Security researcher Asim has identified two high-severity vulnerabilities in the Common Unix Printing System (CUPS), the standard printing architecture for Linux and Unix-like operating systems. The flaws, tracked as CVE-2026-34980 and CVE-2026-34990, can be chained to allow an unauthenticated remote attacker to achieve remote code execution (RCE) and subsequently gain root file system access.
CUPS manages print jobs through a complex, network-exposed server. The research highlights that the service processes untrusted printer metadata and configuration files, creating a significant attack surface. By exploiting a parsing bug in shared PostScript queues, an attacker can manipulate the system into executing arbitrary code under the 'lp' service user account.
Exploiting local print administration
The second vulnerability, CVE-2026-34990, provides a path for local privilege escalation. An unprivileged user can set up a malicious listener and trick CUPS into authenticating against it. By capturing the resulting authorization token, the attacker can manipulate printer queues to overwrite arbitrary system files, such as /etc/sudoers.d, with root-level permissions.
The RCE vulnerability requires the CUPS server to be configured to share PostScript queues over a network, whereas the local privilege escalation flaw affects systems using default configurations. The researcher noted that although fixes have been committed to the project's source code, an official patched release is not yet available.
Security experts recommend that administrators immediately disable network exposure for CUPS queues. If remote printing is a business requirement, administrators should enforce strict authentication for all job submissions. Utilizing security modules like AppArmor or SELinux remains a critical defense, as these policies can restrict the impact of a potential compromise by limiting the file paths the CUPS process can access.
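The first two recommendations can be checked against a host's configuration. The following is an added example, not code from the researcher or the CUPS project: it scans the text of cupsd.conf and printers.conf for non-loopback listeners, job-submission Limit blocks that lack AuthType or Require, and queues marked Shared Yes. The sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from a real host).
CUPSD_CONF = """\
Listen /run/cups/cups.sock
Port 631
<Limit Create-Job Print-Job Print-URI Validate-Job>
  Order deny,allow
</Limit>
<Limit Cancel-Job>
  AuthType Default
  Require user @OWNER @SYSTEM
</Limit>
"""
PRINTERS_CONF = "<Printer office-ps>\nShared Yes\n</Printer>\n<Printer desk>\nShared No\n</Printer>\n"

LOCAL = ("localhost", "127.", "[::1]", "/")  # loopback names or a UNIX socket path
SUBMIT_OPS = {"Create-Job", "Print-Job"}     # IPP operations that submit jobs

def audit_cupsd(text):
    """Flag network listeners and job-submission <Limit> blocks without auth."""
    findings, ops, has_auth = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        low = line.lower()
        if low.startswith("port "):
            findings.append("listens on all interfaces: " + line)
        elif low.startswith("listen ") and not low.split()[1].startswith(LOCAL):
            findings.append("non-loopback listener: " + line)
        elif low.startswith("<limit "):
            ops, has_auth = set(line[7:-1].split()), False
        elif ops is not None and low.startswith(("authtype ", "require ")):
            has_auth = has_auth or low.split() != ["authtype", "none"]
        elif ops is not None and low == "</limit>":
            if ops & SUBMIT_OPS and not has_auth:
                findings.append("job submission without AuthType/Require")
            ops = None
    return findings

def shared_queues(text):
    """Return the names of queues marked 'Shared Yes' in printers.conf text."""
    shared, name = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"<(?:Default)?Printer\s+(\S+)>", line)
        if m:
            name = m.group(1)
        elif name and line.lower() == "shared yes":
            shared.append(name)
    return shared

if __name__ == "__main__":
    print(audit_cupsd(CUPSD_CONF), shared_queues(PRINTERS_CONF))
```

The check only inspects Limit blocks that name Create-Job or Print-Job explicitly, so a policy that relies on a catch-all block still needs manual review.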