Message-ID: <c7faf33c-7843-4569-89fc-279484c526dc@oracle.com>
Date: Tue, 7 Apr 2026 17:50:12 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Multiple CVEs disclosed in CUPS

https://heyitsas.im/posts/cups/ discloses:

> 1. CVE-2026-34980: Shared PostScript queue lets anonymous Print-Job requests
>    reach lp code execution over the network
> 
> 2. CVE-2026-34990: Local print admin token disclosure using temporary printers
> 
> At a high level, in the first vulnerability, the attacker:
> 
>  1. Submits a malicious print job to a shared PostScript queue,
>  2. Gets CUPS to treat attacker-controlled text as a trusted queue config by
>     abusing a parsing bug, and
>  3. Gets code execution as the CUPS service user, lp (vim in the PoC)
> 
> And in the second vulnerability, the attacker:
> 
>  1. Uses any* unprivileged local user to set up a localhost listener,
>  2. Creates a local printer object in CUPS, pointing it at the listener above,
>  3. Gets CUPS to authenticate to it and captures the auth token,
>  4. Creates another queue pointing at file:///... for the target rootful write,
>  5. Uses the token to race against CUPS validation logic’s cleanup of the
>     dangerous queue, and
>  6. Writes what they want into the target file:///... (/etc/sudoers.d/... in
>     the PoC)
> 
> * any unprivileged local user that can bind on some TCP port and reach the
>   local CUPS listener.
> 
> Are you affected? + Mitigation
> 
> The unauth’d RCE as lp (CVE-2026-34980) requires the CUPS server to be
> reachable over the network and expose a shared PostScript queue (these are
> legacy, but still used). This would be a deliberate config choice – realistic
> for, say, networked printing servers in your corporate environment, but not
> for your desktop (unless you for some reason set it up to be a remote printing
> server).
> 
> The LPE to root file (over)write (CVE-2026-34990), on the other hand, works
> on the stock CUPS config.
> 
> For both issues, the harm can be limited by a security module that confines
> CUPS (e.g., SELinux, AppArmor, etc.). So, if you run CUPS under a sane
> security policy (default on some distributions), the impact of both
> vulnerabilities is much less severe – e.g., no rootful file writes outside 
> the paths CUPS is constrained to touch.
> 
> As of 4/5/2026, there are public commits with fixes to both issues but no
> fixed release (latest being 2.4.16). So, your best mitigations are:
> 
>  * Do not expose CUPS over the network with a shared PostScript queue – or at all
>  * If you must use a shared queue, require auth for job submissions to that queue
>  * Make sure your CUPS runs under a reasonable AppArmor/SELinux/etc. policy,
>    so that the impact is minimized even if you are targeted

Further details, including how the bugs were found and the PoC, can be
found in the blog post at https://heyitsas.im/posts/cups/ and the article at
https://www.theregister.com/2026/04/06/ai_agents_cups_server_rce/

The CUPS maintainers have published advisories for the above at:

  CVE-2026-34980:
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf

  CVE-2026-34990:
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp

Additionally, in the past week they've also published advisories for:

  CVE-2026-27447: Authorization bypass via case-insensitive group-member lookup
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9

  CVE-2026-34978: Path traversal in RSS notify-recipient-uri enables file write
    outside CacheDir/rss (and clobbering of job.cache)
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr

  CVE-2026-34979: Heap overflow in `get_options()`
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh

  CVE-2026-39314: Integer underflow in `_ppdCreateFromIPP` causes root cupsd
    crash via negative `job-password-supported`
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-pp8w-2g52-7vj7

  CVE-2026-39316: Use-after-free in `cupsdDeleteTemporaryPrinters` via dangling
    subscription pointer
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg

  <no CVE>: Out-of-bounds heap read in cupsdSetPrinterAttr marker-types parsing
    https://github.com/OpenPrinting/cups/security/advisories/GHSA-qfp8-9frx-5j48

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
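As an added, constructed check (not from the advisory, the blog post or the CUPS project) for the mitigations quoted above: it scans cupsd.conf text for non-loopback listeners, `Browsing On`, and a default operation policy that accepts Print-Job without an `AuthType`/`Require` directive. Per-queue operation policies and sharing flags kept in printers.conf are outside its scope.

```python
# Constructed sample (not from the advisory): listens on every interface,
# advertises queues and accepts Print-Job without credentials.
WEAK_CONF = """\
Listen *:631
Browsing On
<Policy default>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""
# Constructed hardened counterpart: loopback only, job submission needs a login.
HARDENED_CONF = """\
Listen localhost:631
Browsing Off
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
</Policy>
"""
LOOPBACK = {"localhost", "127.0.0.1", "[::1]", "::1"}

def audit(conf):
    """Return findings for the exposure conditions the advisory warns about."""
    findings, policy, limit_ops, auth = [], None, None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        key, _, value = line.partition(" ")
        if key == "Port" or (key == "Listen" and not value.startswith("/")
                             and value.rsplit(":", 1)[0] not in LOOPBACK):
            findings.append(f"network listener: {line}")   # reachable off-host
        elif key == "Browsing" and value.lower() == "on":
            findings.append("Browsing On advertises shared queues")
        elif line.startswith("<Policy "):            # e.g. <Policy default>
            policy = line[8:-1]
            auth.setdefault(policy, {})
        elif line.startswith("<Limit ") and policy:  # operations in this block
            limit_ops = line[7:-1].split()
            auth[policy].update({op: False for op in limit_ops})
        elif limit_ops and (key == "Require" or key == "AuthType" and value != "None"):
            auth[policy].update({op: True for op in limit_ops})  # auth demanded
        elif line == "</Limit>":
            limit_ops = None
    ops = auth.get("default", {})
    # Print-Job falls back to <Limit All> when not listed explicitly.
    if not ops.get("Print-Job", ops.get("All", False)):
        findings.append("default policy accepts Print-Job without authentication")
    return findings
```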
