CVE-2024-47175 [High] | Input Validation Bypass in Libppd

CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-31	33.66%	36.80%	+3.14%
2	2026-05-26	34.27%	33.66%	-0.61%
3	2026-05-22	—	34.27%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-31

33.66%

36.80%

+3.14%

2026-05-26

34.27%

33.66%

-0.61%

2026-05-22

—

34.27%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.6	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	3.9	4.0	[email protected]
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.6

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

3.9

4.0

[email protected]

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

OS Trackers for CVE-2024-47175

vendor	priority	summary	link
`alpine`	high	CVE-2024-47175: 1 source package rows (cups); 5 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 5, open 0.	https://security.alpinelinux.org/vuln/CVE-2024-47175
`debian`	unimportant	CVE-2024-47175 unimportant priority: Debian including 2 source packages (cups, libppd), 7 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 7.	https://security-tracker.debian.org/tracker/CVE-2024-47175
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2024-47175
`suse`	high	CVE-2024-47175 severity important: SUSE including 284 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 810 product×package rows across 167 product lines (Image SLES15-SP4-BYOS, Image SLES15-SP4-BYOS-Azure, … (167 product lines)): Fixed 541, Known Affected 226, Known Not Affected 43.	https://www.suse.com/security/cve/CVE-2024-47175/
`ubuntu`	medium	CVE-2024-47175 medium priority: Ubuntu including 2 source packages (cups, libppd), 12 status rows across 6 suites (bionic, focal, jammy, noble, upstream, xenial): released 6, not-affected 4, needs-triage 2.	https://ubuntu.com/security/CVE-2024-47175

Affected software / configurations for CVE-2024-47175

Vendor	Product	Version	Raw CPE
openprinting	libppd	<= 2.0.0	cpe:2.3:a:openprinting:libppd::::::::
openprinting	libppd	2.1	cpe:2.3:a:openprinting:libppd:2.1:beta1::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2024-47175

URL	Tags
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8	Not Applicable
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47	Not Applicable
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5	Not Applicable
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6	Exploit Vendor Advisory
https://www.cups.org	Product
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I	Exploit Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/09/27/3	Mailing List
https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477	Patch
https://lists.debian.org/debian-lts-announce/2024/09/msg00047.html	Mailing List
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0016
https://security.netapp.com/advisory/ntap-20241011-0001/

URL

CVE-2024-47175 | libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer

Public exploit references (Exploit-DB) for CVE-2024-47175

Exploit prediction scoring system (EPSS) score for CVE-2024-47175

Common vulnerability scoring system (CVSS) metrics for CVE-2024-47175

Weakness enumeration for CVE-2024-47175

OS Trackers for CVE-2024-47175

Affected software / configurations for CVE-2024-47175

References for CVE-2024-47175