Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via lp
Action: Assess Impact
AI Analysis

Impact

CUPS versions 2.4.16 and earlier allow an attacker who can reach a network-exposed cupsd with a shared PostScript queue to send a Print-Job without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then treats the resulting second-line PPD: text as a trusted scheduler control record (CWE-20). A follow-up raw print job can cause the scheduler to execute an attacker-chosen existing binary, such as /usr/bin/vim, with the privileges of the lp user (CWE-78). The result is remote code execution as lp without any authentication.

Affected Systems

The vulnerability impacts the OpenPrinting CUPS printing system on any Linux or Unix‑like operating system where cupsd is exposed over the network and a target queue is marked as shared. It applies to installations running CUPS 2.4.16 or earlier regardless of the specific distribution or configuration.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the lack of authentication combined with network exposure makes exploitation straightforward for any adversary with network access to the cupsd daemon. The attack requires only a crafted Print‑Job sent to the shared queue; additional constraints such as firewall restriction or disabling shared queues reduce the attack surface. Until a patch is released, exposed hosts remain at significant risk of remote code execution.

Generated by OpenCVE AI on April 4, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch for CUPS once it is released
  • Disable the shared attribute on target queues or remove the shared queue entirely
  • Restrict network access to the cupsd daemon with firewall rules to allow only trusted hosts
  • Continuously monitor vendor advisories and apply updates promptly when available

Generated by OpenCVE AI on April 4, 2026 at 04:20 UTC.
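
A defender-side check for the two preconditions the recommended actions target (a non-loopback listener and a shared queue), added here as an example and not part of the OpenCVE page or of CUPS. It parses constructed cupsd.conf and printers.conf text; the function names and sample queue names are hypothetical, and it does not determine whether a shared queue is a PostScript queue.

```python
import re

# Constructed sample configuration text (not taken from a real host).
SAMPLE_CUPSD_CONF = """\
# cupsd.conf (constructed)
Listen localhost:631
Listen /run/cups/cups.sock
Port 631
"""
SAMPLE_PRINTERS_CONF = """\
<Printer office-ps>
DeviceURI socket://192.0.2.10:9100
Shared Yes
</Printer>
<DefaultPrinter lab-ps>
DeviceURI socket://192.0.2.11:9100
Shared No
</DefaultPrinter>
"""
LOOPBACK = ("localhost", "127.", "[::1]")

def network_listeners(cupsd_conf):
    """Return Listen/Port directives that bind beyond loopback or a Unix socket."""
    exposed = []
    for raw in cupsd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)(Listen|Port)\s+(\S+)$", line)
        if not m:
            continue
        kind, value = m.group(1).lower(), m.group(2)
        # "Port N" listens on every interface; "Listen" may name one address.
        if kind == "port" or not (value.startswith("/") or value.startswith(LOOPBACK)):
            exposed.append(line)
    return exposed

def shared_queues(printers_conf):
    """Return names of queues whose <Printer> block sets Shared to a true value."""
    shared, current = [], None
    for raw in printers_conf.splitlines():
        line = raw.strip()
        m = re.match(r"<(?:Default)?Printer\s+([^>]+)>$", line)
        if m:
            current = m.group(1)
        elif re.match(r"</(?:Default)?Printer>$", line):
            current = None
        elif current and re.match(r"(?i)Shared\s+(Yes|True|On)$", line):
            shared.append(current)
    return shared

def audit(cupsd_conf, printers_conf):
    """Flag a host as exposed only when both preconditions hold."""
    listeners, queues = network_listeners(cupsd_conf), shared_queues(printers_conf)
    return {"listeners": listeners, "shared": queues, "exposed": bool(listeners and queues)}
```

On a host the inputs are typically /etc/cups/cupsd.conf and /etc/cups/printers.conf; sharing can be turned off per queue with `lpadmin -p NAME -o printer-is-shared=false`.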

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting
Openprinting cups
Vendors & Products Openprinting
Openprinting cups

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Title OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:12:43.625Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34980

Vulnrichment

Updated: 2026-04-06T13:12:39.119Z

NVD

Status: Analyzed

Published: 2026-04-03T22:16:27.243

Modified: 2026-04-16T18:28:13.903

Link: CVE-2026-34980

Red Hat

Severity: Moderate

Public Date: 2026-04-03T21:18:09Z

Links: CVE-2026-34980 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T22:22:07Z

Weaknesses