Critical CUPS Vulnerabilities Expose Linux Systems to RCE and Privilege Escalation
Ubuntu has released security patches for five critical vulnerabilities in CUPS that allow local and remote attackers to execute arbitrary code, escalate privileges, and cause denial of service. Organizations running affected CUPS versions should apply updates immediately.
TL;DR
- Five CVEs patched in CUPS affecting authorization, file handling, and authentication mechanisms
- Remote code execution possible via malformed PostScript queue parameters and filter option strings
- Local privilege escalation through username comparison flaws and localhost authentication bypass
- File overwrite and DoS attacks exploitable through RSS notifier and page-border value handling
- USN-8405-1 applies to multiple Ubuntu releases; immediate patching recommended
Canonical has released security notice USN-8405-1 addressing five vulnerabilities in CUPS (Common Unix Printing System), a widely deployed print server used across Linux distributions. The flaws range from local privilege escalation to remote code execution, affecting authorization checks, file handling, and authentication logic.
These vulnerabilities expose both local and remote attack surfaces. Attackers can exploit improper username comparisons to bypass authorization, manipulate PostScript queue settings for code execution, and leverage localhost authentication weaknesses to write arbitrary files. Organizations relying on CUPS for print infrastructure should prioritize patching.
Vulnerability Breakdown
- CVE-2026-27447: Authorization bypass via flawed username comparison logic during access control checks
- CVE-2026-34978: RSS notifier file overwrite and DoS through malformed notify-recipient-uri values
- CVE-2026-34979: Arbitrary code execution or crash via malicious filter option strings in job attributes
- CVE-2026-34980: Remote code execution through crafted page-border values in shared PostScript queues
- CVE-2026-34990: File overwrite and code execution by exploiting localhost authentication to attacker-controlled IPP services
Attack Surface and Risk
- Local attackers can escalate privileges and gain unauthorized access to restricted print operations
- Remote attackers can trigger denial of service and execute code via network-accessible CUPS instances
- Shared PostScript queue configurations present heightened risk for remote exploitation
- Localhost authentication bypass enables file manipulation and arbitrary code execution on the print server
- Organizations with internet-facing or network-exposed CUPS services face immediate exploitation risk
Remediation Guidance
- Apply USN-8405-1 patches across all affected Ubuntu releases immediately
- Restrict CUPS access to trusted networks and disable remote printing if not required
- Audit CUPS configurations, particularly shared PostScript queues and authentication settings
- Monitor CUPS logs for suspicious authorization attempts and malformed job submissions
- Consider network segmentation to isolate print infrastructure from untrusted systems
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.