Zero-day RCE vulnerability found in CUPS - Common UNIX Printing System

On September 27, 2024, a zero-day vulnerability was discovered in the Common UNIX Printing System (CUPS), which can allow for arbitrary remote code execution (RCE). There are currently four CVEs associated with these findings, with potentially more on the way. The severity of these vulnerabilities is debated, but one has been assigned a CVSS score of 9.9. These vulnerabilities impact downstream packages cups-browsed, libcupsfilters, cups-filters, and libppd. CUPS has been part of UNIX and Linux operating systems since 1999 and is widely distributed with many UNIX and Linux distributions, Apple, Windows, and other operating systems. Snyk can detect the vulnerabilities in both Snyk Open Source and Snyk Container, providing guidance on remediation and prioritization of fixes.