Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Possible Remote Code Execution
Action: Plan Update
AI Analysis

Impact

A heap‑based buffer overflow occurs in the CUPS scheduler while building filter option strings from job attributes. The overflow exposes a vulnerability that could lead to arbitrary memory corruption, potentially allowing an attacker to execute code or cause a denial of service. The weakness falls under CWE‑120 and CWE‑122.

Affected Systems

OpenPrinting CUPS version 2.4.16 and earlier on Linux and other Unix‑like operating systems are affected. This includes all distributions that ship the default CUPS scheduler component.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not publicly available, leaving the likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the printing service, though local privilege escalation cannot be ruled out.

Generated by OpenCVE AI on April 4, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict external print job submissions and limit access to the CUPS service to trusted users
  • Configure firewalls or network segmentation to block unauthenticated access to the printer service
  • Monitor vendor security advisories for a patch; once a newer CUPS version is released, upgrade promptly

Generated by OpenCVE AI on April 4, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting
Openprinting cups
Vendors & Products Openprinting
Openprinting cups

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.
Title OpenPrinting CUPS: Heap overflow in `get_options()`
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Openprinting Cups
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:19:07.586Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34979

cve-icon Vulnrichment

Updated: 2026-04-07T14:18:57.894Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T22:16:27.097

Modified: 2026-04-16T18:28:57.420

Link: CVE-2026-34979

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T21:16:38Z

Links: CVE-2026-34979 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:22:08Z

Weaknesses