Skip to main content

Red Hat CVE-2026-34978

| EUVDEUVD-2026-18884 MEDIUM
Path Traversal (CWE-22)
2026-04-03 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 21:30 euvd
EUVD-2026-18884
Analysis Generated
Apr 03, 2026 - 21:30 vuln.today
CVE Published
Apr 03, 2026 - 21:15 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.

AnalysisAI

Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.

Technical ContextAI

OpenPrinting CUPS is a standards-compliant printing system built on the Internet Printing Protocol (IPP). The vulnerability resides in the RSS notifier component, which processes the notify-recipient-uri parameter submitted by remote IPP clients. The root cause (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from insufficient path validation in the notifier's handling of this parameter. The notifier runs under the 'lp' user account with file permissions inherited from CUPS' CacheDir (typically root:lp with mode 0770, group-writable). By injecting '../' sequences into the notify-recipient-uri (e.g., 'rss:///../job.cache'), an attacker can escape the intended rss subdirectory and write files to the parent CacheDir or other lp-accessible locations. The attacker can leverage atomic file operations (temp-file creation followed by rename) to overwrite existing files such as job.cache, which the CUPS scheduler (cupsd) parses on startup. Corruption of job.cache causes the scheduler to fail parsing and lose all queued jobs.

RemediationAI

At time of analysis, no vendor-released patch has been identified. Organizations should monitor https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr for patch availability and subsequent release of a patched CUPS version. Interim mitigation strategies include: (1) restrict network access to CUPS listening ports (typically 631/tcp) via firewall rules or network segmentation, limiting exposure to untrusted IPP clients; (2) disable the RSS notifier if not in use by removing or commenting out the notify-recipient-uri handling in CUPS configuration; (3) audit and tighten CacheDir permissions to restrict write access only to the 'lp' user (mode 0700 instead of 0770) if feasible, though this may break legitimate print workflows. Apply patches as soon as they become available from the OpenPrinting project.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-34978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy