Vulnerability-Lookup

WID-SEC-W-2026-1686

Vulnerability from csaf_certbund - Published: 2026-05-26 22:00 - Updated: 2026-05-27 22:00

Summary

Samba: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Samba ist eine Open Source Software Suite, die Druck- und Dateidienste für SMB/CIFS Clients implementiert.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Samba ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, um Dateien zu manipulieren, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2026-1933

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

CVE-2026-2340

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

CVE-2026-3012

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

CVE-2026-3238

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

CVE-2026-4408

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

CVE-2026-4480

Affected products

Known affected 6 products

Product	Identifier	Version
Open Source Samba <4.23.8 Open Source / Samba		<4.23.8
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Samba <4.24.3 Open Source / Samba		<4.24.3
Open Source Samba <4.22.10 Open Source / Samba		<4.22.10

References

12 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.samba.org/samba/history/samba-4.22.10.html	external
https://www.samba.org/samba/history/samba-4.23.8.html	external
https://www.samba.org/samba/history/samba-4.24.3.html	external
https://ubuntu.com/security/notices/USN-8306-1	external
https://lists.debian.org/debian-security-announce…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Samba ist eine Open Source Software Suite, die Druck- und Dateidienste f\u00fcr SMB/CIFS Clients implementiert.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Samba ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, um Dateien zu manipulieren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1686 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1686.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1686 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1686"
      },
      {
        "category": "external",
        "summary": "Samba 4.22.10 - Release Notes vom 2026-05-26",
        "url": "https://www.samba.org/samba/history/samba-4.22.10.html"
      },
      {
        "category": "external",
        "summary": "Samba 4.23.8 - Release Notes vom 2026-05-26",
        "url": "https://www.samba.org/samba/history/samba-4.23.8.html"
      },
      {
        "category": "external",
        "summary": "Samba 4.24.3 - Release Notes vom 2026-05-26",
        "url": "https://www.samba.org/samba/history/samba-4.24.3.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8306-1 vom 2026-05-26",
        "url": "https://ubuntu.com/security/notices/USN-8306-1"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6297 vom 2026-05-27",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00208.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2076-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026314.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2074-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026315.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2073-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026316.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2072-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026317.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2071-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026318.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Samba: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T06:45:41.567+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1686",
      "initial_release_date": "2026-05-26T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-32211, EUVD-2026-32312, EUVD-2026-32275"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.24.3",
                "product": {
                  "name": "Open Source Samba \u003c4.24.3",
                  "product_id": "T054749"
                }
              },
              {
                "category": "product_version",
                "name": "4.24.3",
                "product": {
                  "name": "Open Source Samba 4.24.3",
                  "product_id": "T054749-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:samba:samba:4.24.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.23.8",
                "product": {
                  "name": "Open Source Samba \u003c4.23.8",
                  "product_id": "T054750"
                }
              },
              {
                "category": "product_version",
                "name": "4.23.8",
                "product": {
                  "name": "Open Source Samba 4.23.8",
                  "product_id": "T054750-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:samba:samba:4.23.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.22.10",
                "product": {
                  "name": "Open Source Samba \u003c4.22.10",
                  "product_id": "T054751"
                }
              },
              {
                "category": "product_version",
                "name": "4.22.10",
                "product": {
                  "name": "Open Source Samba 4.22.10",
                  "product_id": "T054751-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:samba:samba:4.22.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Samba"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-1933",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-1933"
    },
    {
      "cve": "CVE-2026-2340",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-2340"
    },
    {
      "cve": "CVE-2026-3012",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-3012"
    },
    {
      "cve": "CVE-2026-3238",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-3238"
    },
    {
      "cve": "CVE-2026-4408",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-4408"
    },
    {
      "cve": "CVE-2026-4480",
      "product_status": {
        "known_affected": [
          "T054750",
          "2951",
          "T002207",
          "T000126",
          "T054749",
          "T054751"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-4480"
    }
  ]
}

CVE-2026-1933 (GCVE-0-2026-1933)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:28 – Updated: 2026-05-27 14:41

Title

Samba: missing access check on reparse point operations

Summary

A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.

