A SpaceX security engineer and his AI-powered vulnerability hunting agents discovered two chained flaws in CUPS (Common Unix Printing System) version 2.4.16. CVE-2026-34980 allows an unauthenticated attacker to achieve remote code execution as lp on systems with a shared PostScript queue, by exploiting CUPS' default anonymous print-job policy and a newline-escaping bug. CVE-2026-34990 is an authorization flaw that lets a low-privileged user trick the CUPS scheduler into leaking a reusable auth token, enabling arbitrary root file overwrite. Chained together, these bugs give an unauthenticated remote attacker root file overwrite. No patched release exists yet, but public commits with fixes are available. The researcher notes AI agents are increasingly effective at narrowing vulnerability search spaces, while human maintainers struggle to keep pace with patching.
Table of contents
How it worksSort: