CVE-2015-1158

CUPS < 2.0.3 - Remote Code Execution via IPP Job Request

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-1158. PoCs published by Google Security Research, @0x00string.

AI-analyzed exploit summary This is a detailed writeup describing an exploit chain for CVE-2015-1158, a reference count over-decrement vulnerability in CUPS. It includes analysis of the bug, exploitation steps, and a secondary XSS vulnerability (CVE-2015-1159) to bypass local host restrictions.

Description

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Google Security Research · textremotemultiple
https://www.exploit-db.com/exploits/37336

This is a detailed writeup describing an exploit chain for CVE-2015-1158, a reference count over-decrement vulnerability in CUPS. It includes analysis of the bug, exploitation steps, and a secondary XSS vulnerability (CVE-2015-1159) to bypass local host restrictions.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: CUPS (Common Unix Printing System) < 2.0.3
No auth needed
Prerequisites: Network access to CUPS service · Ability to send IPP requests
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by @0x00string · pythonremotelinux
https://www.exploit-db.com/exploits/41233

This exploit targets a reference count over-decrement vulnerability in CUPS (CVE-2015-1158) to achieve remote code execution. It sends maliciously crafted IPP packets to trigger the vulnerability and can optionally load a shared library payload for post-exploitation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CUPS < 2.0.3
No auth needed
Prerequisites: Network access to the CUPS IPP service (typically port 631) · A vulnerable version of CUPS (< 2.0.3)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (20)

Core 20
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1221641
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3283
Issue Tracking x_refsource_confirm
https://bugzilla.opensuse.org/show_bug.cgi?id=924208
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2629-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032556
Vendor Advisory x_refsource_confirm
http://www.cups.org/blog.php?L1082
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/810572
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75098
Vendor Advisory x_refsource_confirm
https://www.cups.org/str.php?L4609
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201510-07
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37336/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41233/
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1123.html

Scores

EPSS 0.2991
EPSS Percentile 98.0%

Details

CWE
CWE-254
Status published
Products (1)
cups/cups < 2.0.2
Published Jun 26, 2015
Tracked Since Feb 18, 2026