A critical vulnerability chain in the Common Unix Printing System (CUPS) allows unauthenticated remote attackers to execute arbitrary malicious code with root system privileges.
Security researcher Asim Viladi Oglu Manizada and his team discovered two zero-day flaws, officially tracked as CVE-2026-34980 and CVE-2026-34990, that affect CUPS versions 2.4.16 and older.
The sophisticated attack chain escalates a network intrusion into a complete system takeover by exploiting legacy print queues and manipulating localhost authentication mechanisms.
Bypassing Authentication with Legacy Queues
The first stage of the attack exploits CVE-2026-34980, targeting the default policy of the CUPS server, which accepts anonymous print jobs when a shared PostScript queue is exposed over a network.
By sending a maliciously crafted print request to this queue, a remote attacker can bypass the authentication layer and manipulate the internal queue configuration.
The vulnerability stems from a parsing bug where embedded newline characters in job attributes survive the system’s escaping process, allowing attackers to smuggle malicious commands into trusted scheduler control records.
Injecting a malicious filter entry into the PostScript Printer Description file grants the attacker remote code execution capabilities as the unprivileged “lp” service user.
Once initial access is achieved, the threat actor leverages the second vulnerability, CVE-2026-34990, to escalate privileges from the compromised “lp” user to full root access.
The default policy allows any low-privilege account to command the CUPS service to create a temporary local printer on the localhost interface without administrative approval.
By setting up a malicious fake printer listener, the attacker intercepts the setup process and coerces the CUPS daemon into authenticating with a reusable local authorization token.
Using this stolen admin token, the attacker exploits a race condition to bypass normal device URI restrictions, converting the temporary printer into a persistent queue pointing directly to a sensitive system file path, resulting in an arbitrary root file overwrite.
As of early April 2026, there are no official software patches available to resolve these vulnerabilities.
However, the initial remote code execution flaw requires the deliberate configuration choice of exposing a shared PostScript queue over the network.
To mitigate this threat, administrators should disable shared legacy queues, limit network exposure of the CUPS daemon, or enforce strict authentication for all print job submissions, as highlighted by heyitsas.
Operating the CUPS service under robust mandatory access control systems like AppArmor or SELinux can also limit the blast radius by preventing compromised processes from modifying critical files outside their safe environments.
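The mitigations above map onto a handful of cupsd.conf settings: where the scheduler listens, whether queues are shared by default, and whether the job-submission and printer-creation operations in the default policy require authentication. The following shell script is an added example, not code from the article, the researchers, or the CUPS project. It audits cupsd.conf text for those settings and shows an exposed configuration beside a hardened one. It assumes the standard cupsd.conf directive names (Port, Listen, Browsing, DefaultShared, <Limit>, AuthType); the CUPS-Create-Local-Printer operation name and the choice to restrict it to @SYSTEM come from the CUPS 2.2+ policy documentation rather than from the article, and both sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added audit helper; it is not from the article, the researchers, or the
# CUPS project. It reads cupsd.conf text and flags the settings that the
# article's mitigations address. Assumptions: the standard cupsd.conf
# directives (Port, Listen, Browsing, DefaultShared, <Limit>, AuthType);
# the CUPS-Create-Local-Printer operation name comes from the CUPS 2.2+
# policy documentation, not from the article.

# Print "<with> <without>": the number of <Limit> blocks whose operation
# list matches the ERE in $1 that do / do not set an AuthType.
# $2 = cupsd.conf text.
limit_auth_counts() {
  printf '%s\n' "$2" | awk -v pat="$1" '
    /^[[:space:]]*<Limit[[:space:]]/ { inblock = 1; hasauth = 0; covers = ($0 ~ pat); next }
    inblock && /^[[:space:]]*AuthType[[:space:]]/ { hasauth = 1 }
    /^[[:space:]]*<\/Limit>/ {
      if (inblock && covers) { if (hasauth) with++; else without++ }
      inblock = 0
    }
    END { print with + 0, without + 0 }'
}

# Audit cupsd.conf text ($1): findings go to stderr, their count to stdout.
audit_cupsd_conf() {
  conf="$1"; findings=0

  # 1. Network exposure: 'Port' binds every interface, as does a 'Listen'
  #    on anything other than loopback or a domain socket.
  if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*Port[[:space:]]'; then
    echo "FINDING: Port binds all interfaces; prefer 'Listen localhost:631'" >&2
    findings=$((findings + 1))
  fi
  if printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*Listen[[:space:]]' |
     grep -Eiv 'localhost|127\.0\.0\.1|\[::1\]|Listen[[:space:]]+/' | grep -q .; then
    echo "FINDING: Listen on a non-loopback address exposes cupsd to the network" >&2
    findings=$((findings + 1))
  fi

  # 2. Queues shared and advertised by default (the shared legacy queues
  #    the first flaw depends on).
  if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*(Browsing|DefaultShared)[[:space:]]+(On|Yes)'; then
    echo "FINDING: Browsing/DefaultShared enabled; queues are shared by default" >&2
    findings=$((findings + 1))
  fi

  # 3. Anonymous job submission: a <Limit> over the job operations with no AuthType.
  counts=$(limit_auth_counts 'Print-Job|Create-Job|Print-URI|Send-Document|Send-URI' "$conf")
  without=${counts#* }
  if [ "$without" -gt 0 ]; then
    echo "FINDING: $without <Limit> block(s) accept print jobs without AuthType" >&2
    findings=$((findings + 1))
  fi

  # 4. Local printer creation (the step the escalation stage relies on) is
  #    not limited to authenticated administrators. Operation name assumed.
  counts=$(limit_auth_counts 'CUPS-Create-Local-Printer' "$conf")
  with=${counts% *}
  if [ "$with" -eq 0 ]; then
    echo "FINDING: CUPS-Create-Local-Printer has no authenticated <Limit>" >&2
    findings=$((findings + 1))
  fi

  echo "$findings"
}

# Constructed samples: an exposed configuration and its hardened counterpart.
WEAK_CONF=$(cat <<'EOF'
Port 631
Browsing On
DefaultShared Yes
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
)
HARD_CONF=$(cat <<'EOF'
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
DefaultShared No
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job Send-Document Send-URI>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
  <Limit CUPS-Create-Local-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
)

echo "exposed config:  $(audit_cupsd_conf "$WEAK_CONF") finding(s)"   # 4
echo "hardened config: $(audit_cupsd_conf "$HARD_CONF") finding(s)"   # 0
```

Run it against a copy of the live file with `audit_cupsd_conf "$(cat /etc/cups/cupsd.conf)"` to see which of the four conditions apply; the first two findings correspond to what `cupsctl --no-remote-any --no-share-printers` changes, while the policy findings require editing the `<Limit>` blocks by hand. The script only inspects the configuration and does not check whether an individual queue was shared with `lpadmin -o printer-is-shared=true`, so a clean result still leaves per-printer sharing to verify separately.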