
From the last image in the article:

> 3. Command execution (cups-browsed, cups-filters): 9.9

> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L - CWE-94



This is strictly a miscalculation/fudge.

In isolation (which is what CVSS is all about) this is not a network exploitable vulnerability, even if you can craft an attack chain which exploits it over the network.

So:

AV:N -> AV:L - reason above

AC:L - correct

PR:N -> PR:L - to exploit this you need to get cups to process a PPD file. Ignoring how it got there, writing a PPD file requires low privileges on the local machine (unless I'm wrong and you can't add a printer to cups as a local user by default, in which case this becomes PR:H with an overall score of 7.7). These might be fulfilled by another component of the attack chain, but again, you need to strictly think in terms of the vulnerability in a vacuum.

UI:N -> UI:R - that a user must perform a task after you begin exploitation in order for the exploit to complete is a classical example of required user interaction

S:C - correct, attacking cups and getting root on the whole machine is considered a scope change

C:L -> C:H - Running arbitrary code as root on a machine is a total breach of all confidentiality of the local machine, so not sure why this was marked as low.

I:H - correct

A:L -> A:H - Running arbitrary code as root on a machine lets you do anything to completely disable it permanently. Availability impact is high.

In summary a score of 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) for CVE-2024-47177 in a vacuum.


But it seems like User Interaction is required.


Printing something at some point arbitrarily later on the system is almost certainly not classed as User Interaction in this sense.


Yeah, I guess you're right, for CUPS it might be 9.9. My other added points about it being a vastly overblown exploit still stand.



