Advisories ยป MGASA-2026-0201

Updated cups packages fix security vulnerabilities

Publication date: 12 Jun 2026
Modification date: 12 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-27447 , CVE-2026-39314 , CVE-2026-39316 , CVE-2026-34978 , CVE-2026-34979 , CVE-2026-34980 , CVE-2026-34990

Description

CVE-2026-27447, Authorization bypass via case-insensitive group-member
lookup.
CVE-2026-39314, Integer underflow in `_ppdCreateFromIPP` causes root
cupsd crash via negative `job-password-supported`
CVE-2026-39316, Use-after-free in `cupsdDeleteTemporaryPrinters` via
dangling subscription pointer
CVE-2026-34978, Path traversal in RSS notify-recipient-uri enables file
write outside CacheDir/rss (and clobbering of job.cache)
CVE-2026-34979, Heap overflow in `get_options()`
CVE-2026-34980, Shared PostScript queue lets anonymous Print-Job
requests reach `lp`code execution over the network
CVE-2026-34990, Local print admin token disclosure using temporary
printers.
Heap out-of-bounds read in SNMP supply-level polling leaks stack memory
to authenticated users.
Out-of-bounds heap read in cupsdSetPrinterAttr marker-types parsing

References

SRPMS

9/core