SB2026052033 - Anolis OS update for cups
Published: May 20, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2026-34978)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite arbitrary files within the CUPS CacheDir, including critical state files such as job.cache.
The vulnerability exists due to improper path validation in the RSS notifier component when processing attacker-controlled notify-recipient-uri values in IPP subscription requests. A remote attacker can send a specially crafted IPP request with a notify-recipient-uri containing directory traversal sequences (e.g., "rss:///../job.cache") to overwrite files outside the intended CacheDir/rss directory, leading to integrity and availability impacts.
The vulnerability specifically affects systems where the RSS notifier is enabled and untrusted clients can submit IPP Print-Job or Create-Printer-Subscription requests with subscription attributes. The default configuration, with a group-writable CacheDir (root:lp, 0770), enables overwriting of root-managed files via atomic rename operations performed by the notifier, which runs as lp.
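A containment check for the rss:// resource path described above, as an added example that is not CUPS code and not part of the bulletin. The function names and the /tmp/cache directory are hypothetical, and the resource is assumed to be already separated from the URI and percent-decoded by the caller.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CUPS source. `resource` is the path part of an rss://
 * notify-recipient-uri, assumed already split out and percent-decoded by the
 * caller. Returns 1 only if every segment stays below the rss directory.
 * Lexical check only: it does not detect symlinks placed inside the directory. */
int rss_resource_is_contained(const char *resource)
{
    const char *seg, *end;

    if (resource == NULL || resource[0] != '/' || resource[1] == '\0')
        return 0;                          /* must be "/name..." */

    for (seg = resource + 1; ; seg = end + 1) {
        size_t len;
        end = strchr(seg, '/');
        len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0)                      /* "//" or a trailing "/" */
            return 0;
        if (seg[0] == '.' && (len == 1 || (len == 2 && seg[1] == '.')))
            return 0;                      /* "." or ".." segment */
        if (end == NULL)
            return 1;                      /* last segment accepted */
    }
}

/* Builds "<cachedir>/rss<resource>" in out. Returns 0 on success, -1 when the
 * resource is rejected or the result would not fit in outsize bytes. */
int rss_build_path(const char *cachedir, const char *resource,
                   char *out, size_t outsize)
{
    int n;

    if (!rss_resource_is_contained(resource))
        return -1;
    n = snprintf(out, outsize, "%s/rss%s", cachedir, resource);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
    char path[256];

    /* constructed inputs: an ordinary feed name, then the bulletin's traversal */
    printf("%d\n", rss_build_path("/tmp/cache", "/feed.rss", path, sizeof(path)));
    printf("%d\n", rss_build_path("/tmp/cache", "/../job.cache", path, sizeof(path)));
    return 0;
}
```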
2) Heap-based buffer overflow (CVE-ID: CVE-2026-34979)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the CUPS scheduler when processing IPP job attributes. A remote attacker can send a specially crafted IPP request with large URI attributes to trigger a heap-based buffer overflow in the `get_options()` function, leading to memory corruption and a crash of the `cupsd` service.
The vulnerability specifically arises because the size calculation for the options string uses `ipp_length()`, which excludes URI attributes, but the serialization process still writes URI attributes such as `job-uuid` and `job-authorization-uri` without bounds checking.
3) Improper input validation (CVE-ID: CVE-2026-34980)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in CUPS PostScript queue processing when handling Print-Job requests with crafted page-border attributes. A remote attacker can send a specially crafted Print-Job request containing a newline-injected page-border value to cause a PPD configuration injection, leading to arbitrary filter execution as the lp user.
The affected system must have a shared PostScript queue enabled and be exposed to the network. The attacker does not require authentication or prior privileges.
Remediation
Install the update from the vendor's website.