OpenPrinting CUPS (<= 2.4.16) contains a CWE-22 path traversal vulnerability in the RSS notifier component. The notify-recipient-uri parameter accepts path traversal sequences (e.g., rss:///../job.cache), enabling a remote IPP client to write RSS XML bytes outside the restricted CacheDir/rss directory to any location writable by the lp user. Since CacheDir is group-writable (root:lp, mode 0770), the notifier running as lp can overwrite root-managed state files via a temporary file and rename operation. This can corrupt the job cache file, causing the scheduler to fail to parse it and lose previously queued jobs. No public patches or vendor advisories with fixes are available as of the publication date.

The vulnerability allows remote unauthenticated attackers to overwrite critical print system files, specifically the job cache, leading to denial of service by causing the print scheduler to fail and lose queued print jobs. There is no indication of confidentiality or direct code execution impact. The CVSS score of 6.5 (medium severity) reflects the network attack vector, low attack complexity, no privileges required, and impact on integrity and availability.

At the time of publication, no official patches or fixes are available for this vulnerability. Users should monitor the OpenPrinting project for updates and advisories. Until a fix is released, consider restricting network access to the CUPS IPP service to trusted clients only and applying compensating controls to limit exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.