{"id":"CVE-2025-58436","summary":"OpenPrinting CUPS slow client can halt cupsd, leading to a possible DoS attack","details":"OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15.","aliases":["GHSA-8wpw-vfgm-qrrr"],"modified":"2026-04-30T16:51:27.057191Z","published":"2025-11-29T02:15:53.252Z","related":["ALSA-2026:0312","ALSA-2026:0464","ALSA-2026:0596","SUSE-SU-2025:4290-1","SUSE-SU-2025:4319-1","SUSE-SU-2025:4425-1","SUSE-SU-2026:20229-1","SUSE-SU-2026:20231-1","SUSE-SU-2026:20528-1","SUSE-SU-2026:20535-1","openSUSE-SU-2026:10088-1","openSUSE-SU-2026:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58436.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/11/27/4"},{"type":"WEB","url":"https://github.com/OpenPrinting/cups/releases/tag/v2.4.15"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58436.json"},{"type":"ADVISORY","url":"https://github.com/OpenPrinting/cups/security/advisories/GHSA-8wpw-vfgm-qrrr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58436"},{"type":"FIX","url":"https://github.com/OpenPrinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openprinting/cups","events":[{"introduced":"0"},{"fixed":"433af45db06759081d4f3cd606e08ca634fc490a"},{"fixed":"40008d76a001babbb9beb9d9d74b01a86fb6ddb4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.15"}]}}],"versions":["v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2b1","v2.2b2","v2.2rc1","v2.3.0","v2.3.1","v2.3.3","v2.3.3op1","v2.3.3op2","v2.3b1","v2.3b2","v2.3b3","v2.3b4","v2.3b5","v2.3b6","v2.3b7","v2.3b8","v2.3rc1","v2.4.0","v2.4.1","v2.4.10","v2.4.11","v2.4.12","v2.4.13","v2.4.14","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.4b1","v2.4rc1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["76580982592754540176721867738932825098","190981950243515492771567476796405008105","241900447263142149710300279178902025919"]},"id":"CVE-2025-58436-00373401","target":{"file":"scheduler/select.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"13964595530112761719741095840615189618","length":6841},"id":"CVE-2025-58436-20fd7485","target":{"function":"_httpTLSStart","file":"cups/tls-openssl.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"21005017830707045656850060399595820854","length":4457},"id":"CVE-2025-58436-25bc207f","target":{"function":"httpRead2","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["95200110946963419759778017192610222268","9662844345539735996566874530560025267","224406327908932319998670883747366985351","197905358160672202742885613990887036701"]},"id":"CVE-2025-58436-2c8387af","target":{"file":"scheduler/client.h"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"131599698190001556526141342741850960006","length":5662},"id":"CVE-2025-58436-434ad461","target":{"function":"cupsdAcceptClient","file":"scheduler/client.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["77478087155392166827753678322261110249","199629161088706978755561407205027215243","242761163277272059188145473982024142479","31183038617601839798647281261141047645","290956483188464259330199195401068909924","47716117503936234012778123479968869248","127641381619247502457438674603461877569"]},"id":"CVE-2025-58436-43860eb9","target":{"file":"cups/cups.h"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/433af45db06759081d4f3cd606e08ca634fc490a"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"256259829874770239351392431181177356909","length":297},"id":"CVE-2025-58436-4ba12da5","target":{"function":"cupsd_start_tls","file":"scheduler/client.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"63990270412560338136497101077274539451","length":7791},"id":"CVE-2025-58436-66c9abdb","target":{"function":"_httpTLSStart","file":"cups/tls-gnutls.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"110583347758116482037036578708611922814","length":27166},"id":"CVE-2025-58436-777739fc","target":{"function":"cupsdReadClient","file":"scheduler/client.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"63395032374237686701806846327027758490","length":241},"id":"CVE-2025-58436-8d67a1fb","target":{"function":"http_set_wait","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"96387383944112773729210900321340476074","length":2855},"id":"CVE-2025-58436-8fa8c320","target":{"function":"_httpUpdate","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"42457734256847403102303065043103970251","length":1746},"id":"CVE-2025-58436-94d6bf6e","target":{"function":"http_read","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["50090007929121909738874384860873572028","108324662318643432976305785286245322975","117990651278070980309781706624646665884","97081622970465573073701815774266343837"]},"id":"CVE-2025-58436-96703422","target":{"file":"cups/tls-gnutls.