{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.617Z", "datePublished": "2026-04-03T21:16:38.594Z", "dateUpdated": "2026-04-07T14:19:07.586Z"}, "containers": {"cna": {"title": "OpenPrinting CUPS: Heap overflow in `get_options()`", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh"}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"version": "<= 2.4.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:16:38.594Z"}, "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-6qxf-7jx6-86fh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:19:03.599906Z", "id": "CVE-2026-34979", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:19:07.586Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:19:03.599906Z"}}}], "references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:18:57.894Z"}}], "cna": {"title": "OpenPrinting CUPS: Heap overflow in `get_options()`", "source": {"advisory": "GHSA-6qxf-7jx6-86fh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"status": "affected", "version": "<= 2.4.16"}]}], "references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh", "name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:16:38.594Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34979", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:19:07.586Z", "dateReserved": "2026-03-31T19:38:31.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:16:38.594Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A2A4507-B2D7-43B8-B008-6EC2F5053FA9", "versionEndIncluding": "2.4.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34979", "lastModified": "2026-04-16T18:28:57.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:27.097", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "cups: OpenPrinting CUPS: Denial of Service via heap-based buffer overflow in job attribute processing", "id": "2454946", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454946"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in OpenPrinting CUPS. A remote attacker could exploit a heap-based buffer overflow by sending specially crafted job attributes when building filter option strings. This could lead to a denial of service, making the printing system unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34979", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-03T21:16:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34979\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34979\nhttps://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.16]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "cups", "source": "cna", "vendor": "OpenPrinting"}, "product": "cups", "vendor": "openprinting"}], "analysis": {"en": {"generated_at": "2026-04-04T04:21:08.683798+00:00", "value": {"mitigation_remediation": ["Restrict external print job submissions and limit access to the CUPS service to trusted users", "Configure firewalls or network segmentation to block unauthenticated access to the printer service", "Monitor vendor security advisories for a patch; once a newer CUPS version is released, upgrade promptly"], "summary": {"action": "Plan Update", "impact": "Possible Remote Code Execution"}, "threat_synthesis": {"affected_systems": "OpenPrinting CUPS version 2.4.16 and earlier on Linux and other Unix\u2011like operating systems are affected. This includes all distributions that ship the default CUPS scheduler component.", "description_and_impact": "A heap\u2011based buffer overflow occurs in the CUPS scheduler while building filter option strings from job attributes. The overflow exposes a vulnerability that could lead to arbitrary memory corruption, potentially allowing an attacker to execute code or cause a denial of service. The weakness falls under CWE\u2011120 and CWE\u2011122.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not publicly available, leaving the likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the printing service, though local privilege escalation cannot be ruled out."}}}}, "created": "2026-04-06T21:22:30.752483+00:00", "updated": "2026-04-06T22:22:08.857660+00:00", "vendors": ["openprinting", "openprinting$PRODUCT$cups"]}