CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User

Asim Viladi Oglu Manizada and his team of security researchers found two zero-day bugs in the Common Unix Printing System. The advanced attack chain turns a network breach into a full system takeover by taking advantage of old print queues and changing how localhost authentication works. As of early April 2026, there are no official software updates that fix these security holes.

heyitsas.com suggests that administrators should turn off shared legacy queues, limit network access to the CUPS daemons, or require strict authentication for all print job submissions to reduce this threat. The official names for the vulnerabilities are CVE-2026-34980 and CVE-2026-34990. They affect CUPS versions 2.4.16 and older, and they won't be fixed until at least May 2026.

You can get private help by calling the National Suicide Prevention Lifeline at 1-800-273-8255 or going to http://www.suicidepreventionlifeline.org/. If you need help in the U.S., call the national suicide prevention Lifeline at 1-877-788-5255 or go to www.suicidesprevention Lifeline.com. Call the Samaritans at 08457 90 90 90 or go to a local Samaritans branch for private help in the UK.

You can also click here. If you need help with suicidal thoughts, call the Samaritans at 08457 909090.