
CUPS has two newly discovered vulnerabilities, CVE-2026-34980 and CVE-2026-34990, that can be exploited by unauthenticated attackers for remote code execution. These flaws affect CUPS 2.4.16 and require specific network configurations, making them more relevant in corporate settings. CVE-2026-34980 allows attackers to submit print jobs to a shared PostScript queue, while CVE-2026-34990 is an authorization flaw that can be chained with the first vulnerability. Public commits for fixes are available, but no patched version has been released yet.
"CVE-2026-34980 requires the CUPS server to be reachable over the network and expose a shared PostScript queue. This configuration allows other computers on the network to share access to a printer, so it's more likely to be used in business environments."
"Assuming those prerequisites are met, CVE-2026-34980 can be used by an unauthenticated attacker to submit a print job to the shared PostScript queue and achieve remote code execution as lp."
"CVE-2026-34990 is an authorization flaw that works on the default configuration, allowing it to be chained with CVE-2026-34980 for further exploitation."
Read at Theregister
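The prerequisite quoted above for CVE-2026-34980 (a CUPS server reachable over the network that exposes a shared queue) can be checked from the server's own configuration. The following is an added example, not code from the article or the CUPS project. It assumes the usual `cupsd.conf` and `printers.conf` directive syntax, runs on constructed sample text, and does not determine whether a queue is PostScript or evaluate `<Location>` access rules.

```python
import ipaddress
import re

# Constructed sample configs for illustration (not taken from a real host).
SAMPLE_CUPSD_CONF = "Listen localhost:631\nListen /run/cups/cups.sock\nPort 631\n"
SAMPLE_PRINTERS_CONF = """\
<Printer office-ps>
Shared Yes
</Printer>
<DefaultPrinter local-only>
Shared No
</DefaultPrinter>
"""

def is_loopback(host):
    host = host.strip("[]").lower()
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or another hostname: treat as network-reachable

def network_listeners(cupsd_conf):
    # Collect Port/Listen directives that bind beyond loopback or a Unix socket.
    found = []
    for raw in cupsd_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "port":
            found.append("*:" + parts[1])  # Port binds every interface
        elif len(parts) == 2 and parts[0].lower() == "listen" and not parts[1].startswith("/"):
            if not is_loopback(parts[1].rsplit(":", 1)[0]):
                found.append(parts[1])
    return found

def shared_queues(printers_conf):
    # Names of <Printer>/<DefaultPrinter> blocks that contain "Shared Yes".
    blocks = re.findall(r"<(?:Default)?Printer\s+(\S+)>(.*?)</(?:Default)?Printer>",
                        printers_conf, re.S)
    return [name for name, body in blocks
            if re.search(r"^\s*Shared\s+Yes\s*$", body, re.M | re.I)]

def exposure(cupsd_conf, printers_conf):
    listeners, queues = network_listeners(cupsd_conf), shared_queues(printers_conf)
    return {"listeners": listeners, "shared": queues, "exposed": bool(listeners and queues)}

if __name__ == "__main__":
    print(exposure(SAMPLE_CUPSD_CONF, SAMPLE_PRINTERS_CONF))
```

On a real host, pass the contents of `/etc/cups/cupsd.conf` and `/etc/cups/printers.conf` (paths assumed to be the distribution defaults) to `exposure()`.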