2454947 – (CVE-2026-34990) CVE-2026-34990 cups: OpenPrinting CUPS: Privilege escalation via arbitrary file overwrite due to coerced authentication

Bug 2454947 (CVE-2026-34990) - CVE-2026-34990 cups: OpenPrinting CUPS: Privilege escalation via arbitrary file overwrite due to coerced authentication

Summary: CVE-2026-34990 cups: OpenPrinting CUPS: Privilege escalation via arbitrary fi...

Keywords:
Status:	NEW
Alias:	CVE-2026-34990
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2454993
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-03 22:01 UTC by OSIDB Bzimport
Modified:	2026-04-03 23:15 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-03 22:01:22 UTC

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

Note You need to log in before you can comment on or make changes to this bug.