HP
CVE-2025-9903
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Out-of-bounds write vulnerabilities in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver
AnalysisAI
Out-of-bounds write vulnerabilities exist in the print processing functionality of multiple Canon printer drivers, including Generic Plus variants (PCL6, UFR II, LIPS4, LIPSLX, PS) and standalone drivers (UFRII LT, CARPS2, Generic FAX, LIPS4, LIPSLX, UFR II, PS, PCL6). An attacker can exploit these memory corruption flaws via a malicious print job to corrupt memory, potentially leading to code execution or denial of service. The EPSS score of 0.04% (13th percentile) suggests low exploitation probability in the wild, and no active KEV status has been reported, indicating this is not currently being exploited at scale.
Technical ContextAI
The vulnerability class CWE-787 (Out-of-bounds Write) indicates a buffer overflow condition in the print processing pipeline where user-controlled input from print jobs is written beyond allocated memory boundaries. This affects Canon's printer driver ecosystem spanning multiple print languages and protocols: PCL6 (Printer Command Language 6), UFR II (Universal Front-end Roaming), LIPS4 (Line Imaging Printing System), LIPSLX (LIPS with extended capabilities), PS (PostScript), CARPS2 (Canon Advanced Raster Printing System 2), and FAX rendering engines. The vulnerability exists in the input validation or buffer allocation routines that process print job data before transmission to or processing by the printer hardware, allowing attackers to write arbitrary data to memory regions used by the driver process.
Affected ProductsAI
Canon's printer driver portfolio is affected, including Generic Plus PCL6 Printer Driver, Generic Plus UFR II Printer Driver, Generic Plus LIPS4 Printer Driver, Generic Plus LIPSLX Printer Driver, Generic Plus PS Printer Driver, UFRII LT Printer Driver, CARPS2 Printer Driver, Generic FAX Driver, standalone LIPS4 Printer Driver, standalone LIPSLX Printer Driver, standalone UFR II Printer Driver, standalone PS Printer Driver, and standalone PCL6 Printer Driver. Specific version ranges are not detailed in available advisories but Canon has published comprehensive security information via https://canon.jp/support/support-info/250925vulnerability-response, https://psirt.canon/advisory-information/cp2025-005/, and https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers. Affected deployments include production printer environments, office multifunction printers, small office printers, and laser printer systems.
RemediationAI
Obtain and deploy the latest Canon printer driver versions from the vendor's security advisory portal at https://psirt.canon/advisory-information/cp2025-005/ or regional support sites such as Canon Europe (https://www.canon-europe.com/support/product-security/) and Canon USA (https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers). Prioritize updating driver versions for production printer fleets, office multifunction devices, and network-connected laser printers. As a compensating control, restrict print job submissions to trusted internal sources only via print server access lists and network segmentation, disable network printing from untrusted sources, and monitor print job processing logs for anomalous behavior. Test driver updates in a staging environment before production deployment to ensure compatibility with existing workflows.
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software co
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown
Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoP
Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, when SOAP is used, allow remote attackers to execu
UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4
Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown ve
Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via u
Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arb
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute ar
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a
The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today