GBHackers

CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution


A team of AI-driven vulnerability hunting agents directed by security researcher Asim Viladi Oglu Manizada has discovered two critical security flaws in CUPS, the standard printing system for Linux and Unix-like operating systems.

When chained together, these vulnerabilities allow an unauthenticated remote attacker to gain remote code execution as an unprivileged user and then escalate to a root-level file overwrite.

Because the CUPS print scheduler runs with high system privileges, this software presents a rich attack surface for threat actors looking to compromise servers.

CVE-2026-34980: Remote Code Execution via PostScript Queues

The first vulnerability is tracked as CVE-2026-34980 and allows an attacker to execute malicious code over the network.

This issue impacts systems configured to expose a shared PostScript print queue without requiring user authentication.

By default, the CUPS system accepts anonymous print job requests on shared queues. The vulnerability stems from a parsing error in how the software handles print job attributes.

When an attacker smuggles a newline character into a print option, the CUPS software fails to properly strip that character out during processing.

This failure allows the attacker’s embedded text to survive the system’s security checks. As a result, the attacker can inject a trusted configuration command into the queue’s settings.

By modifying the queue configuration, the attacker forces the system to launch an arbitrarily chosen program as a print filter. This grants remote code execution on the compromised machine under the default print service user account.
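The bug class behind this flaw is newline injection into a line-oriented settings file: a value that survives with an embedded newline is read back as two directives. The following added example (not code from the article or from the CUPS project) shows a naive writer beside a hardened one; the `Key value` one-directive-per-line format and the directive names are hypothetical stand-ins, not CUPS's real file syntax.

```python
"""Added example (not from the article or the CUPS project): how a smuggled
newline turns one print option into two configuration directives, and the
validation that prevents it.

The 'Key value' one-directive-per-line format used here is hypothetical; it
stands in for any line-oriented settings file, not CUPS's real file syntax.
"""
import re

# Any control character (newline, carriage return, NUL, ...) is a line or
# record terminator somewhere; none of them belongs inside a single value.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def serialize_naive(options: dict) -> str:
    """Vulnerable writer: trusts option values and emits them verbatim."""
    return "".join(f"{key} {value}\n" for key, value in options.items())


def serialize_hardened(options: dict) -> str:
    """Safe writer: refuses any key or value carrying a control character."""
    for key, value in options.items():
        if _CONTROL.search(key) or _CONTROL.search(value):
            raise ValueError(f"control character in option {key!r}")
    return serialize_naive(options)


def parse(text: str) -> dict:
    """Reader side: every non-empty line is treated as a trusted directive."""
    directives = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            directives[key] = value
    return directives


def directives_after_roundtrip(options: dict, serializer) -> dict:
    """What the reader will see after `serializer` writes `options` to disk."""
    return parse(serializer(options))


if __name__ == "__main__":
    # Constructed request: the client controls 'job-name' and embeds a newline
    # followed by a second, hypothetical directive.
    untrusted = {"job-name": "report\nAnotherDirective injected", "copies": "1"}
    print(directives_after_roundtrip(untrusted, serialize_naive))
    # -> {'job-name': 'report', 'AnotherDirective': 'injected', 'copies': '1'}
    try:
        serialize_hardened(untrusted)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the request is preferable to stripping: a filter that removes only `\n` leaves `\r` and other separators in place, and the check has to run on the exact string the writer will emit, after any decoding of the wire format, or the stripped form and the written form can differ.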

CVE-2026-34990: Local Privilege Escalation to Root

The second vulnerability, identified as CVE-2026-34990, allows any low-privileged local user to perform a system takeover by overwriting critical files as the root user.

Unlike the first flaw, this local privilege escalation works against the default configuration of the CUPS printing system. The attack begins when a compromised local user sets up a fake, temporary local printer listening on a specific network port.

When the CUPS system attempts to validate this newly created printer, the attacker intercepts the process and forces the system to hand over its highly privileged local administrator token.

Armed with this stolen token, the attacker quickly creates a second temporary queue pointing to a sensitive local file path, as reported by heyitsas.

By winning a brief race condition before the system cleans up the temporary queue, the attacker can share the printer and print directly into restricted system files. This effectively overwrites files with malicious content to grant full root access.

As of early April 2026, public code commits exist to fix these vulnerabilities, but a formal patched release is not yet available.

System administrators are strongly advised to disable network exposure for CUPS. If a shared print queue must be used, administrators should enforce strict authentication requirements.

Furthermore, ensuring that the CUPS service operates under a robust security module like AppArmor or SELinux will restrict the files the service can access. This containment strategy significantly reduces the impact by blocking unauthorized file overwrites.
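To turn the two mitigations above into something checkable, here is an added example (not code from the article or the CUPS project) that reads a `cupsd.conf` and flags the exposures they target: non-loopback `Listen`/`Port` directives, `Browsing On`, and `<Location>` blocks reachable from beyond localhost without `AuthType`/`Require`. Both configurations embedded in it are constructed for illustration, one weak and one hardened.

```python
"""Added example (not from the article or the CUPS project): a small audit of
cupsd.conf for the exposures the article's mitigation advice targets, namely
network listeners, queue browsing, and Location blocks reachable from beyond
localhost without authentication. Both configurations below are constructed
for illustration.
"""
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

# 'Port N' or 'Listen <addr>' where <addr> is neither loopback nor a Unix socket.
NETWORK_LISTEN = re.compile(
    r"^(Port\s+\d+|Listen\s+(?!localhost|127\.0\.0\.1|\[::1\]|/)\S+)", re.I
)


def audit_cupsd_conf(text: str) -> list:
    """Return human-readable findings for the risky settings found in `text`."""
    findings = []
    location = None   # name of the <Location> block currently being read
    block = None      # {'allow': [...], 'auth': bool} for that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if NETWORK_LISTEN.match(line):
            findings.append(f"network listener: {line}")
        elif re.match(r"^Browsing\s+On$", line, re.I):
            findings.append("Browsing On advertises queues to the network")
        opened = re.match(r"^<Location\s+(\S+)>$", line, re.I)
        if opened:
            location, block = opened.group(1), {"allow": [], "auth": False}
        elif location is not None:
            if line.lower() == "</location>":
                exposed = [a for a in block["allow"] if a.lower() not in LOOPBACK]
                if exposed and not block["auth"]:
                    findings.append(
                        f"<Location {location}> allows {' '.join(exposed)} "
                        "without AuthType/Require"
                    )
                location, block = None, None
                continue
            allow = re.match(r"^Allow\s+(.+)$", line, re.I)
            if allow:
                hosts = allow.group(1).split()
                if hosts and hosts[0].lower() == "from":   # 'Allow from all' form
                    hosts = hosts[1:]
                block["allow"].extend(hosts)
            if re.match(r"^(AuthType\s+(?!None\b)\S+|Require\s+\S+)", line, re.I):
                block["auth"] = True
    return findings


WEAK_CONF = """\
# constructed: listens on every interface, advertises queues, anonymous root path
Listen *:631
Browsing On
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow @LOCAL
  AuthType Default
  Require user @SYSTEM
</Location>
"""

HARDENED_CONF = """\
# constructed: loopback only, no browsing; if queues are shared later,
# the /printers path still requires a login
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
  Allow localhost
</Location>
<Location /printers>
  Order allow,deny
  Allow @LOCAL
  AuthType Default
  Require valid-user
</Location>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_cupsd_conf(conf) or ["no findings"])
```

The audit only reads access-control directives; the `<Policy>`/`<Limit>` sections that decide which IPP operations require authentication are not parsed, so a clean result here does not by itself mean anonymous printing is off. Whether an AppArmor or SELinux profile actually confines `cupsd` is a separate check on the host (`aa-status`, or `sestatus`/`getenforce`), not something the configuration file can tell you.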
