CVE-2026-34978

Name	CVE-2026-34978
Description	OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1132716

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cups (PTS)	bullseye	2.3.3op2-3+deb11u8	vulnerable
	bullseye (security)	2.3.3op2-3+deb11u10	vulnerable
	bookworm, bookworm (security)	2.4.2-3+deb12u9	vulnerable
	trixie	2.4.10-3+deb13u2	vulnerable
	trixie (security)	2.4.10-3+deb13u1	vulnerable
	forky, sid	2.4.16-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
cups	source	(unstable)	(unfixed)			1132716

Notes

[trixie] - cups <no-dsa> (Minor issue)
[bookworm] - cups <no-dsa> (Minor issue)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr