It is possible to cause cups-exec to execute backends without a sandbox profile by causing cupsdCreateProfile() to fail. An attacker that has obtained sandboxed root access can accomplish this by setting the CUPS temporary directory to immutable using chflags, which will prevent the profile from being written to disk.
Created cups tracking bugs for this issue:
Affects: fedora-all [bug 1607293]
Fedora and RHEL are not affected by this flaw since Sandbox feature is not enabled on Linux.
This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux as cups on Linux does not support the Sandbox feature.