#VU124811 Improper input validation in cups - CVE-2026-34990

 


Published: April 2, 2026 / Updated: April 17, 2026


Vulnerability identifier: #VU124811
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34990
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: cups
Software vendor: OpenPrinting

Description

The vulnerability allows a local user to execute arbitrary code with root privileges.

The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.

The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.


Remediation

Install the security update from the vendor's website.
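A defender-side check for the condition described above, as an added example that is not part of this advisory or of OpenPrinting's code: it parses printers.conf-style text and reports print queues whose device URI uses the file: scheme, noting whether each is shared. The function name and the sample configuration are constructed for illustration, and treating file:/dev/null as harmless is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in printers.conf layout (not taken from a real system).
SAMPLE_PRINTERS_CONF = """\
<DefaultPrinter office>
DeviceURI ipp://printer.example.internal/ipp/print
Shared Yes
</DefaultPrinter>
<Printer scratch>
DeviceURI file:///dev/null
Shared No
</Printer>
<Printer tmpq>
DeviceURI file:///tmp/constructed-output
Shared Yes
</Printer>
"""

BLOCK_START = re.compile(r"^<(?:Default)?Printer\s+([^>]+)>$")
BLOCK_END = re.compile(r"^</(?:Default)?Printer>$")


def find_file_uri_queues(conf_text):
    """Return [(queue, device_uri, shared)] for queues backed by a file: URI."""
    findings, name, attrs = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = BLOCK_START.match(line)
        if start:
            name, attrs = start.group(1).strip(), {}
        elif BLOCK_END.match(line) and name is not None:
            uri = attrs.get("deviceuri", "")
            parsed = urlparse(uri)
            # Assumption: file:/dev/null is a harmless sink; any other target is flagged.
            if parsed.scheme.lower() == "file" and parsed.path != "/dev/null":
                shared = attrs.get("shared", "").lower() in ("yes", "true", "on")
                findings.append((name, uri, shared))
            name = None
        elif name is not None:
            key, _, value = line.partition(" ")
            attrs[key.lower()] = value.strip()
    return findings


if __name__ == "__main__":
    print(find_file_uri_queues(SAMPLE_PRINTERS_CONF))
```

On a host, pass the function the contents of the CUPS printers.conf file (usually /etc/cups/printers.conf, readable by root) and review any queue it reports, shared ones first.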

External links