Skip to main content

Red Hat CVE-2026-39316

| EUVDEUVD-2026-19806 MEDIUM
Use After Free (CWE-416)
2026-04-07 security-advisories@github.com
4.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
4.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 17:22 euvd
EUVD-2026-19806
Analysis Generated
Apr 07, 2026 - 17:22 vuln.today
CVE Published
Apr 07, 2026 - 17:16 nvd
MEDIUM 4.0

DescriptionGitHub Advisory

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.

AnalysisAI

Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.

Technical ContextAI

The vulnerability is a use-after-free (CWE-416) in the CUPS scheduler daemon (cupsd), specifically in the cupsdDeleteTemporaryPrinters() function within scheduler/printers.c. When temporary printers are automatically deleted, the function calls cupsdDeletePrinter() without first expiring subscription objects (cupsd_subscription_t) that reference the printer. This leaves the dest field of subscription structures pointing to freed heap memory. The dangling pointer is later dereferenced at multiple code sites during normal scheduler operation, triggering a crash. With deliberate heap grooming, an attacker can control the freed memory region to achieve code execution. The vulnerability affects the core printing system daemon that runs with elevated privileges on Unix-like systems including Linux.

RemediationAI

Upgrade to a patched version of OpenPrinting CUPS released after version 2.4.16 (specific fix version should be confirmed from the vendor advisory at https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg). Linux distributions will release patched packages through their standard package managers; users should apply updates via apt, yum, dnf, or equivalent package management tools once available. In the interim, on systems where temporary printers are used, administrators can mitigate exposure by disabling automatic deletion of temporary printers or restricting local access to printer management interfaces if operationally feasible, though these are workarounds pending patch application.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-39316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy