Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Kept AV:N/PR:N because a network-exposed CUPS queue can accept crafted jobs unauthenticated, and code execution in the filter yields full C/I/A impact; AV:N is the worst-case and assumes network printing is enabled.
Primary rating from Vendor (redhat).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an integer overflow in the hpcups processing path when handling specially crafted print data.
Analysis (AI)
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter across Red Hat Enterprise Linux 6 through 10, where an integer overflow triggered by specially crafted print data can corrupt memory. This is an incomplete-fix follow-up to CVE-2026-8631, meaning the original patch did not fully close the flaw, and no public exploit has been identified at time of analysis. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that a specially crafted print job reach the hpcups filter, i.e. a CUPS print queue configured with the HPLIP/hpcups driver for an HP device must process the attacker's raster/print data. … |
| Risk Assessment | The signals are partially conflicting and should be weighed rather than taken at face value. … |
| Exploit Scenario | An attacker crafts a malicious print job whose raster/print data contains size fields engineered to trigger the integer overflow in hpcups, then submits it to a CUPS queue that uses the HPLIP driver, either directly on a shared/network-exposed print server or by luring a user to print attacker-supplied content. When hpcups processes the job, the overflow corrupts memory in the filter process, potentially yielding code execution in the print filter's context. … |
| Remediation | No exact fixed HPLIP version is present in the provided data, so treat patch status as: patch tracked per vendor advisory but released fixed version not independently confirmed. Monitor https://access.redhat.com/security/cve/CVE-2026-14544 and apply the HPLIP errata update for your RHEL release as soon as it is published, prioritizing this because the prior fix (CVE-2026-8631) was incomplete. … |
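To make the CWE-190 pattern behind this assessment concrete, the following is an added illustration and not hpcups, HPLIP or CUPS code: the 12-byte little-endian header, the `raster_hdr_t` fields and every function name are invented for the example. It parses attacker-controlled size fields from a constructed job, shows how a 32-bit `width * height * bpp` product wraps to a tiny allocation size (the class of bug the description calls an integer overflow in the processing path), and beside it the overflow-checked form a hardened filter would use to reject the job before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 12-byte raster page header: three little-endian uint32 fields.
 * Illustration of the CWE-190 pattern only, not the real hpcups/CUPS raster
 * format. All three fields come from the print job, i.e. are attacker-controlled. */
typedef struct {
    uint32_t width;   /* pixels per row */
    uint32_t height;  /* rows */
    uint32_t bpp;     /* bytes per pixel */
} raster_hdr_t;

#define HDR_LEN 12

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header; returns 0 on success, -1 if the job is too short. */
int parse_raster_hdr(const uint8_t *job, size_t len, raster_hdr_t *h) {
    if (len < HDR_LEN) return -1;
    h->width  = rd_le32(job);
    h->height = rd_le32(job + 4);
    h->bpp    = rd_le32(job + 8);
    return 0;
}

/* Vulnerable pattern (CWE-190): the page size is computed in 32-bit unsigned
 * arithmetic, so oversized fields wrap to a small value. A filter that
 * allocates this many bytes and then copies width*bpp bytes per row would
 * overrun the buffer. Returned here only so the wrap can be observed. */
uint32_t page_bytes_unchecked(const raster_hdr_t *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened form: widen to 64 bits, check the step that can wrap, and cap the
 * result. Returns 0 and sets *out on success, -1 if any field is zero, the
 * product would wrap, or it exceeds the policy cap. */
int page_bytes_checked(const raster_hdr_t *h, size_t cap, size_t *out) {
    uint64_t n;
    if (h->width == 0 || h->height == 0 || h->bpp == 0) return -1;
    n = (uint64_t)h->width * h->height;     /* product of two uint32 always fits in uint64 */
    if (n > UINT64_MAX / h->bpp) return -1;  /* the *bpp step would wrap */
    n *= h->bpp;
    if (n > cap) return -1;                  /* cap is a size_t, so the cast below is safe */
    *out = (size_t)n;
    return 0;
}

/* Allocate the page buffer for a job using the checked path. Returns NULL
 * (and leaves *bytes untouched) when the header is rejected. */
uint8_t *alloc_page(const uint8_t *job, size_t len, size_t cap, size_t *bytes) {
    raster_hdr_t h;
    size_t n;
    if (parse_raster_hdr(job, len, &h) != 0) return NULL;
    if (page_bytes_checked(&h, cap, &n) != 0) return NULL;
    *bytes = n;
    return calloc(n, 1);
}

/* Constructed sample headers (little-endian): an A4 page at 300 dpi, and a
 * header whose 32-bit product wraps to exactly 0. */
static const uint8_t SAMPLE_OK[HDR_LEN] = {
    0xB0, 0x09, 0x00, 0x00,   /* width  = 2480 */
    0xB4, 0x0D, 0x00, 0x00,   /* height = 3508 */
    0x03, 0x00, 0x00, 0x00    /* bpp    = 3    */
};
static const uint8_t SAMPLE_WRAP[HDR_LEN] = {
    0x00, 0x00, 0x01, 0x00,   /* width  = 65536 */
    0x00, 0x00, 0x01, 0x00,   /* height = 65536 */
    0x01, 0x00, 0x00, 0x00    /* bpp    = 1     */
};

int main(void) {
    raster_hdr_t h;
    size_t n = 0;
    size_t cap = (size_t)256 << 20;  /* 256 MiB policy cap for one page */
    parse_raster_hdr(SAMPLE_WRAP, HDR_LEN, &h);
    printf("wrapping header, unchecked: %u bytes\n", page_bytes_unchecked(&h));
    printf("wrapping header, checked:   %s\n",
           page_bytes_checked(&h, cap, &n) ? "rejected" : "accepted");
    uint8_t *page = alloc_page(SAMPLE_OK, HDR_LEN, cap, &n);
    printf("A4 header: %zu bytes, allocation %s\n", n, page ? "ok" : "failed");
    free(page);
    return 0;
}
```

The policy cap matters as much as the wrap check: a header that does not wrap can still request gigabytes, so the checked path turns both the corruption case and the resource-exhaustion case into a rejected job rather than a crashed or overrun filter.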
Recommended Action (AI)
Within 24 hours: Inventory all RHEL systems (versions 6, 7, 8, 9, 10) running HPLIP and identify network-exposed CUPS instances; disable CUPS daemon where operationally unnecessary. …
Weakness: CWE-190 – Integer Overflow or Wraparound
Related identifiers: EUVD-2026-41515, GHSA-vwpr-fv2p-8c56