SB20260205124 - SUSE update for cups
Published: February 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper authentication (CVE-ID: CVE-2025-58060)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the authentication process when the AuthType is set to a value other than "Basic". A remote attacker can send a request with "Authorization: Basic" header, which lead to the application does not check the password and considers the user authenticated.
2) NULL pointer dereference (CVE-ID: CVE-2025-58364)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when handling requests. A remote attacker can send specially crafted data to the server and perform a denial of service (DoS) attack.
3) Resource exhaustion (CVE-ID: CVE-2025-58436)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling delays. A local user can send slow messages to cupsd with a delay of 1 byte per second, causing the daemon to consume excessive resources.
4) Out-of-bounds write (CVE-ID: CVE-2025-61915)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing IPv6 address within the get_addr_and_mask() function. A local user in the lpadmin group can use the cups web UI to change the configuration and crash the daemon.
Remediation
Install update from vendor's website.