September 15, 2025
Severity
High
Analysis Summary
Two critical vulnerabilities have been uncovered in the Linux Common Unix Printing System (CUPS), potentially affecting millions of Linux-based systems that rely on it for printing services. Tracked as CVE-2025-58364 and CVE-2025-58060, the flaws expose systems to remote denial-of-service (DoS) attacks and authentication bypass exploits. Since CUPS is deeply integrated across enterprise and home Linux environments, these vulnerabilities pose significant risks to both service availability and access control.
The first issue, CVE-2025-58364, is a moderate-severity DoS vulnerability (CVSS 6.5) caused by unsafe deserialization and improper validation of printer attributes in the libcups library. Exploitation occurs within the ipp_read_io() function when handling IPP_OP_GET_PRINTER_ATTRIBUTES requests, leading to null pointer dereferences. Attackers with adjacent network access can crash CUPS services across local subnets, especially in systems running the cups-browsed service, which automatically discovers network printers. This flaw impacts all CUPS versions below 2.4.12, with no official patch available yet.
The second vulnerability, CVE-2025-58060, is more severe with a CVSS score of (High) and enables an authentication bypass. It affects systems configured with AuthType Negotiate or other non-Basic authentication methods. Due to a flaw in the cupsdAuthorize() function, attackers can bypass authentication simply by sending an Authorization: Basic header, even when stronger authentication mechanisms like Kerberos or LDAP are configured. This grants unauthorized users administrative access, allowing them to manipulate configurations, manage print queues, and execute privileged actions.
Mitigation requires immediate defensive measures since patches are not yet available. For the DoS flaw, administrators should restrict access to IPP port 631 via firewalls and disable the cups-browsed service where automatic printer discovery is unnecessary. For the authentication bypass, temporarily reverting to AuthType Basic with strong passwords offers a practical workaround until official patches are released. Organizations should closely monitor the OpenPrinting project repository for fixes and apply them as soon as updates become available, while enforcing strict network segmentation and access control to reduce exploitation risks.
Impact
- Denial of Service
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-58364
CVE-2025-58060
Affected Vendors
Remediation
- Restrict access to IPP port 631 using firewalls to limit exposure.
- Disable the cups-browsed service on systems that don’t require automatic printer discovery.
- For authentication bypass protection, temporarily switch to AuthType Basic and enforce strong, unique passwords.
- Limit network access to CUPS services only to trusted subnets and users.
- Monitor the OpenPrinting project repository for security updates and apply patches immediately once available.
- Regularly audit and review CUPS configurations to ensure only required authentication methods and services are enabled.
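The configuration audit in the last remediation item can be scripted. The following is an added example, not code from the advisory or from the OpenPrinting project: it reads cupsd.conf text and flags listeners that are not bound to loopback and AuthType settings that resolve to a non-Basic method, the configuration the advisory ties to CVE-2025-58060. The sample configuration and the function name audit_cupsd_conf are constructed for illustration, and the script assumes "#" only ever starts a comment.

```python
# Added example: audits cupsd.conf text for the settings named in this advisory.
# Constructed sample configuration (not from a real host).
SAMPLE_CONF = """\
# constructed sample
Listen localhost:631
Listen /run/cups/cups.sock
Listen 0.0.0.0:631
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
<Location /admin/conf>
  AuthType Basic
</Location>
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def audit_cupsd_conf(text):
    """Return (line_no, kind, detail) for exposed listeners and non-Basic auth."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            rows.append((n, parts[0].lower(), parts[1]))
    # AuthType Default inherits DefaultAuthType; cupsd's default for it is Basic.
    default_auth = "basic"
    for _, key, val in rows:
        if key == "defaultauthtype":
            default_auth = val.lower()
    findings = []
    for n, key, val in rows:
        if key == "port":
            findings.append((n, "exposure", f"Port {val} binds all interfaces"))
        elif key == "listen" and not val.startswith("/"):  # skip domain sockets
            host = val.rsplit(":", 1)[0].lower()
            if host not in LOOPBACK:
                findings.append((n, "exposure", f"Listen {val} is not loopback"))
        elif key == "authtype":
            effective = default_auth if val.lower() == "default" else val.lower()
            # "none" requires no login at all, so there is nothing to bypass.
            if effective not in ("basic", "none"):
                findings.append((n, "auth", f"AuthType resolves to {effective}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_cupsd_conf(SAMPLE_CONF):
        print(f"line {line_no}: [{kind}] {detail}")
```

To audit a real host, pass the contents of its cupsd.conf to audit_cupsd_conf() in place of the sample text.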