CVE-2026-34980

OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network

CVSS 6.1 MEDIUM · EPSS 0.5% · CWE-20
In short

A vulnerability in the CUPS printing system lets anyone on the network send print jobs to a shared queue without logging in, potentially running commands of their choosing on the server. This happens because the system does not properly validate the option values supplied with a print job.

Technical detail

CWE-20 (improper input validation) in CUPS 2.4.16 and earlier allows unauthenticated remote attackers to achieve arbitrary code execution as the `lp` user via crafted Print-Job requests to exposed shared PostScript queues. The flaw lies in the handling of the `page-border` option: an embedded newline survives the option-escaping step, so the text after it is later parsed as a PPD scheduler control record, which can name an existing binary for the scheduler to execute.

Summary generated and translated by AI from the official description.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products
OpenPrinting · cups
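Added example (not from this page, the advisory or the CUPS project): a Python triage script that checks the two preconditions the description names, a cupsd listening on a network address and at least one shared queue, by parsing `cupsd.conf` and `printers.conf`. The sample configurations are constructed. The script reads the `Listen`, `Port` and `DefaultShared` directives and each queue's `Shared` line; it does not inspect PPD files, so it cannot tell PostScript queues from others, and it does not evaluate `<Location>` Allow/Deny rules, so a hit means "review this host", not "confirmed exposed".

```python
import re

# Hosts that only accept connections from the machine itself.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]", "::1"}


def _strip(line: str) -> str:
    """Drop comments and surrounding whitespace from one config line."""
    return line.split("#", 1)[0].strip()


def _listen_host(value: str) -> str:
    """Extract the bind host from a Listen value ('[::1]:631' -> '[::1]')."""
    if value.startswith("["):
        return value.split("]", 1)[0] + "]"
    return value.rsplit(":", 1)[0] if ":" in value else value


def listen_exposed(cupsd_conf: str) -> list:
    """Return Listen/Port directives that accept connections from the network.

    Unix-socket Listen lines (path starting with '/') and loopback-only
    listeners are ignored; a bare 'Port N' directive binds every address.
    """
    exposed = []
    for raw in cupsd_conf.splitlines():
        line = _strip(raw)
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if directive == "port":
            exposed.append(line)
        elif directive == "listen" and not value.startswith("/"):
            if _listen_host(value) not in LOOPBACK_HOSTS:
                exposed.append(line)
    return exposed


def default_shared(cupsd_conf: str) -> bool:
    """Value of DefaultShared in cupsd.conf; cupsd documents Yes as the default."""
    for raw in cupsd_conf.splitlines():
        line = _strip(raw)
        if line.lower().startswith("defaultshared"):
            parts = line.split(None, 1)
            return len(parts) > 1 and parts[1].strip().lower() in ("yes", "on", "true")
    return True


def shared_queues(printers_conf: str, shared_by_default: bool = True) -> list:
    """Return queue names whose 'Shared' setting resolves to Yes.

    Queues with no Shared line inherit cupsd's DefaultShared, so they are
    included when shared_by_default is True.
    """
    queues, name, shared = [], None, None
    for raw in printers_conf.splitlines():
        line = _strip(raw)
        start = re.match(r"<(?:Default)?Printer\s+(\S+)>", line, re.IGNORECASE)
        if start:
            name, shared = start.group(1), None
        elif line.lower() == "</printer>":
            if name and (shared if shared is not None else shared_by_default):
                queues.append(name)
            name = None
        elif name and line.lower().startswith("shared "):
            shared = line.split(None, 1)[1].strip().lower() in ("yes", "on", "true")
    return queues


def assess(cupsd_conf: str, printers_conf: str) -> dict:
    """Combine both checks: the advisory's precondition is a network-reachable
    cupsd plus at least one shared queue.  <Location> Allow/Deny rules are not
    evaluated, so a hit is a triage signal rather than a confirmed exposure."""
    listeners = listen_exposed(cupsd_conf)
    shared = shared_queues(printers_conf, default_shared(cupsd_conf))
    return {
        "exposed_listeners": listeners,
        "shared_queues": shared,
        "at_risk": bool(listeners) and bool(shared),
    }


# Constructed sample configs (not taken from any real host).
SAMPLE_CUPSD_CONF = """\
# constructed sample cupsd.conf
Listen localhost:631
# the next listener is reachable from the LAN
Listen *:631
Listen /run/cups/cups.sock
DefaultShared Yes
Browsing On
"""

SAMPLE_PRINTERS_CONF = """\
# constructed sample printers.conf
<DefaultPrinter office-ps>
Info Office PostScript printer
DeviceURI socket://192.0.2.10:9100
Shared Yes
</Printer>
<Printer private>
DeviceURI ipp://192.0.2.11/ipp/print
Shared No
</Printer>
<Printer unlabeled>
DeviceURI usb://Example/Printer
</Printer>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CUPSD_CONF, SAMPLE_PRINTERS_CONF).items():
        print(f"{key}: {value}")
```

On a real host, feed the script the contents of `/etc/cups/cupsd.conf` and `/etc/cups/printers.conf`; a queue with no `Shared` line is counted as shared because cupsd's `DefaultShared` directive defaults to Yes. Until a fix is available, the conditions it flags are also the ones to change: bind cupsd to loopback or a Unix socket, or set `Shared No` on queues that do not need to be reachable from the network.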
