OpenPrinting has released patches addressing two significant security flaws in the Common Unix Printing System (CUPS), the widely used open-source printing service for Linux and Unix-like operating systems. The vulnerabilities, tracked as CVE-2025-58364 and CVE-2025-58060, affect multiple versions of CUPS and cups-browsed, exposing systems to a denial-of-service (DoS) attack from the local network and to an authentication bypass.
The advisory describes CUPS as “a standards-based, open source printing system for Linux and other Unix-like operating systems,” making these flaws relevant to countless users across enterprise, education, and government environments.
CVE-2025-58364: Remote DoS via Null Dereference
This flaw, rated CVSS 6.5 (Medium severity), stems from unsafe deserialization and validation of printer attributes within the libcups library.
According to the advisory, “An unsafe deserialization and validation of printer attributes, causes null dereference in libcups library.”
An attacker on the same subnet can trigger the crash by answering a printer-attributes query with a crafted response: a logic bug in ipp_read_io() leaves an attribute in a state that ippValidateAttributes() then dereferences as a null pointer. The advisory notes: “This can happen if an attacker responds with a crafted printer attributes response.”
Impact:
- Affects all machines listening for printers on the local network.
- Can cause cups and cups-browsed to crash, disrupting printing services across Linux desktops and servers.
- Systems that expose CUPS or cups-browsed to the internet (particularly those still carrying older, unfixed vulnerabilities) could be attacked from outside the local network.
CVE-2025-58060: Authentication Bypass with AuthType Negotiate
The second flaw is more severe, rated CVSS 8.0 (High). It lets a client bypass authentication entirely under certain configurations.
The advisory explains: “When the AuthType is set to anything but Basic, if the request contains an Authorization: Basic … header, the password is not checked.”
In practice, a client that sends an Authorization: Basic header to a server configured for a different AuthType (Negotiate, for example) is treated as authenticated without its password ever being verified, so no valid credentials are needed.
Impact:
- Direct authentication bypass in CUPS.
- Affects any CUPS instance whose cupsd.conf sets an AuthType other than Basic (such as the Negotiate setting used for Kerberos single sign-on).
- Could allow attackers to perform administrative actions on printers, queues, and print jobs.
Affected and Patched Versions
- CVE-2025-58364 affects CUPS <2.4.12. Fixed in CUPS 2.4.14.
- CVE-2025-58060 affects CUPS <2.4.13. Fixed in CUPS 2.4.14.
Administrators are strongly advised to upgrade to CUPS 2.4.14 or later.
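A quick audit of the two conditions the advisory names, written as an added example (not OpenPrinting's code): which cupsd.conf scopes carry an AuthType other than Basic, and whether a reported CUPS version is older than the 2.4.14 fix release. The config excerpt is constructed for the demo, and resolving AuthType Default through DefaultAuthType (Basic when the directive is absent) is my reading of cupsd.conf semantics rather than something the advisory states.

```python
"""Added example (not OpenPrinting's code): audit a cupsd.conf for AuthType
settings that fall under the CVE-2025-58060 condition ("anything but Basic")
and compare a CUPS version string against the 2.4.14 fix release named in
the advisory. The sample config below is constructed for the demo."""
import re
from typing import List, Tuple

FIXED_VERSION = (2, 4, 14)  # advisory: both CVEs fixed in CUPS 2.4.14


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the first dotted version out of strings like 'CUPS v2.4.12'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def needs_upgrade(version_text: str) -> bool:
    """True when the reported CUPS version is older than 2.4.14."""
    v = parse_version(version_text)
    return (v + (0, 0))[:3] < FIXED_VERSION  # pad two-part versions


def authtype_directives(conf: str) -> List[Tuple[str, str]]:
    """Return (scope, effective AuthType) for every AuthType directive.

    Scope is the chain of enclosing <Location>/<Policy>/<Limit> blocks, or
    'global'. 'AuthType Default' is resolved through DefaultAuthType, which
    this example assumes to be Basic when the directive is absent.
    """
    stack: List[str] = []
    raw: List[Tuple[str, str]] = []
    default_auth = "Basic"  # assumption: CUPS's built-in DefaultAuthType
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("</"):  # closing tag: leave the block
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):  # opening tag such as <Location /admin>
            stack.append(line.strip("<>").strip())
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "defaultauthtype":
            default_auth = value
        elif key == "authtype":
            raw.append((" > ".join(stack) or "global", value))
    return [(scope, default_auth if v.lower() == "default" else v)
            for scope, v in raw]


def exposed_authtypes(conf: str) -> List[Tuple[str, str]]:
    """Scopes whose effective AuthType is not Basic: the CVE-2025-58060 condition."""
    return [(s, v) for s, v in authtype_directives(conf) if v.lower() != "basic"]


# Constructed sample, not a real deployment's file.
SAMPLE_CONF = """\
DefaultAuthType Negotiate          # Kerberos single sign-on
<Location />
  Order allow,deny
</Location>
<Location /admin>
  AuthType Default                 # resolves to Negotiate above
  Require user @SYSTEM
</Location>
<Policy default>
  <Limit Pause-Printer Resume-Printer>
    AuthType Basic
    Require user @SYSTEM
  </Limit>
</Policy>
"""

if __name__ == "__main__":
    print("needs upgrade:", needs_upgrade("CUPS v2.4.12"))
    for scope, auth in exposed_authtypes(SAMPLE_CONF):
        print(f"non-Basic AuthType in {scope}: {auth}")
```

On a real host, pass the contents of /etc/cups/cupsd.conf to exposed_authtypes() and the version string your distribution reports (for example from cups-config --version where the development package is installed) to needs_upgrade(). A non-empty result from the first check on a version that fails the second is exactly the population the CVE-2025-58060 advisory describes; the only fix the page gives is the upgrade, so the script reports rather than rewrites.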