
"CVE-2026-34980 requires the CUPS server to be reachable over the network and expose a shared PostScript queue. This configuration allows other computers on the network to share access to a printer, so it's more likely to be used in business environments."
"Assuming those prerequisites are met, CVE-2026-34980 can be used by an unauthenticated attacker to submit a print job to the shared PostScript queue and achieve remote code execution as lp."
"CVE-2026-34990 is an authorization flaw that works on the default configuration, allowing it to be chained with CVE-2026-34980 for further exploitation."
Two newly discovered CUPS vulnerabilities, CVE-2026-34980 and CVE-2026-34990, can be exploited by unauthenticated attackers for remote code execution. The flaws affect CUPS 2.4.16. CVE-2026-34980 requires the server to be reachable over the network and to expose a shared PostScript queue, which makes it more relevant in corporate settings; it lets an attacker submit a print job to that queue. CVE-2026-34990 is an authorization flaw that can be chained with the first vulnerability. Public commits with fixes are available, but no patched version has been released yet.
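To check a host against the CVE-2026-34980 prerequisite described above (a network-reachable server with a shared queue), the following added example, which is not from the article or the CUPS project, parses the text of `cupsd.conf` and `printers.conf`. It assumes the caller reads those files itself, the function names and sample configs are constructed for illustration, and it does not determine whether a queue is PostScript or what the `<Location>` access rules permit.

```python
import ipaddress
import re

# Constructed sample configs for the demo (not from a real host).
SAMPLE_CUPSD_CONF = "Listen localhost:631\nListen /run/cups/cups.sock\nPort 631\n"
SAMPLE_PRINTERS_CONF = (
    "<DefaultPrinter office-ps>\nShared Yes\n</DefaultPrinter>\n"
    "<Printer label-local>\nShared No\n</Printer>\n"
)

def network_listeners(cupsd_conf):
    """Listen/Port values that bind beyond loopback or a UNIX domain socket."""
    exposed = []
    for line in cupsd_conf.splitlines():
        m = re.match(r"\s*(Listen|Port)\s+(\S+)", line, re.I)
        if not m:
            continue  # comments and other directives
        directive, value = m.group(1).lower(), m.group(2)
        host = value.rsplit(":", 1)[0].strip("[]").lower()
        if directive == "listen":
            if value.startswith("/") or host == "localhost":
                continue  # domain socket or loopback name
            try:
                if ipaddress.ip_address(host).is_loopback:
                    continue
            except ValueError:
                pass  # "*" or a hostname: treat as network-facing
        exposed.append(value)  # non-loopback Listen, or Port (all addresses)
    return exposed

def shared_queues(printers_conf):
    """Queue names whose printers.conf entry carries an explicit 'Shared Yes'."""
    shared, current = [], None
    for line in map(str.strip, printers_conf.splitlines()):
        m = re.match(r"<(?:Default)?Printer\s+(\S+)>", line)
        if m:
            current = m.group(1)
        elif line.startswith("</"):
            current = None
        elif current and re.fullmatch(r"Shared\s+Yes", line, re.I):
            shared.append(current)
    return shared

def exposure(cupsd_conf, printers_conf):
    """needs_review is True when a network listener and a shared queue coexist."""
    listeners, queues = network_listeners(cupsd_conf), shared_queues(printers_conf)
    return {"listeners": listeners, "shared_queues": queues,
            "needs_review": bool(listeners and queues)}
```

A host flagged `needs_review` still has to be checked by hand for the queue's driver type and for network filtering in front of port 631.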
Read at Theregister