CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User - CyberSecurityNews
By Abinaya
April 8, 2026
A critical vulnerability chain in the Common Unix Printing System (CUPS) allows unauthenticated remote attackers to execute arbitrary malicious code with root system privileges.
Security researcher Asim Viladi Oglu Manizada and his team discovered two zero-day flaws, officially tracked as CVE-2026-34980 and CVE-2026-34990, that affect CUPS versions 2.4.16 and older.
The sophisticated attack chain escalates a network intrusion into a complete system takeover by exploiting legacy print queues and manipulating localhost authentication mechanisms.
Bypassing Authentication with Legacy Queues
The first stage of the attack exploits CVE-2026-34980, targeting the default policy of the CUPS server, which accepts anonymous print jobs when a shared PostScript queue is exposed over a network.
By sending a maliciously crafted print request to this queue, a remote attacker can bypass the authentication layer and manipulate the internal queue configuration.
The vulnerability stems from a parsing bug where embedded newline characters in job attributes survive the system’s escaping process, allowing attackers to smuggle malicious commands into trusted scheduler control records.
Injecting a malicious filter entry into the PostScript Printer Description file grants the attacker remote code execution capabilities as the unprivileged “lp” service user.
Once initial access is achieved, the threat actor leverages the second vulnerability, CVE-2026-34990, to escalate privileges from the compromised “lp” user to full root access.
The default policy allows any low-privilege account to command the CUPS service to create a temporary local printer on the localhost interface without administrative approval.
By setting up a malicious fake printer listener, the attacker intercepts the setup process and coerces the CUPS daemon into authenticating with a reusable local authorization token.
Using this stolen admin token, the attacker exploits a race condition to bypass normal device URI restrictions, converting the temporary printer into a persistent queue pointing directly to a sensitive system file path, resulting in an arbitrary root file overwrite.
As of early April 2026, there are no official software patches available to resolve these vulnerabilities.
However, the initial remote code execution flaw requires the deliberate configuration choice of exposing a shared PostScript queue over the network.
To mitigate this threat, administrators should disable shared legacy queues, limit network exposure of the CUPS daemon, or enforce strict authentication for all print job submissions, as highlighted by heyitsas.
Operating the CUPS service under robust mandatory access control systems like AppArmor or SELinux can also limit the blast radius by preventing compromised processes from modifying critical files outside their safe environments.
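The following is an added example, not from the article or the CUPS project, of checking a host's configuration against the mitigations above: it flags network listeners, job-submission limits without authentication, and shared queues. The config excerpts are constructed samples, the `audit` function and its finding labels are hypothetical, and it flags every shared queue rather than only PostScript ones.

```python
import re

# Constructed sample excerpts of cupsd.conf and printers.conf (not from a real host).
SAMPLE_CUPSD = """\
Listen 0.0.0.0:631
Listen /run/cups/cups.sock
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
    AuthType Default
    Require user @SYSTEM
  </Limit>
</Policy>
"""
SAMPLE_PRINTERS = """\
<Printer legacy-ps>
DeviceURI socket://192.0.2.10:9100
Shared Yes
</Printer>
<Printer office>
DeviceURI ipp://192.0.2.11/ipp/print
Shared No
</Printer>
"""

LOCAL = ("localhost", "127.0.0.1", "[::1]", "/")  # loopback hosts or a socket path
AUTH = re.compile(r"^\s*(AuthType\s+(?!None)\S|Require\s+\S)", re.M | re.I)

def audit(cupsd_conf, printers_conf):
    findings = []
    # 1. Network exposure: any Port line, or Listen on a non-loopback address.
    for m in re.finditer(r"^\s*(Listen|Port)\s+(\S+)", cupsd_conf, re.M | re.I):
        if m.group(1).lower() == "port" or not m.group(2).startswith(LOCAL):
            findings.append(f"network-listener: {m.group(1)} {m.group(2)}")
    # 2. Job-submission limits with no AuthType/Require accept anonymous jobs.
    for m in re.finditer(r"<Limit\s+([^>]*)>(.*?)</Limit>", cupsd_conf, re.S | re.I):
        ops, body = m.group(1).split(), m.group(2)
        if {"Print-Job", "Create-Job"} & set(ops) and not AUTH.search(body):
            findings.append("anonymous-jobs: job submission limit has no authentication")
    # 3. Queues marked as shared in printers.conf.
    for m in re.finditer(r"<(?:Default)?Printer\s+(\S+)>(.*?)</(?:Default)?Printer>", printers_conf, re.S | re.I):
        if re.search(r"^\s*Shared\s+Yes\b", m.group(2), re.M | re.I):
            findings.append(f"shared-queue: {m.group(1)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CUPSD, SAMPLE_PRINTERS)))
```

On a real host the two inputs would be the contents of the scheduler's `cupsd.conf` and `printers.conf`; an empty result means none of the three conditions was found, not that the host is unaffected.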