HP Linux Imaging and Printing (HPLIP) shipped version 3.26.4 on May 23 with fixes for two CVEs. The first one is critical.

CVE-2026-8631 (CVSS 9.3, Critical) is a command injection vulnerability with a network attack vector and no authentication requirement. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N. That means no user interaction, no credentials, no local access. If HPLIP is reachable on the network, the path to arbitrary code execution is short.

CVE-2026-8632 (CVSS 8.5, High) is a buffer overflow. The attack vector is local and requires low privileges, which puts it in a different threat category, but it is still a privilege escalation path and should be treated as one.

Both were reported by Mohamed Lemine Ahmed Jidou (AegisSec) and Aisle Research.

Why this reaches more machines than you might think

HPLIP is the default HP printer driver on essentially every major Linux desktop distribution -- Ubuntu, Debian, Fedora, Arch. It is installed by default on most systems where the user has ever connected an HP printer, and often stays installed long after the printer is gone.

In office environments, printer-sharing servers run HPLIP with network exposure as a basic requirement. That is the exact configuration CVE-2026-8631 targets.

The advisory does not specify which versions prior to 3.26.4 are affected. Assume any version before 3.26.4 is vulnerable.

What to do

Update to HPLIP 3.26.4. The patch is available from HP's developer site and via the package manager on affected distributions.

# Debian/Ubuntu
sudo apt-get update && sudo apt-get install hplip

# Fedora
sudo dnf update hplip

# Arch
sudo pacman -Syu hplip

# Verify the installed version (use the command for your distribution)
dpkg -l hplip | grep hplip    # Debian/Ubuntu
rpm -q hplip                  # Fedora
pacman -Q hplip               # Arch

If you run HPLIP on a shared printer server that is not directly reachable from untrusted networks, CVE-2026-8631 is lower risk -- but lower risk is not no risk. Update regardless.

If you cannot update immediately, restrict network access to the HPLIP port at the firewall level until the update can be applied.
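As an added example (not part of the advisory or of HPLIP itself), the following POSIX shell script turns the "verify" step into a check that classifies the installed hplip package as vulnerable or patched against the 3.26.4 threshold, stripping distribution packaging suffixes and comparing version components numerically rather than as strings. It assumes only dpkg-query, rpm or pacman is present, depending on the distribution.

```shell
#!/bin/sh
# Added example: report whether the installed HPLIP is older than the fixed
# release 3.26.4 (the advisory gives no lower bound, so anything older counts).
FIXED_VERSION="3.26.4"

# Print the raw package version of hplip, or nothing if it is not installed.
installed_hplip_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' hplip 2>/dev/null || true
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' hplip 2>/dev/null || true
  elif command -v pacman >/dev/null 2>&1; then
    pacman -Q hplip 2>/dev/null | awk '{print $2}' || true
  fi
}

# Reduce a distro version string ("1:3.22.10+dfsg0-5ubuntu1") to the upstream
# dotted version ("3.22.10") by dropping the epoch and any -/+/~ suffix.
upstream_version() {
  printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# Return 0 (true) when dotted version $1 is older than $2. Components are
# compared as integers so that 3.9.4 sorts before 3.26.4 (a plain string
# comparison would get this wrong). Missing components count as 0.
version_older_than() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i"); y=$(printf '%s.' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Classify a raw package version string as "vulnerable" or "patched".
hplip_status() {
  v=$(upstream_version "$1")
  if version_older_than "$v" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Check the live system: prints e.g. "hplip 3.22.10+dfsg0-5ubuntu1: vulnerable".
main() {
  raw=$(installed_hplip_version)
  if [ -z "$raw" ]; then echo "hplip not installed"; return 0; fi
  echo "hplip $raw: $(hplip_status "$raw")"
}
main "$@"
```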

Peripheral drivers as an attack surface

Printer and scanner driver stacks have a history of sitting outside the normal patch cadence. They get installed, forgotten, and left running. CUPS vulnerabilities in 2024 showed the same pattern: software that processes network requests on behalf of hardware, installed broadly, updated rarely.

For a related look at how coordinated multi-CVE releases are structured across Linux software, see rsync 3.4.3 patches six CVEs, two reachable without daemon mode.
Sources: oss-security advisory; HPLIP 3.26.4 download