CVE-2024-47176 — CUPS cups-browsed unauthenticated RCE chain
A long-running CUPS helper, cups-browsed, listens on UDP 631 with no authentication and will fetch a printer description from any host that announces one. Chained with three sibling CVEs in libcupsfilters, libppd and foomatic-rip, a single UDP packet can register a malicious printer whose use triggers command execution as the printing user. NVD scores this individual link Medium (5.3) — the danger is the composite chain, which research consensus rates Critical (~9.8) when all four links land together.
TL;DR
- Disclosed 2024-09-26 by Simone Margaritelli (evilsocket); four chained CVEs, of which CVE-2024-47176 is the network-facing entry point.
- cups-browsed binds UDP 631 on 0.0.0.0 by default in older configurations; sending a crafted IPP "browse" packet makes it fetch attacker-controlled PPD data from a URL of the attacker's choosing.
- Chained outcome: a remote, unauthenticated attacker on the same broadcast domain (or any network that can reach UDP 631) can register a printer; when a user prints to it — or in some configurations automatically — foomatic-rip command injection runs arbitrary shell as the printing user.
- Affected: most Linux distributions that ship the CUPS browsing stack and have cups-browsed running. Servers in homelabs frequently have it enabled even when no printer is attached.
- Fix: install the vendor security update from late 2024 (Debian, Ubuntu, RHEL family, Rocky and AlmaLinux all shipped patches in October 2024); if you don't need network printer discovery, disable and mask cups-browsed; firewall UDP 631 inbound from anything you don't trust.
- Widely tracked and prioritised by patch-management vendors; high public-PoC availability since disclosure.
At a glance
| CVE ID | CVE-2024-47176 |
|---|---|
| Severity (this CVE alone) | Medium (NVD CVSS 5.3) |
| Chained severity | Critical — pre-auth RCE on a printing host (when chained with CVE-2024-47076 / -47175 / -47177) |
| CVSS vector (this CVE in isolation) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD); chained impact is C:H/I:H/A:H |
| CWE | CWE-1327 (Binding to an Unrestricted IP Address) |
| Sibling CVEs in the chain | CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47177 (foomatic-rip command injection) |
| Affected component | cups-browsed (network printer auto-discovery daemon) |
| Default port / protocol | UDP 631 (IPP browse) |
| User interaction required | Print job to the malicious printer (some configurations register and auto-use without UI) |
| Published | 2024-09-26 |
| Last updated (NVD) | 2024-10-15 |
Affected versions and fix paths
Every mainstream Linux distribution that ships the CUPS browsing
stack shipped a patched cups-browsed in October 2024.
Exact package versions vary by distro; the "Fixed by" column below
points to the published advisory rather than a build number,
because all four sibling CVEs are addressed in the same vendor
update.
| Package / distro | Vulnerable | Fixed by |
|---|---|---|
| Debian 12 (bookworm) | cups-browsed prior to the October 2024 DSA update | Debian security update (DSA) from October 2024 |
| Debian 11 (bullseye, LTS) | cups-browsed prior to the October 2024 LTS update | Debian LTS update from October 2024 |
| Ubuntu 24.04 / 22.04 / 20.04 | cups-browsed prior to the late-2024 Ubuntu security update | Ubuntu Security Notice from late September / October 2024 |
| Rocky / AlmaLinux 9 | cups-filters / cups-browsed prior to the October 2024 errata | Vendor errata (RHSA-equivalent) from October 2024 |
| Rocky / AlmaLinux 8 | cups-filters / cups-browsed prior to the October 2024 errata | Vendor errata from October 2024 |
| Fedora 40 / 41 | cups-filters prior to the October 2024 update | Fedora security update from October 2024 |
| openSUSE Leap / Tumbleweed | cups-filters prior to the October 2024 update | openSUSE security update from October 2024 |
| Arch Linux | cups-filters before the rolling update of 2024-09-27 | cups-filters 2.0.x from the Arch repos (late September 2024) |
Distro-specific advisory IDs and the exact fixed package version per release are tracked on the Noxen Debian 12, Debian 11, Ubuntu 24.04, Ubuntu 22.04, Ubuntu 20.04, Rocky 9, Rocky 8, AlmaLinux 9 and AlmaLinux 8 per-distro pages — the daily feed keeps those in sync.
The four-CVE chain
No single CVE in this set is critical on its own. The risk lives in the chain. Each link reduces the attacker's required capability by one step:
- CVE-2024-47176 — cups-browsed trusts unauthenticated UDP 631 packets. The browse daemon accepts IPP browse requests from any source address and will contact an attacker-controlled URL to fetch a printer description. This is the network-facing entry point.
- CVE-2024-47076 — libcupsfilters does not sanitise the IPP attributes returned from that URL. Attacker-controlled IPP attributes flow into the printer configuration that gets handed to the print pipeline.
- CVE-2024-47175 — libppd writes those attributes verbatim into the generated PPD file, including fields that downstream filters interpret as shell commands.
- CVE-2024-47177 — foomatic-rip's FoomaticRIPCommandLine directive is a command injection. When a user prints to the registered printer, foomatic-rip evaluates that directive and executes the attacker's payload as the printing user.
The chain weaponises a quirk that is otherwise mundane: CUPS is designed to discover printers on a LAN, and printer descriptions legitimately contain configuration that the filter pipeline executes. The bug is that none of the four links validate the source of those instructions.
Quick scan check
Three commands answer "is this host exposed?" in seconds. Run on every Linux box that has CUPS installed (or that you're not sure about):
```bash
# Is cups-browsed listening?
ss -ulnp | grep :631

# Is the service enabled and running?
systemctl status cups-browsed 2>/dev/null | head -3

# What version is installed?
dpkg -l cups-browsed cups-filters 2>/dev/null   # Debian / Ubuntu
rpm -q cups-filters cups-browsed 2>/dev/null    # RHEL family

# Quick "is the patch in?" sanity check on Debian/Ubuntu
apt-cache policy cups-browsed | head -4
```
A host where the first command prints UNCONN 0 0 0.0.0.0:631 ... cups-browsed
is listening on UDP 631 on every interface,
including any LAN you don't fully trust. Compare the installed
version against the per-distro CVE pages above to decide whether
the patch is in.
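The listening check above can be turned into a verdict that separates a wildcard or LAN bind from a loopback-only bind and does not false-match ports such as 6310, as `grep :631` does. This is an added example, not Noxen's or the CUPS project's code; the function name `classify_udp631` and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify UDP 631 exposure from `ss -uln` / `ss -ulnp` output.
# Real use:  ss -uln | classify_udp631
# The Process column is only filled in when ss runs as root, so the verdict
# is based on the bound address and port, not on the process name.

classify_udp631() {
    awk '
        $1 == "State" { next }                  # skip the ss header line
        {
            local_addr = $4                     # e.g. 0.0.0.0:631, [::1]:631
            n = split(local_addr, parts, ":")
            port = parts[n]
            if (port != "631") next             # exact match: 6310 is ignored
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/%.*/, "", host)                # drop an interface scope (%eth0)
            gsub(/\[|\]/, "", host)             # drop IPv6 brackets
            if (host ~ /^127\./ || host == "::1") loopback++
            else exposed++                      # 0.0.0.0, *, ::, or a LAN address
        }
        END {
            if (exposed)       print "exposed"
            else if (loopback) print "loopback-only"
            else               print "not-listening"
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*'

SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:631      0.0.0.0:*
UNCONN 0      0      [::1]:631          [::]:*
UNCONN 0      0      0.0.0.0:6310       0.0.0.0:*'

printf '%s\n' "$SAMPLE_EXPOSED"  | classify_udp631
printf '%s\n' "$SAMPLE_LOOPBACK" | classify_udp631
```

An "exposed" verdict is a configuration finding independent of patch level; the package version still has to be compared against the distro advisory.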
What Noxen does about this
Noxen handles CVE-2024-47176 on two axes:
- Admin-surface detection. cups-browsed listening on UDP 631 is part of Noxen's admin-surface catalogue — any host where the daemon is bound to a non-loopback interface gets flagged regardless of patch state, because the configuration itself is the risk. Even fully patched cups-browsed is a printer-management surface that most homelabs don't need on the LAN.
- Version-matched CVE finding. The package-manifest probe captures cups-browsed and cups-filters versions over SSH and matches them against the daily-refreshed feed. Hosts running an unpatched version surface CVE-2024-47176 (and its three siblings) with a critical-severity finding and a one-line remediation: install the vendor security update from late 2024, or disable and mask the service if you don't need network printer discovery.
The deep-dive
For the narrative walkthrough — how a UDP packet becomes RCE, why this matters more in homelabs than enterprises, and the bigger pattern of "mDNS responders on untrusted LANs" that this bug sits inside — read CUPS exposed on your LAN — the September 2024 CVE chain on the Noxen blog.
Authoritative sources
- NVD entry for CVE-2024-47176
- cve.org record
- NVD entry for CVE-2024-47076 (libcupsfilters)
- NVD entry for CVE-2024-47175 (libppd)
- NVD entry for CVE-2024-47177 (foomatic-rip)
- FIRST EPSS API for CVE-2024-47176