SB2026061742 - Multiple vulnerabilities in cups

Description

This security bulletin contains information about 3 vulnerabilities.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-55453)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the CUPS ipp backend status reporting path and scheduler PPD update handling when processing text printer-status attributes from a remote IPP printer. A remote attacker can return a crafted printer-status attribute containing injected newline characters and a forged PPD status line to execute arbitrary code.

Successful exploitation requires a CUPS queue that points to an attacker-controlled or compromised IPP printer, a Foomatic-backed PPD or filter profile that invokes foomatic-rip, and a later print job that uses the modified PPD. The demonstrated code execution occurs as user lp.

2) CRLF injection (CVE-ID: CVE-2026-55467)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of CRLF sequences in cupsdCreateJob option-string builder in scheduler/job.c when processing fax queue job attributes from the destination-uris collection. A remote user can submit a crafted print job with malicious destination-uri or pre-dial-string values to execute arbitrary code.

Exploitation requires a configured FAX-type queue. Where the downstream fax filter does not pass these values into a shell or modem command context, the realized impact is limited to injection into the filter option stream.

3) Link following (CVE-ID: CVE-2026-55480)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local privileged user to overwrite arbitrary root-owned files and escalate privileges.

The vulnerability exists due to improper link resolution before file access in copy_model() in scheduler/ipp.c when creating a predictable temporary PPD file in a group-writable temporary directory. A local privileged user can pre-create a symlink at the predicted tempfile path to overwrite arbitrary root-owned files and escalate privileges.

The issue depends on a predictable tempfile name derived from the sequential client connection identifier, and exploitation targets the add or modify printer code path.

Remediation

Install update from vendor's website.

References

• https://github.com/OpenPrinting/cups/security/advisories/GHSA-7hqf-mfhx-7r3v
• https://github.com/OpenPrinting/cups/security/advisories/GHSA-69qc-prxg-h2c7
• https://github.com/OpenPrinting/cups
• https://github.com/OpenPrinting/cups/security/advisories/GHSA-jj94-x3qh-ffp9