Posts on Hey, it's Asim https://heyitsas.im/posts/ Recent content in Posts on Hey, it's Asim Hugo -- gohugo.io en-us © 2026 Asim Viladi Oglu Manizada Sun, 05 Apr 2026 00:00:00 +0000 Spooler Alert: Remote Unauth'd RCE-to-root Chain in CUPS https://heyitsas.im/posts/cups/ Sun, 05 Apr 2026 00:00:00 +0000 https://heyitsas.im/posts/cups/ <p><em>TLDR: my self-orchestrating team of <a href="https://www.linkedin.com/posts/yasamal4ik_february-2026-cve-2026-26080-and-cve-2026-activity-7441018899502043136-Rukx" target="_blank" rel="noreferrer">vulnerability hunting agents</a> discovered two issues in CUPS, <a href="https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf" target="_blank" rel="noreferrer">CVE-2026-34980</a> and <a href="https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp" target="_blank" rel="noreferrer">CVE-2026-34990</a>, chainable into <code>unauthenticated remote attacker -&gt; unprivileged RCE -&gt; root file (over)write</code>. See below for the prerequisites, details, and mitigation options.</em></p> <nav id="TableOfContents"> <ul> <li><a href="#intro">Intro</a></li> <li><a href="#findings">Findings</a> <ul> <li><a href="#are-you-affected--mitigation">Are you affected? + Mitigation</a></li> </ul> </li> <li><a href="#technical-details">Technical details</a> <ul> <li><a href="#cve-2026-34980-turning-a-print-option-into-scheduler-control-data">CVE-2026-34980: turning a print option into scheduler control data</a></li> <li><a href="#cve-2026-34990-from-lp-to-root-via-localhost-admin-auth-and-file">CVE-2026-34990: from <code>lp</code> to root via localhost admin auth and <code>file:///</code></a></li> </ul> </li> <li><a href="#postscript">PostScript</a></li> </ul> </nav> <h2 class="relative group">Intro <div id="intro" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#intro" aria-label="Anchor">#</a> </span> </h2> <p>CUPS is <em>the</em> standard way to do printing on Linux and other Unix(-like) systems. It&rsquo;s been on my mind as a research target ever since doing incident response to Simone Margaritelli&rsquo;s 2024 <a href="https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/" target="_blank" rel="noreferrer">unauth&rsquo;d RCE finding</a>, where he chained several CUPS vulnerabilities into an unauth&rsquo;d RCE as <code>lp</code>, the default CUPS service user.</p>