Critical RCE-to-Root Chain Discovered in CUPS: Two Chained Vulnerabilities Enable Unauthenticated Remote Privilege Escalation
Key Takeaways
- Two critical CUPS vulnerabilities can be chained to achieve unauthenticated remote code execution escalating to root file writes
- CVE-2026-34980 exploits a PostScript queue parsing bug to execute code as the CUPS service user over the network
- CVE-2026-34990 enables local privilege escalation through auth token capture and race condition exploitation, affecting default CUPS configurations
Summary
Security researcher hnpufflib has disclosed two critical vulnerabilities in CUPS (Common Unix Printing System), CVE-2026-34980 and CVE-2026-34990, that can be chained together to allow unauthenticated remote attackers to gain root-level file write access. CVE-2026-34980 enables remote code execution as the CUPS service user (lp) by exploiting a parsing bug that treats attacker-controlled text as trusted queue configuration when submitting malicious print jobs to shared PostScript queues. CVE-2026-34990 then leverages local privilege escalation through print admin token disclosure, allowing unprivileged local users to race against CUPS validation logic and write arbitrary files to sensitive locations like /etc/sudoers.d/.
The discovery was made using a self-orchestrating team of vulnerability hunting agents. The remote RCE component (CVE-2026-34980) requires CUPS to be network-accessible with a shared PostScript queue configured, a configuration common in corporate networked printing environments but not in typical desktop setups. However, CVE-2026-34990 affects stock CUPS configurations, making it a broader threat. As of April 5, 2026, public commits with fixes exist but no patched release has been made (the latest version, 2.4.16, remains vulnerable).
- Mitigations include disabling network CUPS exposure, requiring authentication for shared queues, and enforcing AppArmor/SELinux confinement policies
- No patched CUPS release is yet available despite public fix commits being accessible
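An added example (not from the original article or the CUPS project): a Python check for the two preconditions the summary gives for CVE-2026-34980, a network-reachable cupsd and a shared queue, read from the text of cupsd.conf and printers.conf. The sample configs are constructed and the function names are hypothetical; the check does not evaluate authentication policy or whether a queue is PostScript.

```python
import ipaddress

# Constructed sample configs for this demo; not taken from a real host.
SAMPLE_CUPSD = "Listen localhost:631\nListen /run/cups/cups.sock\nPort 631\n"
SAMPLE_PRINTERS = """\
<Printer office-ps>
Shared Yes
</Printer>
<DefaultPrinter desk>
Shared No
</DefaultPrinter>
"""

def is_local(addr):
    """True for a domain socket, localhost, or a loopback IP in a Listen value."""
    if addr.startswith("/"):
        return True
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # wildcard or hostname: assume network-reachable

def directives(text):
    """Yield (lowercased key, value) per line, skipping blanks and # comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def network_listeners(cupsd):
    """Port binds every interface; a Listen line counts unless it is local."""
    return [f"{k} {v}" for k, v in directives(cupsd)
            if k == "port" or (k == "listen" and not is_local(v))]

def shared_queues(printers):
    """Names of queues whose printers.conf block sets Shared to yes."""
    shared, name = [], None
    for k, v in directives(printers):
        if k in ("<printer", "<defaultprinter"):
            name = v.rstrip(">")
        elif k == "shared" and name and v.lower() in ("yes", "on", "true"):
            shared.append(name)
    return shared

def exposed_queues(cupsd, printers):
    """Shared queues matter only if cupsd is also reachable over the network."""
    return shared_queues(printers) if network_listeners(cupsd) else []
```

On a real host the inputs would be the contents of cupsd.conf and printers.conf, usually under /etc/cups/; an empty result from `exposed_queues` means the remote precondition is not met, not that the local issue (CVE-2026-34990) is absent.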
Editorial Opinion
This vulnerability chain represents a sophisticated attack on a critical system component found across Unix-like environments, demonstrating how legacy features like PostScript queue support can introduce severe security risks. The research highlights the importance of both defense-in-depth approaches (mandatory access controls like SELinux/AppArmor) and responsible disclosure practices. Organizations running CUPS in networked environments should prioritize immediate patching once available, and interim mitigations should be applied urgently given the public availability of proof-of-concept exploits.



