{
  "threat_severity" : "Moderate",
  "public_date" : "2025-11-28T00:00:00Z",
  "bugzilla" : {
    "description" : "CUPS: Local denial-of-service via cupsd.conf update and related issues",
    "id" : "2416039",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2416039"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1173",
  "details" : [ "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15.", "A flaw was found in cups. A user in group defined by SystemGroup directive in /etc/cups/cups-files.conf can use the cups web ui to change the config \nand insert a malicious line. Then the cupsd process which runs as root will parse the new config and  cause an out-of-bound write." ],
  "statement" : "The highest threat of this flaw is to system availability. A local attacker with high privileges, specifically a user belonging to the `SystemGroup` as defined in `/etc/cups/cups-files.conf`, could exploit the CUPS web interface to introduce a malicious configuration line into `cupsd.conf`, leading to a denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0464",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "cups-1:2.4.10-12.el10_1.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0596",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "cups-1:2.2.6-66.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0596",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "cups-1:2.2.6-66.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0312",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "cups-1:2.3.3op2-34.el9_7.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0312",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "cups-1:2.3.3op2-34.el9_7.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "cups",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "cups",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-61915\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61915" ],
  "name" : "CVE-2025-61915",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}