Critical CUPS Vulnerability Chain Enables Remote Root Access
Security researchers led by Asim Viladi Oglu Manizada have uncovered a pair of zero-day vulnerabilities in the Common Unix Printing System (CUPS), tracked as CVE-2026-34980 and CVE-2026-34990, which allow unauthenticated remote attackers to execute arbitrary code with root privileges. The flaws affect CUPS versions 2.4.16 and older, posing a severe risk of full system compromise.
The attack exploits a two-stage chain, beginning with CVE-2026-34980, which targets CUPS’ default policy of accepting anonymous print jobs on exposed shared PostScript queues. By sending a maliciously crafted print request containing embedded newline characters, attackers bypass authentication and inject malicious commands into the scheduler’s control records. This grants remote code execution (RCE) as the unprivileged "lp" user.
The second flaw, CVE-2026-34990, enables privilege escalation to root. Attackers exploit CUPS’ policy allowing low-privilege accounts to create temporary local printers without admin approval. By intercepting the setup process, they steal a reusable local authorization token, then manipulate a race condition to overwrite system files, achieving arbitrary root file access.
As of early April 2026, no official patches are available. The initial RCE requires exposed shared PostScript queues, a deliberate configuration choice. Mitigation strategies include disabling legacy queues, restricting CUPS network exposure, enforcing strict authentication, and deploying mandatory access controls (AppArmor/SELinux) to limit damage from compromised processes.
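An added example, not from the original article or the CUPS project: a Python audit of the settings the mitigations above address (non-loopback listeners, a default policy that accepts Print-Job without a Require line, and shared queues). The configuration text is constructed sample data and the queue names are hypothetical; the check does not detect either CVE and cannot tell which queues are PostScript.

```python
import re

# Constructed sample configs (not from the article): an exposed, anonymous setup.
CUPSD_CONF = """\
Listen 0.0.0.0:631
Browsing On
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
</Policy>
"""
PRINTERS_CONF = """\
<Printer legacy_ps>
Shared Yes
</Printer>
<Printer office>
Shared No
</Printer>
"""

LOOPBACK = ("localhost", "127.0.0.1", "[::1]", "/")  # "/" = UNIX domain socket path

def audit(cupsd_conf, printers_conf):
    """Return findings for network-reachable, unauthenticated print queues."""
    findings = []
    # Port always binds every interface; Listen is fine only on loopback/socket.
    for m in re.finditer(r"^\s*(Listen|Port)\s+(\S+)", cupsd_conf, re.M | re.I):
        if m.group(1).lower() == "port" or not m.group(2).lower().startswith(LOOPBACK):
            findings.append(f"network listener: {m.group(1)} {m.group(2)}")
    if re.search(r"^\s*Browsing\s+(On|Yes)\b", cupsd_conf, re.M | re.I):
        findings.append("Browsing enabled: shared queues are advertised")
    # A job-submission <Limit> with no Require line accepts anonymous jobs.
    policy = re.search(r"<Policy default>(.*?)</Policy>", cupsd_conf, re.S | re.I)
    limits = re.findall(r"<Limit ([^>]*)>(.*?)</Limit>", policy.group(1) if policy else "", re.S | re.I)
    for ops, body in limits:
        if "Print-Job" in ops.split() and not re.search(r"^\s*Require\b", body, re.M | re.I):
            findings.append("default policy accepts Print-Job without authentication")
    for name, body in re.findall(r"<(?:Default)?Printer (\S+)>(.*?)</(?:Default)?Printer>", printers_conf, re.S):
        if re.search(r"^\s*Shared\s+Yes\b", body, re.M | re.I):
            findings.append(f"shared queue: {name}")
    return findings

if __name__ == "__main__":
    for finding in audit(CUPSD_CONF, PRINTERS_CONF):
        print(finding)
```

On a real host, pass in the contents of /etc/cups/cupsd.conf and /etc/cups/printers.conf; an empty result means none of these three exposure conditions was found in the files.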
Source: https://cybersecuritynews.com/cups-vulnerability-remote-attack/
commonwealth.com cybersecurity rating report: https://www.rankiteo.com/company/commonwealth
"id": "COM1775622252",
"linkid": "commonwealth",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/IT Infrastructure',
'type': 'Software/System'}],
'attack_vector': 'Remote',
'date_detected': '2026-04',
'date_publicly_disclosed': '2026-04',
'description': 'Security researchers led by Asim Viladi Oglu Manizada have '
'uncovered a pair of zero-day vulnerabilities in the Common '
'Unix Printing System (CUPS), tracked as CVE-2026-34980 and '
'CVE-2026-34990, which allow unauthenticated remote attackers '
'to execute arbitrary code with root privileges. The flaws '
'affect CUPS versions 2.4.16 and older, posing a severe risk '
'of full system compromise.',
'impact': {'operational_impact': 'Full system compromise with root privileges',
'systems_affected': 'Systems running CUPS versions 2.4.16 and '
'older'},
'initial_access_broker': {'entry_point': 'Exposed shared PostScript queues'},
'post_incident_analysis': {'root_causes': ['Two-stage vulnerability chain in '
'CUPS (CVE-2026-34980 and '
'CVE-2026-34990)',
'Exposed shared PostScript queues '
'with anonymous print job '
'acceptance',
'Race condition enabling privilege '
'escalation']},
'recommendations': ['Disable legacy queues',
'Restrict CUPS network exposure',
'Enforce strict authentication',
'Deploy mandatory access controls (AppArmor/SELinux)'],
'references': [{'source': 'Security Research by Asim Viladi Oglu Manizada'}],
'response': {'containment_measures': ['Disabling legacy queues',
'Restricting CUPS network exposure',
'Enforcing strict authentication',
'Deploying mandatory access controls '
'(AppArmor/SELinux)']},
'title': 'Critical CUPS Vulnerability Chain Enables Remote Root Access',
'type': 'Zero-Day Vulnerability',
'vulnerability_exploited': ['CVE-2026-34980', 'CVE-2026-34990']}