Critical CUPS Vulnerabilities Affecting Multiple Ubuntu Releases

Severity: High (Score: 72.5)

Sources: Linuxsecurity, Ubuntu

Published: 2026-06-08 · Updated: 2026-06-09

Keywords: ubuntu, cups, access, security, issue, critical, denial

Severity indicators: critical, flaw, issue, security issue

Summary

Multiple vulnerabilities have been identified in the Common UNIX Printing System (CUPS) affecting several Ubuntu releases, including 26.04 LTS, 25.10, 24.04 LTS, and 22.04 LTS. Key vulnerabilities include unauthorized access through incorrect username handling (CVE-2026-27447) and denial of service attacks due to improper handling of job attributes (CVE-2026-34979). Remote attackers can exploit these issues to overwrite files and potentially execute arbitrary code. The vulnerabilities were discovered by various researchers, including Ariel Silver and Asim Viladi Oglu Manizada. Affected users are advised to update their systems to mitigate these risks. The vulnerabilities were disclosed on April 3, 2026, and patches are available for all affected versions.

Key Points:

  • CUPS vulnerabilities allow local and remote attackers to exploit systems.
  • Multiple CVEs (CVE-2026-27447, CVE-2026-34978, CVE-2026-34979) have been identified.
  • Affected Ubuntu versions include 26.04 LTS, 25.10, 24.04 LTS, and 22.04 LTS.

Detailed Analysis

**Impact** Multiple Ubuntu releases, including 26.04 LTS, 25.10, 24.04 LTS, and 22.04 LTS, are affected by critical vulnerabilities in CUPS. These flaws enable local and remote attackers to gain unauthorized access, cause denial of service, overwrite files, and potentially execute arbitrary code. The vulnerabilities impact systems running CUPS in enterprise, government, and other sectors relying on Ubuntu for printing services, potentially disrupting operations and exposing sensitive data.

**Technical Details** The vulnerabilities involve incorrect handling of username comparisons (CVE-2026-27447), notify-recipient-uri values in the RSS notifier (CVE-2026-34978), filter option strings in job attributes (CVE-2026-34979), page-border values in PostScript queues (CVE-2026-34980), localhost authentication to attacker-controlled IPP services (CVE-2026-34990), negative job-password-supported values (CVE-2026-39314), temporary printer deletion (CVE-2026-39316), and malformed SNMP responses (CVE-2026-41079). Attack vectors include local privilege escalation and remote denial of service or code execution. No specific malware or IOCs were reported.

**Recommended Response** Apply the updated CUPS packages immediately: cups 2.4.16-1ubuntu1.2 for Ubuntu 26.04 LTS, 2.4.12-0ubuntu3.9 for 25.10, 2.4.7-1.2ubuntu7.13 for 24.04 LTS, and 2.4.1op1-1ubuntu4.20 for 22.04 LTS. Conduct standard system updates to ensure all fixes are applied. Monitor printing service logs for unusual access attempts or crashes. No additional detection signatures or IOC-based blocks were provided.

Source articles (2)

  • USN-8405-1: CUPS vulnerabilities — Ubuntu · 2026-06-08
    Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operati…
  • Ubuntu 26.04 CUPS Critical Denial of Service and Access Flaws USN-8405 — Linuxsecurity · 2026-06-08
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in CUPS. Soft…

Timeline

  • 2026-04-03 — Multiple CUPS vulnerabilities disclosed: CVE-2026-27447, CVE-2026-34978, CVE-2026-34979, CVE-2026-34980, and CVE-2026-34990 were published, impacting CUPS functionality.
  • 2026-04-03 — CVE-2026-34978 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-03 — CVE-2026-34990 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-03 — CVE-2026-34980 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-03 — CVE-2026-27447 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-03 — CVE-2026-34979 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-07 — CVE-2026-39316 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-07 — CVE-2026-39314 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-24 — Additional vulnerabilities published: CVE-2026-41079 was published, adding to the list of vulnerabilities affecting CUPS.
  • 2026-04-24 — CVE-2026-41079 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2026-27447
  • CVE-2026-34978
  • CVE-2026-34979
  • CVE-2026-34980
  • CVE-2026-34990
  • CVE-2026-39314
  • CVE-2026-39316
  • CVE-2026-41079

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CUPS (Platform)
  • Ubuntu Pro (Platform)
  • Ubuntu (Company)