Post Comment