Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS(*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of directories for which they would not normally have authorization.
*:Canon PIXUS iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (Japan)
Canon PIXMA MG2500 Series and iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (US and Europe)
AnalysisAI
Symlink-following vulnerability in the Canon PIXMA/PIXUS CUPS Printer Driver installer for macOS allows a local authenticated attacker to manipulate directory permissions beyond their authorization. By placing a specially crafted symbolic link in a path the installer traverses, the attacker can redirect installer-time permission changes to arbitrary directories during a privileged installation run. Affected versions are 16.91.0.0 and earlier across Japan (iX6800 Series), the US, and Europe (MG2500 and iX6800 Series); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access, commonly called 'Link Following'), a well-understood class of installer-privilege-escalation flaw. During installation, the Canon CUPS Printer Driver runs with elevated macOS privileges to set ownership or permissions on target directories. If a low-privileged local user pre-places a symlink at a path the installer is expected to operate on, the installer resolves the link without validating its destination and applies permission changes to the symlink target rather than the intended directory. On macOS, this pattern is particularly relevant because macOS installers commonly run as root via Authorization Services, and the OS does not automatically strip symlink traversal from privilege-elevated file operations unless the developer explicitly uses secure coding patterns such as O_NOFOLLOW. CPE data is not explicitly provided in the advisory, but the affected components are Canon-branded CUPS drivers (Common Unix Printing System) distributed as macOS .pkg installers for the PIXUS iX6800 and PIXMA MG2500 product lines.
RemediationAI
Upgrade the Canon PIXMA MG2500 Series and PIXUS iX6800 Series CUPS Printer Driver beyond version 16.91.0.0 using the updated installer packages referenced in Canon's regional advisories: Japan (https://canon.jp/support/support-info/260528-1vulnerability-response), US (https://www.usa.canon.com/support/canon-product-advisories/CPA2026-004-Vulnerability-Remediation-for-My-Image-Garden-for-macOS-and-CUPS-Printer-Driver-for-macOS), and Europe (https://www.canon-europe.com/support/product-security/). Note that an exact fixed version number was not stated in the provided advisory data - confirm the specific patched version with Canon before deployment. Patch available per vendor advisory. As a compensating control where immediate patching is not possible, restrict the installer execution to controlled administrative accounts and ensure untrusted users cannot write to directories the installer accesses prior to installation - this directly eliminates the attacker's ability to pre-place the symlink. On managed macOS fleets, deploying the driver via MDM (e.g., Jamf) rather than user-initiated installation reduces the window of attacker-controlled pre-seeding. Removing the CUPS printer driver entirely on machines where the affected printer hardware is not in use eliminates the attack surface with no functional trade-off.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33231
GHSA-xjvf-w7h7-789h