An alarming vulnerability chain within the Common Unix Printing System (CUPS) has been identified, allowing remote attackers to execute malicious code with root-level access. This issue poses a significant threat to systems running CUPS versions 2.4.16 and earlier.
Discovery of Critical Flaws
Security researcher Asim Viladi Oglu Manizada and his team uncovered two zero-day vulnerabilities, designated as CVE-2026-34980 and CVE-2026-34990. These flaws, affecting older versions of CUPS, enable a sophisticated assault that transforms a network breach into full system control.
The attack exploits outdated print queues and manipulates localhost authentication, thereby elevating an initial unauthorized access into a comprehensive takeover.
Exploiting Legacy Print Queues
The initial phase of the attack targets CVE-2026-34980. By exploiting CUPS’s default settings, which accept anonymous print jobs over a network-exposed shared PostScript queue, attackers can bypass authentication.
This vulnerability arises from a parsing error where embedded newline characters in job attributes bypass the system’s escaping process. This allows attackers to inject malicious commands into trusted control records.
Subsequently, attackers can execute remote code by inserting a harmful filter entry into the PostScript Printer Description (PPD) file, gaining control as the unprivileged ‘lp’ service user.
Privilege Escalation and Mitigation
After gaining initial access, the attacker can exploit CVE-2026-34990 to escalate privileges from the ‘lp’ user to root access. The default CUPS policy permits low-privilege users to direct the service to create temporary local printers on the localhost without administrative consent.
By setting up a rogue printer listener, attackers can intercept the setup and manipulate the CUPS daemon into using a local authorization token to bypass device URI restrictions. This results in an unauthorized overwrite of sensitive system files.
As of April 2026, no patches have been released to address these vulnerabilities. However, administrators can mitigate risks by disabling shared legacy queues, limiting network exposure, and enforcing strict authentication for print jobs.
Implementing stringent access controls through systems like AppArmor or SELinux can further restrict compromised processes from affecting critical files.
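The mitigations above (no network exposure, no shared legacy queues, authenticated print jobs) can be checked mechanically. The script below is an added example, not code from the article or the CUPS project: it writes two constructed cupsd.conf files, one with the permissive settings the attack relies on and one hardened, and audits each for those three conditions using the stock cupsd.conf directive names (Listen, Port, Browsing, AuthType, Require).

```shell
#!/bin/sh
# Constructed permissive cupsd.conf: network listener, Browsing on, Print-Job open to anyone.
write_weak_conf() {
  cat > "$1" <<'EOF'
Listen *:631
Browsing On
<Policy default>
  <Limit Print-Job Send-Document Create-Job>
    Order deny,allow
  </Limit>
</Policy>
EOF
}
# Constructed hardened cupsd.conf: loopback only, Browsing off, jobs need queue-owner or admin auth.
write_hardened_conf() {
  cat > "$1" <<'EOF'
Listen localhost:631
Browsing Off
<Policy default>
  <Limit Print-Job Send-Document Create-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
}
# Print one WARN line per risky setting, then the number of findings on the last line.
audit_cupsd_conf() {
  conf="$1"; n=0
  # Port, or a Listen not bound to loopback / a Unix socket, exposes cupsd to the network.
  if grep -Eiq '^[[:space:]]*Port[[:space:]]' "$conf" ||
     grep -Ei '^[[:space:]]*Listen[[:space:]]' "$conf" | grep -Eiv 'Listen[[:space:]]+(localhost|127\.|\[::1\]|/)' | grep -q .; then
    echo "WARN: cupsd bound to a non-loopback address"; n=$((n+1))
  fi
  if grep -Eiq '^[[:space:]]*Browsing[[:space:]]+On' "$conf"; then
    echo "WARN: Browsing On advertises shared queues to the network"; n=$((n+1))
  fi
  # A <Limit> covering Print-Job with no AuthType/Require accepts anonymous jobs.
  limit=$(sed -n '/<Limit[^>]*Print-Job/,/<\/Limit>/p' "$conf")
  if [ -n "$limit" ] && ! printf '%s\n' "$limit" | grep -Eiq '^[[:space:]]*(AuthType|Require)'; then
    echo "WARN: Print-Job accepted without authentication"; n=$((n+1))
  fi
  echo "$n"
}
# Demo on the two constructed files (point audit_cupsd_conf at /etc/cups/cupsd.conf for a real host).
tmp=$(mktemp -d); write_weak_conf "$tmp/weak.conf"; write_hardened_conf "$tmp/hardened.conf"
echo "== weak =="; audit_cupsd_conf "$tmp/weak.conf"
echo "== hardened =="; audit_cupsd_conf "$tmp/hardened.conf"
rm -rf "$tmp"
```

The permissive file yields three findings and the hardened file none; a finding on a real host means the queue is reachable or anonymous and should be fixed before relying on AppArmor or SELinux as a second layer.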
