Hi all,
we had several security reports in CUPS which are fixed in the released
CUPS 2.4.17:
- no known CVE yet, requested from GitHub -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv
  - Heap out-of-bounds read in SNMP supply-level polling leaks stack memory to authenticated users - moderate severity
- CVE-2026-39314 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pp8w-2g52-7vj7
  - Integer underflow in `_ppdCreateFromIPP` causes root cupsd crash via negative `job-password-supported` - moderate severity
- CVE-2026-39316 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pjv5-prqp-46rg
  - Use-after-free in `cupsdDeleteTemporaryPrinters` via dangling subscription pointer - moderate severity
- CVE-2026-34990 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
  - Local print admin token disclosure using temporary printers - moderate severity
- CVE-2026-34980 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
  - Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network - moderate severity
- CVE-2026-34979 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh
  - Heap overflow in `get_options()` - moderate severity
- CVE-2026-34978 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr
  - Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache) - moderate severity
- CVE-2026-27447 -
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9
  - Authorization bypass via case-insensitive group-member lookup - moderate severity
We thank all the researchers for the reports!
Have a nice day,
Zdenek
P.S. I hope you don't mind such a bulk email - there were a number of CVEs at
the same time, but all relevant information is at the links.
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
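Added example, not part of Zdenek's mail or of the CUPS project: a small POSIX sh check that compares an installed CUPS version against 2.4.17, the release the mail names as carrying all of the fixes above. It assumes that `cups-config --version` (shipped with the CUPS development package) is available when no version string is passed in; the `version_ge` and `cups_status` helpers and their output strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the mail above or from the CUPS project): does the
# installed CUPS already carry the fixes released in 2.4.17?

FIXED_VERSION="2.4.17"   # release named in the announcement above

# version_ge A B: print 1 if dotted version A >= B, else 0.
# Non-numeric suffixes ("rc1", "-3.el9") are stripped before comparing, so a
# pre-release tag of the fixed version is treated as equal to it.
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}                                  # leading component
        y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac  # drop it from the rest
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}                                   # missing component == 0
        y=${y:-0}
        [ "$x" -gt "$y" ] && { echo 1; return 0; }
        [ "$x" -lt "$y" ] && { echo 0; return 0; }
    done
    echo 1
}

# cups_status [VERSION]: print "fixed", "vulnerable" or "unknown".
# With no argument, asks the local install via cups-config (assumption: the
# CUPS development package, which provides that script, is installed).
cups_status() {
    ver="$1"
    if [ -z "$ver" ]; then
        ver=$(cups-config --version 2>/dev/null) || {
            echo "cups-config not found; pass the version explicitly" >&2
            echo unknown
            return 0
        }
    fi
    if [ "$(version_ge "$ver" "$FIXED_VERSION")" -eq 1 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

cups_status "${1:-}"
```

Caveat: distributions such as Fedora and RHEL routinely backport security fixes without changing the upstream version number, so a "vulnerable" verdict from this check means only that the version is older than 2.4.17; confirm against your distribution's errata for the listed CVE IDs before concluding a host is actually exposed.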