When chained together, these vulnerabilities allow a remote attacker to execute malicious code and ultimately gain full root-level access to affected systems.
CUPS is a core component in many enterprise and server environments, responsible for managing print jobs and queues.
Because the CUPS scheduler runs with elevated system privileges, it represents a valuable target for attackers seeking to compromise systems.
The first flaw, tracked as CVE-2026-34980, enables remote code execution (RCE) on systems that expose shared PostScript print queues without authentication.
By default, CUPS allows anonymous users to submit print jobs to shared queues, which significantly increases the attack surface.
The vulnerability stems from improper input sanitization when processing print job attributes. Specifically, attackers can inject a newline character into a print option, which is not correctly filtered by the system.
This allows malicious input to bypass security checks and be interpreted as a legitimate configuration command.
By exploiting this parsing flaw, an attacker can modify printer queue settings to execute arbitrary programs as a print filter.
As a result, the attacker gains remote code execution with the privileges of the CUPS service account, providing an initial foothold on the system, as reported by heyitsas.
The second vulnerability, CVE-2026-34990, enables local privilege escalation to root. Unlike the first issue, this flaw affects default CUPS configurations and does not require special setup.
In this attack, a low-privileged user creates a fake local printer that listens on a specific port. When CUPS attempts to validate the printer, the attacker intercepts the process and tricks the system into exposing a highly privileged administrative token.
Using this token, the attacker creates another temporary print queue that points to sensitive file paths on the system.
By exploiting a race condition before the system removes the temporary queue, the attacker can write malicious content directly into protected system files.
This effectively results in arbitrary file overwrite with root privileges, allowing complete system takeover.
When combined, these two vulnerabilities form a powerful attack chain. An unauthenticated remote attacker can first gain code execution via CVE-2026-34980, then leverage CVE-2026-34990 to escalate privileges and achieve full root access.
As of early April 2026, code commits addressing these issues have been published, but official patched releases are not yet available.
Security experts strongly recommend that administrators immediately reduce exposure by disabling network access to CUPS services wherever possible. If shared printing is required, enforcing strict authentication mechanisms is critical.
Additionally, deploying security frameworks such as AppArmor or SELinux can help contain the impact of exploitation by restricting file system access.
These controls can prevent attackers from overwriting sensitive files, even if initial access is gained.
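The exposure reduction recommended above can be checked against a host's configuration. The following is an added example, not code from the original article or the CUPS project: it scans `cupsd.conf` text for listeners reachable beyond localhost and for a root `<Location />` block with no authentication. The function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample cupsd.conf text (not taken from any real system).
SAMPLE_CONF = """\
Port 631
Listen /run/cups/cups.sock
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
"""

# Listen targets that stay on the host: Unix socket paths and loopback addresses.
LOCAL_ONLY = re.compile(r"^(/|localhost(:|$)|127\.|\[::1\])", re.I)

def audit_cupsd_conf(text):
    """Return findings for network-reachable listeners and an unauthenticated root location."""
    findings, location, has_auth = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        opened = re.match(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            location, has_auth = opened.group(1), False
            continue
        if line.lower() == "</location>":
            if location == "/" and not has_auth:
                findings.append(f"line {n}: <Location /> has no AuthType/Require; "
                                "anonymous clients can reach shared queues")
            location = None
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "port":
            findings.append(f"line {n}: 'Port {value}' listens on all interfaces")
        elif key == "listen" and not LOCAL_ONLY.match(value):
            findings.append(f"line {n}: 'Listen {value}' is reachable from the network")
        elif location and key == "require":
            has_auth = True
        elif location and key == "authtype" and value.lower() != "none":
            has_auth = True
    return findings

if __name__ == "__main__":
    for finding in audit_cupsd_conf(SAMPLE_CONF):
        print(finding)
```

On a real host, pass the contents of the active `cupsd.conf` to `audit_cupsd_conf`; an empty result means neither condition was found, not that the system is patched.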
Organizations running Linux servers or networked printing services should treat these vulnerabilities as high risk and take proactive mitigation steps until official patches are released.
The post Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root appeared first on Cyber Security News.