Critical CUPS Vulnerability Chain Lets Attackers Execute Code as Root
Key Takeaways
- A critical vulnerability chain in CUPS allows unauthenticated attackers to achieve root-level code execution.
- The two zero-day flaws, CVE-2026-34980 and CVE-2026-34990, affect CUPS versions 2.4.16 and older.
- The attack involves exploiting legacy print queues and manipulating localhost authentication mechanisms for a full system takeover.
- No official patches are currently available, but mitigation strategies focus on configuration changes and robust access controls.
A severe vulnerability chain within the Common Unix Printing System (CUPS) has been uncovered, enabling unauthenticated remote attackers to execute arbitrary code with root privileges. This critical flaw poses a significant risk, potentially leading to full system compromise.
Security researcher Asim Viladi Oglu Manizada, along with his team, identified these two zero-day vulnerabilities, designated as CVE-2026-34980 and CVE-2026-34990. The flaws impact CUPS versions 2.4.16 and all earlier releases.
The sophisticated attack leverages a sequence of exploits, transforming an initial network intrusion into a complete system takeover. This is achieved by targeting legacy print queues and subsequently manipulating localhost authentication protocols.
Bypassing Authentication with Legacy Queues
The initial phase of the attack capitalizes on CVE-2026-34980. This vulnerability exploits the default CUPS server policy, which permits anonymous print jobs when a shared PostScript queue is accessible over a network. By submitting a specially crafted print request to such a queue, a remote attacker can bypass the system’s authentication layer and tamper with the internal queue configuration.
The core of this vulnerability lies in a parsing error where embedded newline characters within job attributes are not properly escaped by the system. This oversight allows attackers to inject malicious commands into trusted scheduler control records. By inserting a malicious filter entry into the PostScript Printer Description (PPD) file, the attacker gains remote code execution capabilities, initially as the unprivileged “lp” service user.
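The bug class described here (an attribute value carrying an unescaped newline that, written verbatim into a line-oriented record, becomes a second record line when the file is read back) is illustrated below with a hypothetical record format. This is added example code, not CUPS's scheduler or PPD code; the record format, the function names and the sample job title are constructed for the example.

```python
"""Added example of the newline-injection bug class, using a hypothetical
'Key: value' record format (not CUPS's own control-record format)."""
import re

# Control characters that must never reach a line-oriented record verbatim.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def write_record_unsafe(attrs: dict) -> str:
    """'Before' version: values are written as-is, so a value containing a
    newline ends the current line and a second, caller-shaped line appears
    when the record is parsed line by line."""
    return "".join(f"{k}: {v}\n" for k, v in attrs.items())


def write_record_safe(attrs: dict) -> str:
    """'After' version: refuse any key or value carrying a control character
    (CR, LF, NUL, ...) before it is serialised. Escaping would also work;
    rejecting is simpler to reason about for an internal record."""
    for k, v in attrs.items():
        if _CTRL.search(k) or _CTRL.search(str(v)):
            raise ValueError(f"control character in attribute {k!r}")
    return "".join(f"{k}: {v}\n" for k, v in attrs.items())


def parse_record(text: str) -> list:
    """Minimal line-oriented reader: one 'Key: value' pair per line."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(": ")
        pairs.append((key, value))
    return pairs


# Constructed sample: a job title that smuggles a second record line.
HOSTILE_TITLE = "report.ps\nExtra: smuggled"


def demo() -> tuple:
    """Return (number of pairs the unsafe writer produced, whether the safe
    writer rejected the same input). With two attributes the unsafe writer
    yields three pairs: the smuggled line is parsed as a real record."""
    attrs = {"Name": "job-1", "Title": HOSTILE_TITLE}
    unsafe_pairs = parse_record(write_record_unsafe(attrs))
    try:
        write_record_safe(attrs)
        rejected = False
    except ValueError:
        rejected = True
    return len(unsafe_pairs), rejected


if __name__ == "__main__":
    print(demo())
```

The defensive point is that the check belongs at the boundary where untrusted attribute values enter a trusted, line-structured file, not in the reader: once the extra line is on disk, a line-by-line parser has no way to tell it from a legitimate entry.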
Privilege Escalation to Root
Once initial access is established, the threat actor then exploits the second vulnerability, CVE-2026-34990, to escalate privileges from the compromised “lp” user to full root access. CUPS’s default policy permits any low-privilege account to instruct the service to create a temporary local printer on the localhost interface without requiring administrative approval.
Through the setup of a malicious “fake printer listener,” the attacker can intercept the printer setup process. This allows them to coerce the CUPS daemon into authenticating with a reusable local authorization token. With this stolen administrative token, the attacker then exploits a race condition to bypass standard device URI restrictions. This manipulation converts the temporary printer into a persistent queue that directly points to a sensitive system file path, ultimately resulting in an arbitrary root file overwrite.
As of early April 2026, official software patches to address these vulnerabilities are not yet available. However, it is important to note that the initial remote code execution flaw specifically requires the deliberate configuration choice of exposing a shared PostScript queue over the network.
What You Should Do
- Disable Shared Legacy Queues: Administrators should immediately disable any shared legacy PostScript queues that are exposed over the network.
- Limit Network Exposure: Restrict the network exposure of the CUPS daemon to only essential interfaces and trusted networks.
- Enforce Strict Authentication: Implement and enforce strict authentication for all print job submissions to the CUPS server. As highlighted by heyitsas, this is a crucial mitigation step.
- Utilize Mandatory Access Controls: Operate the CUPS service under robust mandatory access control systems such as AppArmor or SELinux. These systems can significantly limit the “blast radius” by preventing compromised processes from modifying critical system files outside their designated secure environments.
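The first three mitigations are configuration checks an administrator can script. The audit below is added example code, not CUPS's own tooling: it reads cupsd.conf and printers.conf text and flags a listener on all interfaces, browsing enabled, an open `<Location />`, a default policy that allows Print-Job without a Require line, and queues marked `Shared Yes`. The directive names are the standard cupsd.conf and printers.conf ones; the weak and hardened sample configurations are constructed for the example, and the parser is deliberately minimal rather than a full cupsd.conf grammar.

```python
"""Added example: audit cupsd.conf / printers.conf text for the exposure
conditions addressed above. Not CUPS's own tooling; samples are constructed."""
import re

_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")


def parse_conf(text: str) -> dict:
    """Top-level 'Key value' directives plus <Section arg> ... </Section>
    blocks; nested blocks are keyed 'Outer arg/Inner arg'. Comments stripped."""
    top, sections, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            sections.setdefault("/".join(stack), {})
            continue
        if line.startswith("</"):
            stack.pop()
            continue
        key, _, value = line.partition(" ")
        target = sections["/".join(stack)] if stack else top
        target.setdefault(key, []).append(value.strip())
    return {"top": top, "sections": sections}


def _norm(v: str) -> str:
    # "Allow from all" and "Allow all" are equivalent spellings.
    return re.sub(r"^from\s+", "", v.lower()).strip()


def audit_cupsd(conf: str) -> list:
    """Return findings (strings) for a cupsd.conf text; [] means clean."""
    parsed = parse_conf(conf)
    top, secs = parsed["top"], parsed["sections"]
    findings = []
    # 1. Daemon bound to every interface ("Port N" or a wildcard Listen).
    for entry in top.get("Port", []) + top.get("Listen", []):
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        if entry.isdigit() or host in ("*", "0.0.0.0", "[::]", "::"):
            findings.append(f"listener on all interfaces: {entry}")
    # 2. Queues advertised on the network.
    if _norm(top.get("Browsing", ["Off"])[-1]) == "on":
        findings.append("Browsing On: queues are advertised on the network")
    # 3. Root location open to any client.
    for allow in secs.get("Location /", {}).get("Allow", []):
        if _norm(allow) == "all":
            findings.append("<Location />: Allow all")
    # 4. Print-Job in the default policy with no Require line (anonymous).
    for name, body in secs.items():
        if name.startswith("Policy default/Limit") and "Print-Job" in name:
            if "Require" not in body:
                findings.append("Print-Job has no Require: anonymous submission")
    return findings


def shared_queues(printers_conf: str) -> list:
    """Names of queues marked 'Shared Yes' in a printers.conf text."""
    secs = parse_conf(printers_conf)["sections"]
    return [name.split(" ", 1)[1] for name, body in secs.items()
            if name.startswith("Printer ")
            and any(_norm(v) == "yes" for v in body.get("Shared", []))]


WEAK_CUPSD = """\
# constructed sample: exposed and anonymous
Listen *:631
Browsing On
<Location />
  Order allow,deny
  Allow all
</Location>
<Policy default>
  <Limit Send-Document Send-URI Print-Job Print-URI>
    Order deny,allow
  </Limit>
</Policy>
"""

HARDENED_CUPSD = """\
# constructed sample: local listeners, no advertising, authenticated jobs
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
  Allow localhost
</Location>
<Policy default>
  <Limit Send-Document Send-URI Print-Job Print-URI>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
</Policy>
"""

SAMPLE_PRINTERS = """\
# constructed sample printers.conf fragment
<Printer legacy-ps>
Shared Yes
DeviceURI socket://192.0.2.10:9100
</Printer>
<Printer desk-local>
Shared No
DeviceURI usb://example/printer
</Printer>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CUPSD), ("hardened", HARDENED_CUPSD)):
        print(label, audit_cupsd(conf) or ["no findings"])
    print("shared queues:", shared_queues(SAMPLE_PRINTERS))
```

On a live host the same changes are made with the standard CUPS tools rather than by editing files: `cupsctl --no-share-printers --no-remote-any --no-remote-admin` turns off sharing and remote access globally, and `lpadmin -p legacy-ps -o printer-is-shared=false` unshares a single queue; the `Require valid-user` line in the hardened sample is what makes job submission authenticated rather than anonymous.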