Alpine: ipptool, multiple cups packages: security update to 2.4.18-r0

medium Tenable Self-Hosted Container Security Plugin ID 440960

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-
insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user
to gain unauthorized access to restricted operations by using a user with a username that differs only in
case from an authorized user. At time of publication, there are no publicly available patches.
(CVE-2026-27447)

- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g.,
rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that
is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode
0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This
PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the
job cache and previously queued jobs disappear. At time of publication, there are no publicly available
patches. (CVE-2026-34978)

- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building
filter option strings from job attribute. At time of publication, there are no publicly available patches.
(CVE-2026-34979)

- OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In
versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client
can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-
border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and
reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A
follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as
/usr/bin/vim as lp. At time of publication, there are no publicly available patches. (CVE-2026-34980)

Solution

Update the cups library and its related packages to version 2.4.18-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-27447

https://security.alpinelinux.org/vuln/CVE-2026-34978

https://security.alpinelinux.org/vuln/CVE-2026-34979

https://security.alpinelinux.org/vuln/CVE-2026-34980

https://security.alpinelinux.org/vuln/CVE-2026-34990

https://security.alpinelinux.org/vuln/CVE-2026-39314

https://security.alpinelinux.org/vuln/CVE-2026-39316

Plugin Details

Severity: Medium

ID: 440960

Version: Revision 1.5

Type: Local

Published: 4/29/2026

Updated: 7/9/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.46

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

CVSS Score Source: CVE-2026-27447

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2026-34980

CVSS v4

Risk Factor: Medium

Base Score: 6.1

Threat Score: 5.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-34980

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/3/2026

Exploitable With

Core Impact

Reference Information

CVE: CVE-2026-27447, CVE-2026-34978, CVE-2026-34979, CVE-2026-34980, CVE-2026-34990, CVE-2026-39314, CVE-2026-39316