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"215592277725726461147819129441770121701","length":1818},"id":"CVE-2025-58436-9b4c3212","target":{"function":"cupsdDoSelect","file":"scheduler/select.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"151343785229667440901182264245484924486","length":2600},"id":"CVE-2025-58436-acc37f2a","target":{"function":"httpGets2","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"25482128319209345481774140169645450638","length":5129},"id":"CVE-2025-58436-b8e7e4b5","target":{"function":"httpPeek","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"222454751353243750950085968367631111141","length":718},"id":"CVE-2025-58436-c817132e","target":{"function":"http_read_buffered","file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["220937579370994057422172740810188185869","202920195206624962959882956042849483352","37204080690075896955741574542946318464","38764951050736091848406992431934851592","115544067325554418942111553709407926368","292851504603595218555172153002070843903","254968094425386866743152415827450284500","317668555164455258143952952055606276414","95439092828441216523640652748895482817","57215892426559041111686129616929838393","251593974081863510690004547132453903260","84662947609845643508772012009563076528","207877349988144601811265079795032128720","49535135922147869497593584384568717169","230668246715740605965978617427933448258","331965586640396569123113931958706921803","215102972044362745412246145605675856279","151432898557419667006012766920194806937","81362735062366394052508654345891804117","247500396506078783524841209064688467842","68515677982774460688568189311824910870","294597368029328247444346317850850754976","222225639025378989734337404159941313448","174838959419054344982290213151155887600","259330269313256186092694477311032987333","268675321619712639392212482856612555305","237360592190234030331501611764520973764","49666754819857256762920258545342314214","31920624420474366806947265776797247942","261553588950147682191179747359337844378","203816063383653388398343670042693123868","175632053914215373931497602904363332301","22290268406244151010814350101227556080","130414552956693870172342815797450907540","287491872689107931590837065128871019136","127357465760662644247158062282859090002","175633343499789452788752202264766821168","137380842499935726295759783271285029189","161975817745790595031881254261214342246","196878581401953091619150697500315006190","144709456403896685928028262453546157093","42196458354052505286999026797575388525","8259137617139029824405288222215754507","301064327207613911127419859533505747255","314925097165751840684583528787135164182","185910148625618238994771920348100271990","316804192400732200618574420683882793756","275618671731457118536091705101832569051","265946737292763176807739994515511166290","180292568597617523187468525722372869003","171558288642004310337663103251472289725","207877349988144601811265079795032128720","49535135922147869497593584384568717169","334109988833839505309770478738732868023","45467618816276135478635627797621906673","220954902390370380484542096361813524312","71538283825906627365082181669140458710","308264536986278297323521979524683425592","245290759629488890917412799595528779778","11116867621387510408687364562741139934","219144732628616798679836479262708548717","190398832356637388926303932854350618083","134791416766577091004223389712943008180","10073359398168804227469408636084113051","140562840050888259267129168230163612012","37711208752528262622189853453754955301","223605687384502898083300432579423083587","17974401850654646352790152234951503995","212537782183287577244646788300865512812","53470549373654421293747858535465929779","51752518775046134052072657781737423920","3328296161053751771227517285514924218","94893500354933557477694464238082077296"]},"id":"CVE-2025-58436-d955da7e","target":{"file":"cups/http.