CVE-2009-3553

Name: CVE-2009-3553
Creator: NVD / NIST
Published: 2009-11-20T02:30:00.61+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 3.91%

Last modified Jun 16, 2026

CVE-2009-3553 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.. EPSS estimates a 3.91% chance of exploitation in the next 30 days.

Description

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

3.91%

89.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-416

Affected Software

Vendor	Product	Versions
Apple	Cups	1.3.7
Apple	Cups	1.3.10
Apple	Mac Os X	< 10.5.8
Apple	Mac Os X	>= 10.6.0, < 10.6.2
Apple	Mac Os X Server	< 10.5.8
Apple	Mac Os X Server	>= 10.6.0, < 10.6.2
Fedoraproject	Fedora	10
Canonical	Ubuntu Linux	6.06
Canonical	Ubuntu Linux	8.04
Canonical	Ubuntu Linux	8.10
Canonical	Ubuntu Linux	9.04
Canonical	Ubuntu Linux	9.10
Debian	Debian Linux	5.0
Redhat	Enterprise Linux	5.0

References

http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.htmlMailing List
http://secunia.com/advisories/37360Broken Link, Vendor Advisory
http://secunia.com/advisories/37364Broken Link, Vendor Advisory
http://secunia.com/advisories/38241Broken Link
http://secunia.com/advisories/43521Broken Link
http://security.gentoo.org/glsa/glsa-201207-10.xmlThird Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-275230-1Broken Link
http://support.apple.com/kb/HT4004Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5994+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5996+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v6055+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/str.php?L3200Broken Link, Patch, Vendor Advisory
http://www.debian.org/security/2011/dsa-2176Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2010:073Broken Link
http://www.redhat.com/support/errata/RHSA-2009-1595.htmlBroken Link
http://www.securityfocus.com/bid/37048Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-906-1Third Party Advisory
http://www.vupen.com/english/advisories/2010/0173Broken Link
http://www.vupen.com/english/advisories/2011/0535Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=530111Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11183Broken Link
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00332.htmlMailing List
http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.htmlMailing List
http://secunia.com/advisories/37360Broken Link, Vendor Advisory
http://secunia.com/advisories/37364Broken Link, Vendor Advisory
http://secunia.com/advisories/38241Broken Link
http://secunia.com/advisories/43521Broken Link
http://security.gentoo.org/glsa/glsa-201207-10.xmlThird Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-275230-1Broken Link
http://support.apple.com/kb/HT4004Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5994+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v5996+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/newsgroups.php/newsgroups.php?v6055+gcups.bugsBroken Link, Patch, Vendor Advisory
http://www.cups.org/str.php?L3200Broken Link, Patch, Vendor Advisory
http://www.debian.org/security/2011/dsa-2176Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2010:073Broken Link
http://www.redhat.com/support/errata/RHSA-2009-1595.htmlBroken Link
http://www.securityfocus.com/bid/37048Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-906-1Third Party Advisory
http://www.vupen.com/english/advisories/2010/0173Broken Link
http://www.vupen.com/english/advisories/2011/0535Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=530111Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11183Broken Link
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00332.htmlMailing List

Timeline

Published: Nov 20, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-3553?

How severe is CVE-2009-3553?

CVE-2009-3553 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 3.91% probability of exploitation in the next 30 days.

How do I fix CVE-2009-3553?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-3553?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST