ALAS2023-2026-1668

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1668
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14

Severity: Medium

References: CVE-2026-27447 CVE-2026-41079
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches. (CVE-2026-27447)

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17. (CVE-2026-41079)

Affected Packages:

cups

Issue Correction:
Run dnf update cups --releasever 2023.11.20260511 or dnf update --advisory ALAS2023-2026-1668 --releasever 2023.11.20260511 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    cups-printerapp-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-debugsource-2.4.19-1.amzn2023.0.1.aarch64
    cups-libs-2.4.19-1.amzn2023.0.1.aarch64
    cups-ipptool-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-libs-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-client-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-devel-2.4.19-1.amzn2023.0.1.aarch64
    cups-printerapp-2.4.19-1.amzn2023.0.1.aarch64
    cups-lpd-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-ipptool-2.4.19-1.amzn2023.0.1.aarch64
    cups-lpd-2.4.19-1.amzn2023.0.1.aarch64
    cups-debuginfo-2.4.19-1.amzn2023.0.1.aarch64
    cups-client-2.4.19-1.amzn2023.0.1.aarch64
    cups-2.4.19-1.amzn2023.0.1.aarch64

noarch:
    cups-filesystem-2.4.19-1.amzn2023.0.1.noarch

src:
    cups-2.4.19-1.amzn2023.0.1.src

x86_64:
    cups-printerapp-debuginfo-2.4.19-1.amzn2023.0.1.x86_64
    cups-debugsource-2.4.19-1.amzn2023.0.1.x86_64
    cups-client-2.4.19-1.amzn2023.0.1.x86_64
    cups-lpd-debuginfo-2.4.19-1.amzn2023.0.1.x86_64
    cups-ipptool-debuginfo-2.4.19-1.amzn2023.0.1.x86_64
    cups-2.4.19-1.amzn2023.0.1.x86_64
    cups-client-debuginfo-2.4.19-1.amzn2023.0.1.x86_64
    cups-devel-2.4.19-1.amzn2023.0.1.x86_64
    cups-libs-debuginfo-2.4.19-1.amzn2023.0.1.x86_64
    cups-lpd-2.4.19-1.amzn2023.0.1.x86_64
    cups-ipptool-2.4.19-1.amzn2023.0.1.x86_64
    cups-libs-2.4.19-1.amzn2023.0.1.x86_64
    cups-printerapp-2.4.19-1.amzn2023.0.1.x86_64
    cups-debuginfo-2.4.19-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-27447, CVE-2026-41079

Mitre: CVE-2026-27447, CVE-2026-41079