VDB

DEBIAN-CVE-2026-34980

DEBIAN-CVE-2026-34980 PUBLISHED CVSS 7.5 HIGH

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Debian:14cups2.4.14-1, 2.4.15-1, 2.4.16-1
Debian:13cups2.4.15-1, 2.4.16-1, 2.4.17-1
Debian:12cups2.4.17-1, 2.4.18-1, 2.4.2-3
Debian:11cups2.4.2-6, 0, 2.3.3op2-3+deb11u1

Exploit Intelligence

Timeline

  • Apr 3, 2026 CVE Published
  • May 15, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›