{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34980", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.617Z", "datePublished": "2026-04-03T21:18:09.410Z", "dateUpdated": "2026-04-06T13:12:43.625Z"}, "containers": {"cna": {"title": "OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf"}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"version": "<= 2.4.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:18:09.410Z"}, "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-4852-v58g-6cwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:12:31.098814Z", "id": "CVE-2026-34980", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:12:43.625Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34980", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:12:31.098814Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:12:39.119Z"}}], "cna": {"title": "OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network", "source": {"advisory": "GHSA-4852-v58g-6cwf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenPrinting", "product": "cups", "versions": [{"status": "affected", "version": "<= 2.4.16"}]}], "references": [{"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf", "name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:18:09.410Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34980", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:12:43.625Z", "dateReserved": "2026-03-31T19:38:31.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:18:09.410Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A2A4507-B2D7-43B8-B008-6EC2F5053FA9", "versionEndIncluding": "2.4.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34980", "lastModified": "2026-04-16T18:28:13.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:27.243", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network", "id": "2454954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454954"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in OpenPrinting CUPS. An unauthorized client can exploit this vulnerability by sending a specially crafted print job to a shared PostScript queue without authentication. The server improperly handles the `page-border` value, allowing an attacker to embed and reparse malicious text as a trusted scheduler control record. This can lead to arbitrary code execution with the privileges of the 'lp' user, potentially compromising the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-03T21:18:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34980\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34980\nhttps://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cups", "source": "cna", "vendor": "OpenPrinting"}, "product": "cups", "vendor": "openprinting"}], "analysis": {"en": {"generated_at": "2026-04-04T04:20:47.203280+00:00", "value": {"mitigation_remediation": ["Apply a vendor patch for CUPS once it is released", "Disable the shared attribute on target queues or remove the shared queue entirely", "Restrict network access to the cupsd daemon with firewall rules to allow only trusted hosts", "Continuously monitor vendor advisories and apply updates promptly when available"], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution via lp"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the OpenPrinting CUPS printing system on any Linux or Unix\u2011like operating system where cupsd is exposed over the network and a target queue is marked as shared. It applies to installations running CUPS 2.4.16 or earlier regardless of the specific distribution or configuration.", "description_and_impact": "CUPS versions 2.4.16 and earlier allow an attacker who can access a network\u2011exposed cupsd with a shared PostScript queue to send a Print\u2011Job without authentication. The server accepts a page\u2011border value, preserves an embedded newline, re\u2011escapes and re\u2011parses the resulting text, and then interprets the second\u2011line PPD as a trusted scheduler control record (CWE\u201120). A follow\u2011up raw print job can cause the scheduler to execute an attacker\u2011chosen binary, such as /usr/bin/vim, under the privileges of the lp user (CWE\u201178). This yields remote code execution without requiring any privileged authentication.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the lack of authentication combined with network exposure makes exploitation straightforward for any adversary with network access to the cupsd daemon. The attack requires only a crafted Print\u2011Job sent to the shared queue; additional constraints such as firewall restriction or disabling shared queues reduce the attack surface. Until a patch is released, exposed hosts remain at significant risk of remote code execution."}}}}, "created": "2026-04-06T21:22:29.668382+00:00", "updated": "2026-04-06T22:22:07.836896+00:00", "vendors": ["openprinting", "openprinting$PRODUCT$cups"]}