CVE-2026-34978

Name of the Vulnerable Software and Affected Versions OpenPrinting CUPS versions 2.4.16 and earlier

Description The RSS notifier allows path traversal in the 'notify-recipient-uri' parameter (for example, 'rss:///../job.cache'). This enables a remote IPP client to write RSS XML bytes outside the CacheDir/rss directory to any location that is lp-writable. Since CacheDir is typically group-writable by default, the notifier can replace root-managed state files using a temporary file and the rename() function. This can lead to the corruption of the job cache, causing the scheduler to fail and previously queued jobs to disappear after a restart of cupsd.

Recommendations Update the rootio-cups package to a fixed version.