Platform: linux
Component: cups
Fixed in: 2.4.17
CVE-2026-34990 describes a local privilege escalation vulnerability discovered in CUPS (Common Unix Printing System) versions 2.4.16 and prior. An attacker can leverage this flaw to gain root access by coercing the CUPS daemon into authenticating to a malicious IPP service and subsequently overwriting files. The vulnerability impacts Linux and other Unix-like operating systems utilizing CUPS, and a fix is available in version 2.4.17.
This vulnerability allows a local, unprivileged user to achieve arbitrary root file overwrite. The attack chain involves tricking the CUPS daemon (cupsd) into authenticating to a controlled IPP service using a reusable authorization token. This token then allows the attacker to submit /admin/ requests on localhost. Crucially, combining CUPS-Create-Local-Printer with printer-is-shared=true enables the creation of a persistent file:///... queue, bypassing normal file device policies. Printing to this queue results in arbitrary root file overwrite, effectively granting the attacker complete control over the system’s file system. This is a critical vulnerability due to its potential for complete system compromise.
This vulnerability was publicly disclosed on 2026-04-03. A proof-of-concept (PoC) is publicly available, demonstrating the exploit's feasibility. The vulnerability is not currently listed on CISA KEV, and its EPSS score is pending evaluation. Active exploitation campaigns have not been confirmed at the time of writing, but the availability of a PoC increases the risk of exploitation.
Exploit Status
EPSS: 0.01% (2nd percentile)
The primary mitigation is to upgrade CUPS to version 2.4.17 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restricting access to the /admin/ endpoint via firewall rules or access control lists can limit the attack surface. Monitoring CUPS logs for suspicious authentication attempts or printer creation activity is also recommended. While a WAF is unlikely to directly mitigate this, it could potentially detect and block malicious IPP requests. After upgrading, verify the fix by attempting to create a shared printer with a file:/// URI and confirming that the creation fails.
Update CUPS to version 2.4.17 or later to mitigate the vulnerability. This update corrects the way CUPS handles token authentication, preventing local admin token disclosure and arbitrary command execution.
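As an added example (not code from the advisory or from the CUPS project), the script below implements the two checks the mitigation text recommends: a version comparison against the fixed release 2.4.17, and a scan of cupsd's access_log for CUPS-Create-Local-Printer requests, which is the operation the attack chain relies on. The access_log line layout and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# First CUPS release containing the fix for CVE-2026-34990.
FIXED_VERSION = (2, 4, 17)

# Assumed cupsd access_log layout (common log format plus IPP fields):
#   host group user [date] "method resource version" status bytes ipp-op ipp-status
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d+) (?P<bytes>\d+)(?: (?P<ipp_op>\S+) (?P<ipp_status>\S+))?$'
)

# IPP operation the advisory's attack chain depends on; extend as needed.
WATCHED_OPS = {"CUPS-Create-Local-Printer"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.16' into (2, 4, 16); any non-numeric suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed CUPS version is older than 2.4.17."""
    return parse_version(version) < FIXED_VERSION


def suspicious_requests(lines: Iterable[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (when, host, user, ipp_op, resource) for every watched operation."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line.rstrip("\n"))
        if m and m["ipp_op"] in WATCHED_OPS:
            hits.append((m["when"], m["host"], m["user"], m["ipp_op"], m["resource"]))
    return hits


# Constructed sample access_log lines (not real captured data).
SAMPLE_LOG = """\
localhost - - [03/Apr/2026:10:00:01 +0000] "POST / HTTP/1.1" 200 123 Get-Printers successful-ok
localhost - - [03/Apr/2026:10:00:05 +0000] "POST /admin/ HTTP/1.1" 200 456 CUPS-Create-Local-Printer successful-ok
localhost - - [03/Apr/2026:10:00:07 +0000] "POST /printers/localqueue HTTP/1.1" 200 789 Print-Job successful-ok
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT: printer creation request", *hit)
    print("2.4.16 vulnerable:", is_vulnerable("2.4.16"))
```

On a real host, feed `suspicious_requests` the lines of `/var/log/cups/access_log` and pass the output of `cups-config --version` to `is_vulnerable`.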
CVE-2026-34990 is a local privilege escalation vulnerability in CUPS versions 2.4.16 and earlier, allowing an unprivileged user to overwrite arbitrary files as root.
If you are running CUPS version 2.4.16 or earlier, you are potentially affected by this vulnerability. Upgrade to 2.4.17 or later to mitigate the risk.
The recommended fix is to upgrade CUPS to version 2.4.17 or later. As a temporary workaround, restrict access to the /admin/ endpoint and monitor CUPS logs.
While active exploitation campaigns have not been confirmed, a public proof-of-concept exists, increasing the likelihood of exploitation.
Refer to the OpenPrinting CUPS security advisory for detailed information and updates: https://www.openprinting.org/security/.