#VU124815 Improper input validation in cups - CVE-2026-34978

Published: April 2, 2026


Vulnerability identifier: #VU124815
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34978
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: cups
Software vendor: OpenPrinting

Description

The vulnerability allows a remote attacker to overwrite arbitrary files within the CUPS CacheDir, including critical state files such as job.cache.

The vulnerability exists due to improper path validation in the RSS notifier component when processing attacker-controlled notify-recipient-uri values in IPP subscription requests. A remote attacker can send a specially crafted IPP request with a notify-recipient-uri containing directory traversal sequences (e.g., "rss:///../job.cache") to overwrite files outside the intended CacheDir/rss directory, leading to integrity and availability impacts.

The vulnerability specifically affects systems where the RSS notifier is enabled and untrusted clients can submit IPP Print-Job or Create-Printer-Subscription requests with subscription attributes. In the default configuration, CacheDir is group-writable (root:lp, 0770), so the notifier, which runs as the lp user, can replace root-managed files through its atomic rename operations.
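The root cause described above is a missing path check on the resource part of the notify-recipient-uri before it is joined to CacheDir/rss. The following is an added example of what such a check can look like, written for this page and not taken from CUPS; the function name rss_cache_path, the decision to accept only the "rss:///name" form, and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode one hex digit, or return -1 for a non-hex character. */
static int hex_val(int c)
{
  if (c >= '0' && c <= '9') return c - '0';
  c = tolower(c);
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  return -1;
}

/* Hypothetical hardened mapping of an RSS notify-recipient-uri to a file
 * under <cachedir>/rss. Only the "rss:///name" form (empty authority) is
 * accepted; anything else is rejected. Returns 0 and fills `out` on
 * success, -1 when the URI must not be used. */
int rss_cache_path(const char *uri, const char *cachedir, char *out, size_t outlen)
{
  char name[256];
  size_t n = 0, i;
  const char *p;
  if (strncmp(uri, "rss:", 4) != 0) return -1;
  p = uri + 4;
  while (*p == '/') p++;            /* drop "//" (empty authority) and leading "/" */
  /* Percent-decode first so the check sees the bytes the filesystem will see. */
  for (; *p && n < sizeof(name) - 1; p++) {
    int c = (unsigned char)*p;
    if (c == '%') {
      int hi = hex_val((unsigned char)p[1]);
      int lo = hi < 0 ? -1 : hex_val((unsigned char)p[2]);
      if (lo < 0) return -1;        /* malformed escape */
      c = hi * 16 + lo;
      p += 2;
    }
    name[n++] = (char)c;
  }
  if (*p) return -1;                /* resource too long */
  name[n] = '\0';
  /* Exactly one path component: no separators, no "." or "..", safe charset. */
  if (n == 0 || strchr(name, '/') || strchr(name, '\\') ||
      !strcmp(name, ".") || !strcmp(name, ".."))
    return -1;
  for (i = 0; i < n; i++)
    if (!isalnum((unsigned char)name[i]) && !strchr("-_.", name[i])) return -1;
  if (snprintf(out, outlen, "%s/rss/%s", cachedir, name) >= (int)outlen) return -1;
  return 0;
}
```

The path check is only one layer: the advisory's second point, that CacheDir is group-writable for lp, is what turns a write in the wrong place into an overwrite of root-managed state, so the directory permissions deserve the same review.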


Remediation

Install the security update from the vendor's website.

External links