SB20260417111 - Fedora 42 update for cups

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260417111

SB20260417111 - Fedora 42 update for cups

Published: April 17, 2026

Security Bulletin ID SB20260417111
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-39316)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use-after-free in cupsdDeleteTemporaryPrinters() in scheduler/printers.c when deleting temporary printers that still have subscriptions referencing them. A local user can create a temporary printer with a subscription and trigger dereference of the dangling subscription pointer to execute arbitrary code.

The dangling pointer is subsequently dereferenced at multiple code sites in the scheduler, and the advisory confirms denial of service with potential code execution through heap grooming.


2) Integer underflow (CVE-ID: CVE-2026-39314)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer underflow in _ppdCreateFromIPP() in cups/ppd-cache.c when processing a negative job-password-supported IPP attribute. A local user can supply a crafted IPP response to cause a denial of service.

Exploitation involves creating a local printer that points to a fake IPP printer on localhost, causing the cupsd root process to crash.


3) Heap-based buffer overflow (CVE-ID: CVE-2026-34979)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the CUPS scheduler when processing IPP job attributes. A remote attacker can send a specially crafted IPP request with large URI attributes to trigger a heap-based buffer overflow in the `get_options()` function, leading to memory corruption and a crash of the `cupsd` service.

The vulnerability specifically arises because the size calculation for the options string uses `ipp_length()`, which excludes URI attributes, but the serialization process still writes URI attributes such as `job-uuid` and `job-authorization-uri` without bounds checking.


4) Improper input validation (CVE-ID: CVE-2026-34990)

The vulnerability allows a local user to execute arbitrary code with root privileges.

The vulnerability exists due to improper access control in CUPS when processing IPP requests for creating local printers. A local user can send a specially crafted IPP request to create a temporary printer with a file:// URI and then promote it to a shared printer, bypassing device restrictions and causing the system to write arbitrary files as root. This can lead to arbitrary code execution with root privileges.

The attacker must have the ability to send requests to localhost:631 and bind to a local port. The attack involves a race condition during printer validation, which may require multiple attempts to succeed.


5) Incorrect authorization (CVE-ID: CVE-2026-27447)

The vulnerability allows a remote user to gain unauthorized access to restricted operations.

The vulnerability exists due to improper access control in the CUPS daemon (cupsd) when performing authorization checks. A remote privileged user can exploit case-insensitive username comparison during group-member lookup to gain unauthorized access to restricted operations.

User interaction is required to exploit this vulnerability.


6) Improper input validation (CVE-ID: CVE-2026-34978)

The vulnerability allows a remote attacker to overwrite arbitrary files within the CUPS CacheDir, including critical state files such as job.cache.

The vulnerability exists due to improper path validation in the RSS notifier component when processing attacker-controlled notify-recipient-uri values in IPP subscription requests. A remote attacker can send a specially crafted IPP request with a notify-recipient-uri containing directory traversal sequences (e.g., "rss:///../job.cache") to overwrite files outside the intended CacheDir/rss directory, leading to integrity and availability impacts.

The vulnerability specifically affects systems where the RSS notifier is enabled and untrusted clients can submit IPP Print-Job or Create-Printer-Subscription requests with subscription attributes. The default configuration with group-writable CacheDir (root:lp, 0770) enables overwriting of root-managed files via atomic rename operations performed by the lp-running notifier.


Remediation

Install update from vendor's website.

References