Full Report
CUPS server shown spilling out remote code execution and root access
In the latest chapter on leaky CUPS, a security researcher and his band of bug-hunting agents have found two flaws that can be chained to allow an unauthenticated attacker to remotely execute code and achieve root file overwrite on the network.…
Analysis Summary
# Vulnerability: CUPS PostScript Queue RCE and Root Privilege Escalation Chain
## CVE Details
- **CVE ID:** CVE-2026-34980 (RCE), CVE-2026-34990 (Privilege Escalation)
- **CVSS Score:** Not specified in article (Severity: High/Critical when chained)
- **CWE:** Improper Input Validation / Injection (CVE-2026-34980); Broken Access Control / Credential Leakage (CVE-2026-34990)
## Affected Systems
- **Products:** CUPS (Common Unix Printing System)
- **Versions:** Affected version includes **2.4.16**
- **Configurations:**
  - **CVE-2026-34980:** Requires the CUPS server to be network-reachable and expose a **shared PostScript queue**.
  - **CVE-2026-34990:** Affects default configurations.
## Vulnerability Description
Two vulnerabilities can be chained to achieve Remote Code Execution (RCE) with Root privileges:
1. **CVE-2026-34980 (Remote Code Execution):** CUPS incorrectly handles newline escaping in option strings. An attacker can embed malicious content in an anonymous print job. Because CUPS treats "PPD:" as a trusted control record, the attacker can modify the queue configuration to inject malicious entries and trick the server into executing local binaries (e.g., `/usr/bin/vim`) as the `lp` user.
2. **CVE-2026-34990 (Root File Overwrite):** An authorization flaw allows a local user to trick the CUPS scheduler daemon (`cupsd`) into authenticating to an attacker-controlled localhost IPP service. This leaks a reusable `Authorization: Local ...` token, which provides the permissions necessary to perform arbitrary root file overwrites.
## Exploitation
- **Status:** PoC available (contained within maintainer-released advisories). No confirmed exploitation in the wild as of the report date.
- **Complexity:** Low (Trivially exploitable via automated tools or LLMs).
- **Attack Vector:** Network (unauthenticated) when chained; Local (for the privilege escalation component).
## Impact
- **Confidentiality:** High (Full system access via Root)
- **Integrity:** High (Ability to overwrite any file on the system)
- **Availability:** High (Potential for system disruption/deletion)
## Remediation
### Patches
- As of the article date, a new official version (e.g., 2.4.17) is pending, but **public commits with fixes** are available on the OpenPrinting GitHub repository.
- Users should monitor their distribution’s package manager for emergency CUPS updates.
### Workarounds
- **Disable Shared Queues:** Ensure CUPS is not configured to share printers over the network unless absolutely necessary.
- **Firewalling:** Restrict access to the CUPS port (default 631) to trusted internal IP addresses only.
- **Disable PostScript Queues:** Temporarily remove shared PostScript-specific queues if they are not critical to operations.
## Detection
- **Indicators of Compromise:**
  - Unusual child processes spawned by `cupsd` (e.g., unexpected binaries like `vim` or shells running under the `lp` user).
  - Modification of PPD files in `/etc/cups/ppd/`.
  - Localhost IPP traffic directed toward non-standard or unauthorized local ports.
- **Detection methods:** Audit CUPS logs and monitor for "PPD:" injections in job submission metadata.
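The two host-side indicators above (unexpected `lp` children of `cupsd`, and a "PPD:" control record smuggled into a job option string via newline escaping) can be turned into simple checks. The following is an added example written for this summary, not code from the article, the researcher, or the OpenPrinting project. It assumes that legitimate CUPS filters and backends live under `/usr/lib/cups/filter/` and `/usr/lib/cups/backend/` (adjust for `/usr/lib64/cups` or `/usr/libexec/cups` on other distributions), and the process records and job options it scans are constructed sample data.

```python
"""Detection helpers for the CUPS indicators listed above (added example, not from the article)."""
from dataclasses import dataclass
from typing import Iterable

# Assumption: on the monitored hosts, anything cupsd legitimately runs as `lp`
# is a filter or backend installed under one of these directories.
EXPECTED_CUPS_EXEC_PREFIXES = ("/usr/lib/cups/filter/", "/usr/lib/cups/backend/")


@dataclass(frozen=True)
class Proc:
    """One process record, as a collector might take it from /proc or ps."""
    pid: int
    ppid: int
    user: str
    exe: str


def find_suspicious_cupsd_children(procs: Iterable[Proc]) -> list[Proc]:
    """Return children of cupsd that run as `lp` but are not CUPS filters or backends.

    A filter chain executing /usr/bin/vim or /bin/sh under `lp` matches the
    first indicator of compromise in the report.
    """
    procs = list(procs)
    cupsd_pids = {p.pid for p in procs if p.exe.endswith("/cupsd")}
    return [
        p
        for p in procs
        if p.ppid in cupsd_pids
        and p.user == "lp"
        and not p.exe.startswith(EXPECTED_CUPS_EXEC_PREFIXES)
    ]


def option_contains_ppd_control(option_value: str) -> bool:
    """Flag a job option value that carries a raw or escaped newline followed by 'PPD:'.

    The report describes CUPS treating "PPD:" as a trusted control record and
    mishandling newline escaping in option strings; a legitimate option value
    never needs to begin a new "PPD:" record after a line break.
    """
    normalized = option_value.replace("\\r", "\n").replace("\\n", "\n").replace("\r", "\n")
    return any(line.lstrip().startswith("PPD:") for line in normalized.split("\n")[1:])


def scan_options(options: dict[str, str]) -> list[str]:
    """Return the names of job options whose values smuggle a 'PPD:' record."""
    return [name for name, value in options.items() if option_contains_ppd_control(value)]


# Constructed sample data (not real telemetry).
SAMPLE_PROCS = [
    Proc(pid=100, ppid=1, user="root", exe="/usr/sbin/cupsd"),
    Proc(pid=101, ppid=100, user="lp", exe="/usr/lib/cups/filter/pdftops"),
    Proc(pid=102, ppid=100, user="lp", exe="/usr/lib/cups/backend/ipp"),
    Proc(pid=103, ppid=100, user="lp", exe="/usr/bin/vim"),
    Proc(pid=104, ppid=100, user="lp", exe="/bin/sh"),
]
SAMPLE_OPTIONS = {
    "media": "A4",
    "job-name": "quarterly report",
    "suspicious": "x\\nPPD: placeholder-record",  # escaped newline then a control record
}

if __name__ == "__main__":
    for p in find_suspicious_cupsd_children(SAMPLE_PROCS):
        print(f"ALERT pid={p.pid} user={p.user} exe={p.exe} (child of cupsd)")
    for name in scan_options(SAMPLE_OPTIONS):
        print(f"ALERT option {name!r} carries an embedded PPD: control record")
```

Feed `find_suspicious_cupsd_children` a periodic process snapshot and `scan_options` the per-job option metadata you already collect from CUPS logs; both return the offending records so they can be forwarded to a SIEM rather than only printed.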
## References
- Vendor Advisory (CVE-2026-34980): hxxps://github[.]com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
- Vendor Advisory (CVE-2026-34990): hxxps://github[.]com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
- Researcher Analysis: hxxps://heyitsas[.]im/posts/cups/