CVE-2022-26691: 
NixOS vulnerability analysis and mitigation

CVE-2022-26691 is a logic issue in the CUPS (Common Unix Printing System) that affects the validation of the secret key used in the "local" authorization mode. The vulnerability was discovered by Joshua Mason of Mandiant and was fixed in Apple CUPS 2 version 499.4, Security Update 2022-003 Catalina, macOS Monterey 12.3, and macOS Big Sur 11.6.5. The issue affects multiple operating systems including macOS and various Linux distributions (Mandiant Disclosure).

The vulnerability exists in the alternative form of authentication ("Local" Authentication) which employs a buggy string compare function (ctcompare()). The function contained a logic error that allowed an attacker to authenticate as root using an empty string, bypassing the need for the 32-byte random secret. The issue has a CVSS v3.1 base score of 6.7 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows a local unprivileged attacker to gain root level privileges. Once authenticated to CUPS as root, arbitrary code execution with root privileges becomes trivially easy to accomplish. This represents a significant security risk as it allows for complete system compromise by local attackers (Mandiant Disclosure).

The vulnerability has been patched in multiple versions across different platforms. For macOS, it was fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, and macOS Big Sur 11.6.5. For Linux distributions, Debian fixed it in version 2.2.10-6+deb10u6 for oldstable and 2.3.3op2-3+deb11u2 for stable. The OpenPrinting CUPS project addressed the issue in version 2.4.2 (Apple Support, Debian Security).