CVE-2026-34978

Name: CVE-2026-34978
Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1132716

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                       | Version             | Status
cups (PTS)     | bullseye                      | 2.3.3op2-3+deb11u8  | vulnerable
               | bullseye (security)           | 2.3.3op2-3+deb11u10 | vulnerable
               | bookworm, bookworm (security) | 2.4.2-3+deb12u9     | vulnerable
               | trixie                        | 2.4.10-3+deb13u2    | vulnerable
               | trixie (security)             | 2.4.10-3+deb13u1    | vulnerable
               | forky                         | 2.4.16-1            | vulnerable
               | sid                           | 2.4.17-1            | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
cups    | source | (unstable) | 2.4.17-1      |         |        | 1132716

Notes

[trixie] - cups <no-dsa> (Minor issue)
[bookworm] - cups <no-dsa> (Minor issue)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr
https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568 (v2.4.17)
