CVE-2026-34980
Published: 03 April 2026
Summary
CVE-2026-34980 is a high-severity Improper Input Validation (CWE-20) vulnerability in Openprinting Cups. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper input validation of the crafted page-border value containing embedded newlines that leads to reparsing as trusted scheduler controls.
Limits and authorizes specific actions like Print-Job submissions without identification or authentication on shared PostScript queues, preventing unauthorized exploitation.
Restricts system functionality by prohibiting or disabling unnecessary shared target queues and PostScript processing exposed to the network.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of the network-exposed CUPS service (T1190: Exploit Public-Facing Application) resulting in execution of attacker-chosen binaries as the lp user via the Unix environment (T1059.004: Unix Shell).
NVD Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript…
more
queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Deeper analysisAI
CVE-2026-34980 is an improper input validation vulnerability (CWE-20) affecting OpenPrinting CUPS, an open source printing system for Linux and other Unix-like operating systems, in versions 2.4.16 and prior. The issue resides in network-exposed instances of cupsd configured with a shared target queue. An unauthorized client can submit a Print-Job to the shared PostScript queue without authentication. The server accepts a specially crafted page-border value supplied as textWithoutLanguage, which preserves an embedded newline through option escaping and reparse mechanisms. This causes the server to reparse the resulting second-line PPD text as a trusted scheduler control record.
Exploitation requires an attacker with adjacent network access (AV:A) and involves high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) needed, yielding a CVSS v3.1 base score of 7.5 (High) due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A follow-up raw print job can then leverage the manipulated control to execute an attacker-chosen existing binary, such as /usr/bin/vim, running as the lp user.
The GitHub Security Advisory (GHSA-4852-v58g-6cwf) confirms that, at the time of publication on 2026-04-03, no publicly available patches exist for this vulnerability.
No real-world exploitation has been reported in available information.
Details
- CWE(s)