SB2026052769 - SUSE update for cups




Published: May 27, 2026

Security Bulletin ID: SB2026052769
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 13%, Medium: 25%, Low: 63%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-27447)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain unauthorized access to restricted operations.

The vulnerability exists due to improper access control in the CUPS daemon (cupsd) when performing authorization checks. A remote privileged user can exploit case-insensitive username comparison during group-member lookup to gain unauthorized access to restricted operations.

User interaction is required to exploit this vulnerability.


2) Improper input validation (CVE-ID: CVE-2026-34978)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to overwrite arbitrary files within the CUPS CacheDir, including critical state files such as job.cache.

The vulnerability exists due to improper path validation in the RSS notifier component when processing attacker-controlled notify-recipient-uri values in IPP subscription requests. A remote attacker can send a specially crafted IPP request with a notify-recipient-uri containing directory traversal sequences (e.g., "rss:///../job.cache") to overwrite files outside the intended CacheDir/rss directory, leading to integrity and availability impacts.

The vulnerability specifically affects systems where the RSS notifier is enabled and untrusted clients can submit IPP Print-Job or Create-Printer-Subscription requests with subscription attributes. The default configuration with group-writable CacheDir (root:lp, 0770) enables overwriting of root-managed files via atomic rename operations performed by the lp-running notifier.
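
A containment check of the kind this traversal calls for, as an added example (not CUPS source code and not the vendor's fix). The function name `rss_feed_path`, the `/var/cache/cups` directory and the feed file names are assumptions made for illustration; the resource is assumed to be the already percent-decoded path of the notify-recipient-uri.

```c
#include <stdio.h>
#include <string.h>

/* Builds <cachedir>/rss/<resource> in out. Returns 0 on success, -1 when the
 * resource could leave the rss directory or the result does not fit.
 * Assumption: resource is the already percent-decoded URI path. */
static int rss_feed_path(const char *cachedir, const char *resource,
                         char *out, size_t outsize)
{
  const char *s;
  int n;

  if (!cachedir || !resource || !out || outsize == 0)
    return -1;
  while (*resource == '/')                 /* drop leading slashes */
    resource++;
  if (!*resource)
    return -1;                             /* no file name given */

  for (s = resource; *s; ) {
    size_t i, len = strcspn(s, "/");
    if (len == 0)
      return -1;                           /* empty segment ("//") */
    if (s[0] == '.' && (len == 1 || (len == 2 && s[1] == '.')))
      return -1;                           /* "." or ".." segment */
    for (i = 0; i < len; i++)
      if ((unsigned char)s[i] < 0x20 || s[i] == 0x7f || s[i] == '\\')
        return -1;                         /* control chars, backslash */
    s += len;
    if (*s == '/' && *++s == '\0')
      return -1;                           /* trailing slash */
  }
  n = snprintf(out, outsize, "%s/rss/%s", cachedir, resource);
  return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
  /* Constructed inputs; the second is the form quoted in the bulletin. */
  const char *tests[] = { "/printer-events.rss", "/../job.cache",
                          "/a/../../job.cache" };
  char path[256];
  for (size_t i = 0; i < 3; i++)
    printf("%-22s -> %s\n", tests[i],
           rss_feed_path("/var/cache/cups", tests[i], path, sizeof(path)) ? "rejected" : path);
  return 0;
}
```

The check is purely lexical, so it does not cover symbolic links inside the directory or the group-writable CacheDir permissions mentioned above.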


3) Heap-based buffer overflow (CVE-ID: CVE-2026-34979)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the CUPS scheduler when processing IPP job attributes. A remote attacker can send a specially crafted IPP request with large URI attributes to trigger a heap-based buffer overflow in the `get_options()` function, leading to memory corruption and a crash of the `cupsd` service.

The vulnerability specifically arises because the size calculation for the options string uses `ipp_length()`, which excludes URI attributes, but the serialization process still writes URI attributes such as `job-uuid` and `job-authorization-uri` without bounds checking.
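
The sizing/serialization mismatch described above, modelled as an added example (not CUPS source code). The `struct attr` type, the tag enum and the function names are hypothetical and the attribute values are constructed; the writer checks the remaining space before every append, so a buffer sized without URI attributes is refused instead of overrun.

```c
#include <stdio.h>
#include <string.h>

enum tag { TAG_KEYWORD, TAG_URI };   /* hypothetical, not CUPS' ipp_tag_t */
struct attr { enum tag tag; const char *name, *value; };
/* Constructed sample: one keyword attribute and one URI attribute. */
static const struct attr sample[] = {
  { TAG_KEYWORD, "copies", "2" },
  { TAG_URI, "job-uuid", "urn:uuid:00000000-0000-0000-0000-000000000000" },
};

/* Bytes one attribute occupies when written as "name=value ". */
static size_t attr_len(const struct attr *a) { return strlen(a->name) + strlen(a->value) + 2; }

/* Sizing pass. skip_uri=1 models the mismatch described above: URI
 * attributes are left out of the total although the writer emits them. */
static size_t options_size(const struct attr *a, size_t n, int skip_uri)
{
  size_t total = 1;                         /* terminating NUL */
  for (size_t i = 0; i < n; i++)
    if (!(skip_uri && a[i].tag == TAG_URI))
      total += attr_len(&a[i]);
  return total;
}

/* Writing pass: emits every attribute and checks the remaining space
 * before each append. Returns bytes written (without NUL), or -1. */
static long write_options(const struct attr *a, size_t n, char *buf, size_t size)
{
  size_t used = 0;
  if (size == 0) return -1;
  buf[0] = '\0';
  for (size_t i = 0; i < n; i++) {
    size_t need = attr_len(&a[i]);
    if (need >= size - used)
      return -1;                            /* attribute plus NUL will not fit */
    snprintf(buf + used, size - used, "%s=%s ", a[i].name, a[i].value);
    used += need;
  }
  return (long)used;
}

int main(void)
{
  char buf[128];
  printf("sized without URIs: %ld\n", write_options(sample, 2, buf, options_size(sample, 2, 1)));
  printf("sized with URIs:    %ld\n", write_options(sample, 2, buf, options_size(sample, 2, 0)));
  return 0;
}
```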


4) Improper input validation (CVE-ID: CVE-2026-34980)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in CUPS PostScript queue processing when handling Print-Job requests with crafted page-border attributes. A remote attacker can send a specially crafted Print-Job request containing a newline-injected page-border value to cause a PPD configuration injection, leading to arbitrary filter execution as the lp user.

The affected system must have a shared PostScript queue enabled and be exposed to the network. The attacker does not require authentication or prior privileges.


5) Improper input validation (CVE-ID: CVE-2026-34990)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code with root privileges.

The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.

The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.


6) Integer underflow (CVE-ID: CVE-2026-39314)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer underflow in _ppdCreateFromIPP() in cups/ppd-cache.c when processing a negative job-password-supported IPP attribute. A local user can supply a crafted IPP response to cause a denial of service.

Exploitation involves creating a local printer that points to a fake IPP printer on localhost, causing the cupsd root process to crash.


7) Use-after-free (CVE-ID: CVE-2026-39316)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use-after-free in cupsdDeleteTemporaryPrinters() in scheduler/printers.c when deleting temporary printers that still have subscriptions referencing them. A local user can create a temporary printer with a subscription and trigger a dereference of the dangling subscription pointer to execute arbitrary code.

The dangling pointer is subsequently dereferenced at multiple code sites in the scheduler, and the advisory confirms denial of service with potential code execution through heap grooming.


8) Out-of-bounds read (CVE-ID: CVE-2026-41079)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in the CUPS SNMP backend when processing crafted SNMP responses during supply-level polling. A remote attacker can send a specially crafted SNMP response to disclose sensitive information.

The leaked memory is converted from UTF-16 to UTF-8 and becomes visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. Exploitation requires an SNMP-discovered printer on the same LAN segment.


Remediation

Install the update from the vendor's website.