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["9731753208066359264796181405004907320","288466649599257905828658043357139590481","161382070116073613191298673810503089835","73397454859929601636086791840664015108","237623941905835839842116206798900649340","219460211777916174872319061233752119122","51693750832589658951029776574171777510","297179566004257764159650860145186588461","310993804655686780298103925336876197950","179533042381934944409438937369102013894"]},"id":"CVE-2025-58436-e1c26e48","target":{"file":"cups/http-private.h"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["140993919044767757133673634682162219985","8668393305532190339983824672999466994","153453576089776109429203201426467305788","226097930355045394714926280284618422932","52226336585735852957738037659911748897","197245255202888104771371453894979003515","170108506108608489251713667852307788975","282781239652591421734139038836460140880","314971034684681621628695835174142351602","203497607690134765193484021040752463359","210167775771193174403266830148611510268","99696380705556089464734680969963472841","121067994153455686785859871818095272466","182071474845517934643065443737550543932","116125465341994966545968824573224499092","305241460732807833951871247198419963452","228201166414183721878497584381661525101","222142236097855885259861150311468662363","240923197704791241410876405600745910765","89905294565089784232041929964965170263","269611898589719613315654152617303925515","236462248127071627713623193614047329158","160681588632997437340974403979177548173","250986970814202058859303598708904373824","102950214427966112349858068293852915826","70002934788131876423116643776645497352","178889892306512681990125431301402580664","294152177238406031956462642290878010320","174037044923750340395624263110641464464","48734733450526156845456368106486089567","307734517275143893656270816106752831182","171271217001705860614896221501718702298","201209774514035599311192501296302563538","20598658697990835514516987244552184836","160681588632997437340974403979177548173","66406238322179189753543407743343652319","170179840398760617102956268660000044404","52537449681233155051880094344462644703","136860193325089608314629368719641106232","82348012438297328919531776335580031182","138873283035521091374153289463000005119","112602551469238615829087197989811374604","48006112017426648830235607026543755808","249916090939057470086218391235473522387","166166642135507382002095520079376806318","229554581805383321333453671829465408151","48891181061255022393394518538356606879","20598658697990835514516987244552184836","48734733450526156845456368106486089567","307734517275143893656270816106752831182","171271217001705860614896221501718702298","201209774514035599311192501296302563538","20598658697990835514516987244552184836","160681588632997437340974403979177548173","136752580974446077371232755962497199100","29676334190074211084572122057646805376","95618840937649161024063666792994849333","195243365434163044653460888225594149038","292901862157114464939566553140296087015","139195202079445841923888384660081405831","90626181423289783586422741740696129083","42732810707636097049541212732454010815","169847540674278062666314053642314114409","274315313691437550663969559486274755437","329057310053589688498003135413171117778","33003683363914288635897885217787907356","5435974358176779537635288965947794908","165043446329089594852573512912994755541","59342611756614576852520033534967100372","192867116708398520305816776459719109897","322063092447481488269948388049388260813","34832312546820911948517218085229464625","228886538849069896797245351083395373316","271418234643561394165814948013092021281","213193280444100845808413210661629036114","1030367992328116785951692856432667003"]},"id":"CVE-2025-58436-f1f00bba","target":{"file":"scheduler/client.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Function","digest":{"function_hash":"32779829444270059358290639062691080629","length":680},"id":"CVE-2025-58436-f8ea6b94","target":{"function":"http_bio_read","file":"cups/tls-openssl.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"},{"deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["50090007929121909738874384860873572028","108324662318643432976305785286245322975","117990651278070980309781706624646665884","97505251453591497408240161597851144647","213114181218757194516410718564036664560","189219283082422016270915599154781499092","281875931784809881766468337049394380767","221863027742682880293243261908480692459","235680793638536000896368552128062694026","246381262291612499553897222165419801831","330797298341431416811959538325823704930"]},"id":"CVE-2025-58436-fc930b4e","target":{"file":"cups/tls-openssl.c"},"signature_version":"v1","source":"https://github.com/openprinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4"}],"vanir_signatures_modified":"2026-04-30T16:51:27Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-58436.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}