ALPINE-CVE-2026-34980
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-34980
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-34980.json
- JSON Data
- https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-34980
- Upstream
- Published
- 2026-04-03T22:16:27.243Z
- Modified
- 2026-06-09T21:31:39.795877244Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
- References
Affected packages
Alpine:v3.20 / cups
Package
- Name
- cups
- Purl
- pkg:apk/alpine/cups?arch=source
Alpine:v3.21 / cups
Package
- Name
- cups
- Purl
- pkg:apk/alpine/cups?arch=source
Alpine:v3.22 / cups
Package
- Name
- cups
- Purl
- pkg:apk/alpine/cups?arch=source
Alpine:v3.23 / cups
Package
- Name
- cups
- Purl
- pkg:apk/alpine/cups?arch=source