serious RCE vulnerability via CUPS

There is a serious vulnerability in CUPS. (As usual, it is over-hyped.)

A single unsolicited UDP packet can get root access on your machine if you have cups-browsed running. But there are other vulnerabilities in CUPS, as I understand it.

There was a lot of arguing about how serious it is: serious or very serious? It was supposed to be embargoed but it leaked.

<https://isc.sans.edu/diary/31302>
<https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/>

CUPS (the printing subsystem) is too promiscuous. And it runs as root.

- no problem from the internet if you don't run CUPS (few servers and thus most things exposed to the internet). In particular, if a system is behind NAT, it is not exposed to attacks from the internet.

- if your firewall blocks UDP port 631 (IPP), no problem behind it.

- you should consider attacks from within your LAN. I wonder if a web page could use JavaScript to create a local attack.

But if you want to print, update CUPS (fixes are out, I think). And some parts are not fixed (cups-browsed in particular).

I think that the simple act of printer discovery is no longer simple.

(We just got a colour laser printer. I fed it the WiFi password. Now all our Linux computers can easily print to it. To use it with any Linux computer in the house, the only configuration was asking the print dialogue to use a different printer. I think cups-browsed enabled that.)

(To be honest, I've never really thought network printers were trustable, just convenient. WiFi doubly so.)

I don't know why anyone thought a big codebase like CUPS ought to run as root. Even after these fixes, the question remains.

Michael Sweet, the/an original author of CUPS, left Apple, and has been working on a replacement. There are packages for my distro (Fedora) but I don't really know how it slides into the printing stack.

<https://www.msweet.org/pappl/>
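
As an added example (not part of the original post): a shell check for the exposure the message describes, listing UDP sockets bound to port 631 on a non-loopback address from `ss -H -uln` output. The helper name `exposed_631` and the sample socket lines are constructed for illustration; run with `--live` to inspect the local host instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original post. exposed_631 is a hypothetical helper.

# Reads `ss -H -uln` (or `ss -H -tuln`) output on stdin and prints the local
# address of each UDP socket bound to port 631 on a non-loopback address.
exposed_631() {
    awk '
    $1 == "tcp" { next }                       # only UDP matters for this check
    {
        laddr = ($1 == "udp") ? $5 : $4        # -tuln adds a leading Netid column
        n = split(laddr, parts, ":")
        port = parts[n]                        # port follows the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        sub(/%.*/, "", addr)                   # drop an interface suffix such as %lo
        if (port != "631") next
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only is not exposed
        print addr
    }'
}

# Constructed sample in `ss -H -uln` column order (State Recv-Q Send-Q Local Peer).
SAMPLE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 192.168.1.20:5353 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    # Inspect this host: service state first, then the sockets themselves.
    if systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed is active"
    fi
    ss -H -uln | exposed_631
else
    printf '%s\n' "$SAMPLE" | exposed_631
fi
```

Any address printed is a UDP/631 listener that other hosts on the network can reach unless a firewall blocks the port.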

From: D. Hugh Redelmeier via talk <talk@gtalug.org>
> I don't know why anyone thought a big codebase like CUPS ought to run as root. Even after these fixes, the question remains.

Red Hat says that on its systems, cups-browsed runs as the unprivileged user "lp".

<https://access.redhat.com/security/vulnerabilities/RHSB-2024-002>