SB20260424301 - SUSE update for cups




Published: April 24, 2026

Security Bulletin ID: SB20260424301
Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 50% Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-34980)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in CUPS PostScript queue processing when handling Print-Job requests with crafted page-border attributes. A remote attacker can send a specially crafted Print-Job request containing a newline-injected page-border value to cause a PPD configuration injection, leading to arbitrary filter execution as the lp user.

The affected system must have a shared PostScript queue enabled and be exposed to the network. The attacker does not require authentication or prior privileges.


2) Improper input validation (CVE-ID: CVE-2026-34990)

The vulnerability allows a local user to execute arbitrary code with root privileges.

The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.

The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.
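
A configuration check an administrator could run while the update is being rolled out, added here as an example and not part of the bulletin or of CUPS: it parses printers.conf-style text and flags shared queues, and shared queues with a file: device URI, the conditions the two descriptions above name. The sample configuration is constructed, and treating a missing Shared line as shared is an assumption of the example.

```python
import re

# Constructed sample in printers.conf syntax (not taken from a real host).
SAMPLE_PRINTERS_CONF = """\
<Printer office_ps>
DeviceURI socket://192.0.2.10:9100
Shared Yes
</Printer>
<Printer scratch>
DeviceURI file:///tmp/out.prn
Shared Yes
</Printer>
<DefaultPrinter local_only>
DeviceURI usb://Example/Printer
Shared No
</DefaultPrinter>
"""

BLOCK_OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
BLOCK_CLOSE = re.compile(r"^</(?:Default)?Printer>$")

def parse_queues(text):
    """Return {queue name: {directive: value}} from printers.conf-style text."""
    queues, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            current = queues.setdefault(opened.group(1), {})
        elif BLOCK_CLOSE.match(line):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return queues

def audit(text):
    """Flag queues matching the exposure conditions named in the bulletin."""
    findings = []
    for name, cfg in sorted(parse_queues(text).items()):
        # A missing Shared line counts as shared: conservative assumption of this example.
        shared = cfg.get("Shared", "yes").lower() in ("yes", "true", "on")
        scheme = cfg.get("DeviceURI", "").partition(":")[0].lower()
        if shared:
            findings.append((name, "SHARED_FILE_URI" if scheme == "file" else "SHARED"))
    return findings
```

A SHARED finding still needs a manual check of whether the queue is a PostScript queue reachable from the network, since printers.conf alone does not show that.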


Remediation

Install update from vendor's website.