CUPS security advisory (AV26-326)
Analysis Summary
# Vulnerability: CUPS Remote Code Execution and Information Disclosure
## CVE Details
- **CVE-2026-34980**
  - **CVSS Score:** 9.8 (Critical)
  - **CWE:** Not stated in the advisory; the description is consistent with CWE-94 (Improper Control of Generation of Code, "Code Injection")
- **CVE-2026-34990**
  - **CVSS Score:** 7.5 (High)
  - **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products:** OpenPrinting Common UNIX Printing System (CUPS)
- **Versions:** 2.4.16 and earlier.
- **Configurations:** Hosts running `cupsd` with PostScript queues shared to the network (CVE-2026-34980), or with temporary printers in use (CVE-2026-34990).
## Vulnerability Description
The advisory describes two issues in the OpenPrinting CUPS framework that the referenced analysis chains together:
- **CVE-2026-34980:** A shared PostScript queue accepts anonymous `Print-Job` requests over the network, and attacker-supplied PostScript reaches the queue's filter chain without adequate validation. The result is remote code execution on the spooler host with the privileges of the printing service (the filters run as the CUPS filter user, `lp` on most distributions).
- **CVE-2026-34990:** A flaw in the handling of temporary printers discloses local print administrator tokens. With a token, an attacker can perform administrative actions on the printing subsystem; combined with the code execution above, this is the privilege-escalation half of the chain.
## Exploitation
- **Status:** Public technical analysis with proof-of-concept details is available (the referenced write-up describes a "Remote Unauth'd RCE-to-root Chain").
- **Complexity:** Low to Medium, depending on whether a PostScript queue is shared and reachable from the attacker's network position.
- **Attack Vector:** Network (remote, unauthenticated).
## Impact
- **Confidentiality:** High (Token disclosure and potential access to printed documents).
- **Integrity:** High (Arbitrary code execution on the spooler).
- **Availability:** High (Potential to crash the print service or take over the host).
## Remediation
### Patches
- The summary lists 2.4.16 and earlier as affected, so the first fixed upstream release is presumably **2.4.17**; confirm the exact fixed version against the OpenPrinting advisories linked below before closing the finding.
- On Debian, Ubuntu, RHEL and other distributions the fix is usually backported to the packaged version rather than shipped as 2.4.17; check the distribution's security tracker and apply the patched `cups` package.
### Workarounds
- **Disable Network Sharing:** If network printing is not required, set `Browsing Off` in `cupsd.conf`, mark queues as not shared (`lpadmin -p <queue> -o printer-is-shared=false`, or `cupsctl --no-share-printers` for all queues), and bind the daemon to loopback only (`Listen localhost:631` instead of `Port 631`). Shared PostScript queues are the precondition for the anonymous `Print-Job` path.
- **Restrict Access:** Block TCP 631 (IPP) and UDP 631 (legacy browsing) from untrusted networks with host or perimeter firewall rules, and keep the `<Location />` and `<Location /admin>` `Allow` rules in `cupsd.conf` limited to the hosts that actually need to print or administer.
- **Stop CUPS Service:** Where printing is not essential, stop and mask the `cups` service. On systemd distributions also disable `cups.socket` and `cups.path`, which can otherwise re-activate the daemon on demand, and `cups-browsed` where it is installed.
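The following is an added example, not code from the advisory or the CUPS project: a small Python audit of `cupsd.conf` that flags the settings the workarounds above tell you to change, shown against a constructed permissive configuration and a constructed hardened one. It recognises only the directives it names (`Port`, `Listen`, `Browsing`, and `Allow` inside `<Location>` blocks); per-queue sharing lives in `printers.conf` and is out of its scope.

```python
"""Audit a cupsd.conf for settings that expose queues to untrusted networks.

Added example (not from the advisory or the CUPS project). Only the
directives named below are understood; everything else is ignored.
Both configuration texts are constructed for illustration.
"""
import re

# Constructed example of a permissive cupsd.conf: network-wide listener,
# browsing enabled, and every client allowed to reach the root and admin paths.
WEAK_CONF = """\
Port 631
Browsing On
DefaultAuthType Basic
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>
"""

# Constructed example after applying the workarounds above.
HARDENED_CONF = """\
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
DefaultAuthType Basic
<Location />
  Order allow,deny
  Allow localhost
</Location>
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]", "::1"}


def _listen_is_network_wide(arg: str) -> bool:
    """Listen takes host:port, a bare port, or a UNIX domain-socket path."""
    if arg.startswith("/"):
        return False  # domain socket: local clients only
    if arg.isdigit():
        return True  # bare port binds every interface
    host, _, _port = arg.rpartition(":")
    return host not in LOOPBACK


def audit_cupsd_conf(text: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    location = None  # path of the <Location> block we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            location = m.group(1)
            continue
        if line.lower() == "</location>":
            location = None
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "port":
            findings.append(f"Port {' '.join(args)}: binds all interfaces; use 'Listen localhost:631'")
        elif directive == "listen" and args and _listen_is_network_wide(args[0]):
            findings.append(f"Listen {args[0]}: reachable from the network; restrict to localhost")
        elif directive == "browsing" and args and args[0].lower() in ("on", "yes"):
            findings.append("Browsing On: queues are advertised to the network; set 'Browsing Off'")
        elif directive == "allow" and location is not None:
            target = args[-1].lower() if args else ""  # handles both 'Allow all' and 'Allow from all'
            if target == "all":
                findings.append(f"<Location {location}> Allow all: anonymous clients anywhere can reach this path")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit_cupsd_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Point `audit_cupsd_conf` at the contents of `/etc/cups/cupsd.conf` on a real host; a clean result from this check still says nothing about `printer-is-shared` on individual queues, which `lpstat -v` and `printers.conf` show.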
## Detection
- **Indicators of compromise:**
  - Unexpected child processes of `cupsd`, or processes running as the `lp` user, that are not the filter and backend binaries under `/usr/lib/cups/filter/` and `/usr/lib/cups/backend/` (shells, interpreters, network tools).
  - Entries in `/var/log/cups/access_log` with an empty user field (`-`) and an IPP operation of `Print-Job`, `Create-Job` or `Send-Document` from addresses outside the networks expected to print.
  - Temporary or otherwise unauthorized printers visible in the CUPS web interface or listed by `lpstat -e` / `lpstat -a` that no administrator created.
- **Detection methods and tools:**
  - Monitor for outbound network connections initiated by `cupsd` or its filter processes; the spooler should only talk to its configured printers.
  - Use file integrity monitoring (FIM) on the CUPS filter and backend directories (e.g. `/usr/lib/cups/filter/`, `/usr/lib/cups/backend/`) and on `/etc/cups/`.
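As an added example that is not part of the advisory, the check below runs over `cupsd` access_log lines in the default log format (common log format followed by the IPP operation and IPP status as two trailing fields) and flags anonymous job-submission operations from addresses outside a trusted-network list. The log lines and the trusted ranges are constructed for illustration, and it assumes `HostNameLookups Off` so the first field is an IP address rather than a hostname.

```python
"""Flag anonymous Print-Job / Create-Job / Send-Document requests to cupsd
from addresses outside the trusted networks.

Added example, not from the advisory. Parses the default CUPS access_log
layout:  host group user [time] "request" status bytes ipp-op ipp-status
Sample log lines and trusted ranges below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, NamedTuple

ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'(?P<ipp_op>\S+) (?P<ipp_status>\S+)$'
)

# IPP operations that deliver job data to the filter chain; anonymous use of
# these from an untrusted network is the path the RCE described above relies on.
JOB_SUBMISSION_OPS = {"Print-Job", "Create-Job", "Send-Document"}

# Assumption for this example: loopback plus one RFC 1918 range may print.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
]


class Finding(NamedTuple):
    host: str
    ipp_op: str
    resource: str
    time: str


def is_trusted(host: str) -> bool:
    """True for addresses inside TRUSTED_NETWORKS; a non-IP hostname is trusted
    only if it is literally 'localhost'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_anonymous_remote_jobs(lines) -> List[Finding]:
    """Return one Finding per anonymous job-submission request from an untrusted host."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line.strip())
        if not m:
            continue  # not the default format; skip rather than guess
        if m["ipp_op"] not in JOB_SUBMISSION_OPS:
            continue
        if m["user"] != "-":
            continue  # authenticated request; not the anonymous path
        if is_trusted(m["host"]):
            continue
        parts = m["request"].split()  # "POST /printers/Office HTTP/1.1"
        resource = parts[1] if len(parts) >= 2 else m["request"]
        findings.append(Finding(m["host"], m["ipp_op"], resource, m["time"]))
    return findings


# Constructed sample: an authenticated local job, an anonymous job from the
# trusted LAN, and two anonymous job submissions from an outside address.
SAMPLE_LOG = """\
127.0.0.1 - alice [18/Mar/2026:09:02:11 +0000] "POST /printers/Office HTTP/1.1" 200 18442 Print-Job successful-ok
10.0.4.7 - - [18/Mar/2026:09:03:40 +0000] "POST /printers/Office HTTP/1.1" 200 9120 Print-Job successful-ok
203.0.113.45 - - [18/Mar/2026:09:05:02 +0000] "POST /printers/Office HTTP/1.1" 200 512300 Print-Job successful-ok
203.0.113.45 - - [18/Mar/2026:09:05:03 +0000] "POST /printers/Office HTTP/1.1" 200 0 Get-Printer-Attributes successful-ok
203.0.113.45 - - [18/Mar/2026:09:05:19 +0000] "POST /printers/Office HTTP/1.1" 200 498111 Send-Document successful-ok
"""


if __name__ == "__main__":
    for f in find_anonymous_remote_jobs(SAMPLE_LOG.splitlines()):
        print(f"ALERT anonymous {f.ipp_op} to {f.resource} from {f.host} at {f.time}")
```

Feed it `/var/log/cups/access_log` (and rotated copies) from the host under review; `Get-Printer-Attributes` probes from the same source are not flagged on their own but are worth correlating once a job submission has been seen.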
## References
- [Canadian Centre for Cyber Security Advisory](hXXps://www.cyber.gc.ca/en/alerts-advisories/cups-security-advisory-av26-326)
- [OpenPrinting Advisory (CVE-2026-34990)](hXXps://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp)
- [OpenPrinting Advisory (CVE-2026-34980)](hXXps://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf)
- [Technical Analysis - Spooler Alert](hXXps://heyitsas.im/posts/cups/)