CVE-2026-34980

Name of the Vulnerable Software and Affected Versions CUPS versions 2.4.16 and prior

Description A flaw exists in the CUPS printing system's cupsd daemon due to insufficient input validation when processing the textWithoutLanguage parameter. Successful exploitation allows a remote attacker to execute arbitrary code by sending a specially crafted PostScript file to a shared print queue via a Print-Job request. The server accepts a page-border value, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD text as a trusted scheduler control record. A subsequent raw print job can then cause the server to execute an attacker-chosen binary as lp.

Recommendations Update to a version later than 2.4.16.