Improper input validation in cups - CVE-2026-34990

 


Published: April 2, 2026 / Updated: April 17, 2026


Vulnerability identifier: #VU124811
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34990
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenPrinting
Affected software: cups

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code with root privileges.

The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.

The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.


How to mitigate CVE-2026-34990

Install the security update from the vendor's website.
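
To check whether a host already carries a queue of the kind described above, this added example (not part of the advisory and not OpenPrinting code) parses CUPS `printers.conf` and reports queues whose `DeviceURI` uses the `file:` scheme, ranking shared ones higher. It assumes the stock `<Printer name> ... </Printer>` block syntax; the sample data is constructed, and the function name `audit_printers_conf` is chosen here.

```python
"""Audit a CUPS printers.conf for queues backed by a file: device URI."""
import re
import sys
from urllib.parse import urlsplit

# Constructed sample in printers.conf syntax (not taken from a real host).
SAMPLE = """\
<Printer office-laser>
DeviceURI ipp://printer.example.internal/ipp/print
Shared Yes
</Printer>
<Printer tmp-queue>
DeviceURI file:///tmp/constructed-output.prn
Shared Yes
</Printer>
<DefaultPrinter null-sink>
DeviceURI file:/dev/null
Shared No
</DefaultPrinter>
"""

OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
CLOSE = re.compile(r"^</(?:Default)?Printer>$")

def audit_printers_conf(text):
    """Return one finding dict per queue whose DeviceURI uses the file: scheme."""
    findings, name, attrs = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            name, attrs = m.group(1), {}
        elif CLOSE.match(line) and name is not None:
            uri = attrs.get("deviceuri", "")
            parts = urlsplit(uri)
            shared = attrs.get("shared", "").lower() == "yes"
            # file:/dev/null is a harmless sink, so it is not reported.
            if parts.scheme.lower() == "file" and parts.path != "/dev/null":
                findings.append({"printer": name, "uri": uri, "shared": shared})
            name = None
        elif name is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            attrs[key.lower()] = value.strip()
    return findings

if __name__ == "__main__":
    # Pass a path such as /etc/cups/printers.conf; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_printers_conf(text):
        level = "HIGH" if f["shared"] else "REVIEW"
        print(f"{level}: {f['printer']} -> {f['uri']} (shared={f['shared']})")
```

A finding is a prompt to confirm the queue was created deliberately by an administrator; it is not by itself proof of exploitation.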
