CVE-2026-34978
Published 2026-04-03
Priority: P3 / 40 / medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.41% (32.4th percentile)
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups | — | — |
| msrc | azl3_cups_2.4.16-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cups_2.3.3op2-11_on_cbl_mariner_2.0 | — | — |
| openprinting | cups | <= 2.4.16 | — |
| ubuntu | cups | — | — |
CVSS provenance
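| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
| vendor_ubuntu | 6.3 | MEDIUM | — |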
Ubuntu
CUPS regression
vendor_ubuntu·2026-06-15·CVSS 6.3
CVE-2026-27447 [MEDIUM] CUPS regression
Title: CUPS regression
Summary: USN-8405-1 introduced a regression in CUPS
USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a
regression that caused CUPS to crash when parsing certain large printer PPD
files. This update fixes the problem.
Original advisory details:
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly ha
Ubuntu
CUPS vulnerabilities
vendor_ubuntu·2026-06-08·CVSS 6.3
CVE-2026-41079 [MEDIUM] CUPS vulnerabilities
Title: CUPS vulnerabilities
Summary: Several security issues were fixed in CUPS.
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly handled filter option strings
when processing job attributes. An attacker could use this issue to cause
CUPS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-34979
Red Hat
cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier
vendor_redhat·2026-04-03·CVSS 6.5
CVE-2026-34978 [MEDIUM] CWE-22 cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly a
Microsoft
OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
vendor_msrc·2026-04-02·CVSS 6.5
CVE-2026-34978 [MEDIUM] CWE-22 OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Debian
CVE-2026-34978: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
vendor_debian·2026·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: o
OSV
CVE-2026-34978: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
osv·2026-04-03·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34980 [MEDIUM] CVE-2026-34980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34980: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Source : NV
Wiz
CVE-2026-34979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34979 [MEDIUM] CVE-2026-34979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34979: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.
Source : NVD
Score: 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
OpenPrinting CUPS
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cups-filesystem
cups-libs
Sources
NVD
Debia
Wiz
CVE-2026-34990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34990 [MEDIUM] CVE-2026-34990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34990: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are
Wiz
CVE-2026-27447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-27447 [MEDIUM] CVE-2026-27447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27447: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
Source : NVD
Score: 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
OpenPrinting CUPS
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV R
Wiz
CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34978: OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly av
Bugzilla
CVE-2026-34978 cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier [fedora-all]
bugzilla·2026-04-03·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978 cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-7d1173fd68 (cups-2.4.17-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-7d1173fd68
---
FEDORA-2026-bce5853e95 (cups-2.4.17-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-bce5853e95
---
FEDORA-2026-82a2214b53 (cups-2.4.17-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-
2026-04-03
Published