CVE-2026-34980
published 2026-04-03CVE-2026-34980: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd…
PriorityP346high7.5CVSS 3.1
AVAACHPRNUINSUCHIHAH
EPSS
0.50%
39.1th percentile
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups | — | — |
| msrc | azl3_cups_2.4.16-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cups_2.3.3op2-11_on_cbl_mariner_2.0 | — | — |
| openprinting | cups | <= 2.4.16 | — |
| ubuntu | cups | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.06.1MEDIUMCVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv6.1MEDIUM
vendor_ubuntu6.3MEDIUM
vendor_debian6.1MEDIUM
vendor_msrc6.1MEDIUM
vendor_redhat6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
CUPS regression
vendor_ubuntu·2026-06-15·CVSS 6.3
CVE-2026-27447 [MEDIUM] CUPS regression
Title: CUPS regression
Summary: USN-8405-1 introduced a regression in CUPS
USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a
regression that cause CUPS to crash when parsing certain large printer PPD
files. This update fixes the problem.
Original advisory details:
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly ha
Ubuntu
CUPS vulnerabilities
vendor_ubuntu·2026-06-08·CVSS 6.3
CVE-2026-41079 [MEDIUM] CUPS vulnerabilities
Title: CUPS vulnerabilities
Summary: Several security issues were fixed in CUPS.
Ariel Silver discovered that CUPS incorrectly handled username comparisons
during authorization checks. A local attacker could possibly use this issue
to gain unauthorized access to restricted operations. (CVE-2026-27447)
Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled
notify-recipient-uri values in the RSS notifier. A remote attacker could
possibly use this issue to overwrite lp-writable files and cause a denial
of service. (CVE-2026-34978)
Jacob Newman discovered that CUPS incorrectly handled filter option strings
when processing job attributes. An attacker could use this issue to cause
CUPS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-34979
Red Hat
cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
vendor_redhat·2026-04-03·CVSS 6.1
CVE-2026-34980 [MEDIUM] CWE-78 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, ther
Microsoft
OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
vendor_msrc·2026-04-02·CVSS 6.1
CVE-2026-34980 [MEDIUM] CWE-20 OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Debian
CVE-2026-34980: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
vendor_debian·2026·CVSS 6.1
CVE-2026-34980 [MEDIUM] CVE-2026-34980: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
OSV
CVE-2026-34980: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
osv·2026-04-03·CVSS 6.1
CVE-2026-34980 [MEDIUM] CVE-2026-34980: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
blogs_hackernews·2026-04-06
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers —Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Wiz
CVE-2026-34980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34980 [MEDIUM] CVE-2026-34980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34980 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Source : NV
Wiz
CVE-2026-34979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-34979 [MEDIUM] CVE-2026-34979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34979 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.
Source : NVD
## 5.3
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
OpenPrinting CUPS
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cups-filesystem
cups-libs
Sources
NVD
Debia
Wiz
CVE-2026-39316 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-39316 [MEDIUM] CVE-2026-39316 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39316 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
Source : NVD
## 4
Score
Published April 7, 2026
Wiz
CVE-2026-34990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34990 [MEDIUM] CVE-2026-34990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34990 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are
Wiz
CVE-2026-27447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-27447 [MEDIUM] CVE-2026-27447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27447 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
Source : NVD
## 4.8
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
OpenPrinting CUPS
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV R
Wiz
CVE-2026-39314 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-39314 [MEDIUM] CVE-2026-39314 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39314 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Source : NVD
##
Wiz
CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34978 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly av
Bugzilla
CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
bugzilla·2026-04-03·CVSS 6.1
CVE-2026-34980 [MEDIUM] CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of pu
Bugzilla
CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network [fedora-all]
bugzilla·2026-04-03·CVSS 6.1
CVE-2026-34980 [MEDIUM] CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network [fedora-all]
CVE-2026-34980 cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-bce5853e95 (cups-2.4.17-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-bce5853e95
---
FEDORA-2026-82a2214b53 (cups-2.4.17-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-82a2214b53
---
FEDORA-2026-34454fdb74 (cups-2.4.17-1.fc42) has been submitted as an update to Fedora 42.
2026-04-03
Published