Cyber Posture

CVE-2024-11346

High

Published: 13 February 2025

Modified: 15 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11346 is a high-severity Type Confusion (CWE-843) vulnerability in Lexmark International CX (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, it is ranked at the 9.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the type confusion vulnerability by identifying, prioritizing, and applying Lexmark firmware patches for affected Postscript interpreter modules.

prevent

Validates Postscript inputs to block crafted malicious inputs that exploit the type confusion for resource injection.

prevent

Implements memory protections like non-executable memory and ASLR to mitigate exploitation outcomes of the type confusion vulnerability.

NVD Description

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Lexmark International CX, XC, CS, et. Al. (Postscript interpreter modules) allows Resource Injection. This issue affects CX, XC, CS, et. Al.: from 001.001:0 through 081.231, from *.*.P001 through *.*.P233, from *.*.P001 through *.*.P759, from *.*.P001 through *.*.P836.

Deeper analysis AI

CVE-2024-11346 is a Type Confusion vulnerability (CWE-843: Access of Resource Using Incompatible Type) in the Postscript interpreter modules of Lexmark International printers, including CX, XC, CS, and related models. This flaw enables Resource Injection and affects firmware versions from 001.001:0 through 081.231, as well as ranges *.*.P001 through *.*.P233, *.*.P001 through *.*.P759, and *.*.P001 through *.*.P836. The vulnerability was published on 2025-02-13 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low barriers to exploitation.

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction; attack complexity is low and the scope is unchanged. Successful exploitation has limited impact on confidentiality, integrity, and availability, potentially enabling attackers to inject malicious resources via crafted Postscript inputs processed by the affected interpreter modules.

For mitigation details, refer to Lexmark's security advisories at https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html, which provide guidance on patches and workarounds for vulnerable devices.

Details

CWE(s)

Affected Products

Lexmark International CX (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-25537 (shared CWE-843)
CVE-2026-5865 (shared CWE-843)
CVE-2026-4702 (shared CWE-843)
CVE-2025-21342 (shared CWE-843)
CVE-2025-53144 (shared CWE-843)
CVE-2025-10585 (shared CWE-843)
CVE-2026-20860 (shared CWE-843)
CVE-2026-40683 (shared CWE-843)
CVE-2026-24874 (shared CWE-843)
CVE-2026-5871 (shared CWE-843)

References