Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-
insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user
to gain unauthorized access to restricted operations by using a user with a username that differs only in
case from an authorized user. At time of publication, there are no publicly available patches.
(CVE-2026-27447)
- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g.,
rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that
is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode
0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This
PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the
job cache and previously queued jobs disappear. At time of publication, there are no publicly available
patches. (CVE-2026-34978)
- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building
filter option strings from job attribute. At time of publication, there are no publicly available patches.
(CVE-2026-34979)
- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client
can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-
border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and
reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A
follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as
/usr/bin/vim as lp. At time of publication, there are no publicly available patches. (CVE-2026-34980)
Solution
Update the cups library and its related packages to version 2.4.18-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N
Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 4/3/2026
Exploitable With
Core Impact