A SpaceX security engineer used AI agents to find critical CUPS vulnerabilities — and their method, not the CVEs, is what should keep infrastructure teams awake at night.
image from grok
A SpaceX security researcher discovered two CUPS zero-day vulnerabilities (CVE-2026-34980, CVE-2026-34990) enabling unauthenticated remote root access on Linux/Unix systems. CVE-2026-34980 exploits a newline injection in page-border options to achieve RCE as the lp user via PostScript queue manipulation, while CVE-2026-34990 leverages a race condition in token validation for local root file overwrite. The notable aspect is that the research was conducted using self-orchestrating AI agent teams, a methodology the researcher argues is particularly suited to vulnerability research's expansive search spaces.
A SpaceX security engineer has disclosed two vulnerabilities in CUPS, the print server bundled with nearly every Linux and Unix system, that chain to unauthenticated remote root access. The vector is a network-accessible CUPS instance with a shared PostScript queue; the payoff is code execution as the lp user, escalating to arbitrary root file overwrite when chained. What makes this disclosure different from a standard CVE drop is the methodology: Asim Viladi Oglu Manizada ran a team of self-orchestrating AI agents across the vulnerability research task, and argues the approach is specifically well-suited to the problem.
The findings, CVE-2026-34980 and CVE-2026-34990, were published to the OpenPrinting GitHub security advisories on April 6th. Manizada documented the full exploitation chain on his personal blog. As of April 5th, no patched CUPS release exists, though public commits with fixes are available.
CVE-2026-34980 exploits the fact that CUPS's default policy accepts anonymous Print-Job requests to shared queues, and a page-border option value survives a serialization/deserialization roundtrip with its embedded newline intact. That newline lets an attacker smuggle a second line beginning with PPD:, which CUPS treats as a trusted scheduler control record, injecting attacker-controlled options into the queue configuration. The practical result: a second raw print job triggers execution of an attacker-chosen existing binary as the lp user. The proof-of-concept uses vim. This requires CUPS to be network-accessible with a shared PostScript queue, which Manizada notes is a deliberate server configuration, not a default desktop setup.
CVE-2026-34990 is local and works on a default CUPS install. Any unprivileged local user who can reach the CUPS listener on localhost can create a temporary printer, capture the administrative authentication token CUPS issues during validation, and use it to race CUPS's own cleanup logic to overwrite arbitrary files as root. The proof-of-concept writes to /etc/sudoers.d/. Chaining both vulnerabilities converts the unauth remote RCE into full remote root file overwrite.
SELinux and AppArmor, the Linux security modules that enforce process confinement policies, limit the blast radius. Where CUPS runs under a reasonable security policy, the second vulnerability cannot write outside permitted paths. Many distributions ship with such confinement enabled by default.
Manizada's methodology is the part that connects this to the agent infrastructure beat. He describes running a team of agents that self-orchestrate: subdividing the research task, coordinating findings, and iterating without a human driving every step. His observation is that vulnerability research is well-suited to this pattern because the search space is large, the subtasks are narrow and well-defined, and the output is verifiable. He was not the first to apply agentic reasoning to security research, but the CUPS attack surface is real, the findings are genuine CVEs with public exploits, and the chain to root is complete.
The work was directly inspired by Simone Margaritelli's 2024 research, which [chained several CUPS vulnerabilities into unauthenticated remote code execution as lp](https://www.theregister.com/2026/04/06/ai_agents_cups_server_rce/). Manizada's contribution extends that chain to root and introduces the agentic methodology as a structural feature rather than a novelty.
No signs of active exploitation have been observed as of publication. Standard remediation applies: do not expose CUPS over the network with a shared PostScript queue, require authentication for job submissions where shared queues are necessary, and ensure CUPS runs under a security module policy that constrains file writes.
The agentic research angle is not a universal replacement for human security expertise. The CUPS attack surface has been worked over by human researchers for years. But the pattern is real, and the implications scale with capability: if self-orchestrating agent teams can reliably surface new vulnerability classes in legacy system code, the discoverable vulnerability surface shrinks faster than the human researcher community can cover. The open question is not whether AI agents can find real bugs, but who deploys them first and against what targets.
Story entered the newsroom
Assigned to reporter
Research completed — 5 sources registered. Verified: CVE-2026-34980 and CVE-2026-34990 are real, affecting CUPS 2.4.16. Researcher is SpaceX security engineer Asim Viladi Oglu Manizada. CVE-202
Draft (564 words)
Approved for publication
Published (627 words)
Get the best frontier systems analysis delivered weekly. No spam, no fluff.
Agentics · 4h 37m ago · 3 min read
Agentics · 6h 34m ago · 4 min read