Severity

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE

CWE-284 - Improper Access Control

Assigner

redhat

References

3 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2026-1933	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2447317	issue-trackingx_refsource_REDHAT
https://bugzilla.samba.org/show_bug.cgi?id=15992

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Date Public

2026-05-27 12:08

Credits

Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1933",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T14:40:45.546157Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T14:41:01.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba4",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue."
        }
      ],
      "datePublic": "2026-05-27T12:08:33.095Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Samba\u2019s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T13:22:15.937Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-1933"
        },
        {
          "name": "RHBZ#2447317",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447317"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=15992"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-13T08:29:39.852Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-27T12:08:33.095Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: missing access check on reparse point operations",
      "workarounds": [
        {
          "lang": "en",
          "value": "Administrators can mitigate this issue by ensuring users who access a read only = yes Samba share do not have filesystem-level write permission to the exported files.\n\nA server administrator may also monitor and remove unintended \"user.SmbReparse\" xattr (extended attributes) and the associated FILE_ATTRIBUTE_REPARSE_POINT \"user.DosAttrib\" bit metadata if exploitation is suspected."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-284: Improper Access Control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-1933",
    "datePublished": "2026-05-27T12:28:44.600Z",
    "dateReserved": "2026-02-04T21:04:39.737Z",
    "dateUpdated": "2026-05-27T14:41:01.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2340 (GCVE-0-2026-2340)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:09 – Updated: 2026-05-27 13:22

Title

Samba: vfs_worm does not block directory modification

Summary

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

Assigner

redhat

References

3 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2026-2340	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2447318	issue-trackingx_refsource_REDHAT
https://bugzilla.samba.org/show_bug.cgi?id=15997

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Date Public

2026-05-27 10:35

Credits

Red Hat would like to thank Pavel Kohout (Aisle Research) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba4",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Pavel Kohout (Aisle Research) for reporting this issue."
        }
      ],
      "datePublic": "2026-05-27T10:35:47.805Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Samba\u2019s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "Improper Handling of Insufficient Permissions or Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T13:22:15.957Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-2340"
        },
        {
          "name": "RHBZ#2447318",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447318"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=15997"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-13T12:55:04.465Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-27T10:35:47.805Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: vfs_worm does not block directory modification",
      "workarounds": [
        {
          "lang": "en",
          "value": "Administrators can mitigate this issue by:\n\nSetting read-only permissions on protected files at the underlying filesystem level will prevent modifications.\n\nConfiguring ```worm:grace_period = 0``` (zero or less) in smb.conf will eliminate the writable grace period (will eliminate the window in which the rename can happen), understanding that this may impact workflows requiring multi-step file creation."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-2340",
    "datePublished": "2026-05-27T12:09:32.601Z",
    "dateReserved": "2026-02-11T12:29:16.340Z",
    "dateUpdated": "2026-05-27T13:22:15.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3012 (GCVE-0-2026-3012)

Vulnerability from cvelistv5 – Published: 2026-05-27 10:02 – Updated: 2026-05-28 03:55

Title

Samba: group policy certificate enrollment uses http:// without validation

Summary

A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.

Severity

8 (High)


                        
                          CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

redhat

References

3 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2026-3012	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2447319	issue-trackingx_refsource_REDHAT
https://bugzilla.samba.org/show_bug.cgi?id=16003

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Date Public

2026-05-27 09:17

Credits

Red Hat would like to thank Arad Inbar (DREAM Security Research Team), Ben Grinberg (DREAM Security Research Team), Michalis Vasileiadis, and Nir Somech (DREAM Security Research Team) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3012",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T03:55:25.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba4",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Arad Inbar (DREAM Security Research Team), Ben Grinberg (DREAM Security Research Team), Michalis Vasileiadis, and Nir Somech (DREAM Security Research Team) for reporting this issue."
        }
      ],
      "datePublic": "2026-05-27T09:17:49.862Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Samba\u2019s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T13:15:06.993Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-3012"
        },
        {
          "name": "RHBZ#2447319",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447319"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=16003"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-13T12:55:02.623Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-27T09:17:49.862Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: group policy certificate enrollment uses http:// without validation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Systems are not affected unless Samba Group Policy processing and certificate auto-enrollment are explicitly enabled.\n\nAdministrators can reduce exposure by:\n\nAvoiding unnecessary use of certificate auto-enrollment.\nEnsuring your \"smb.conf\" does not contain a line like ```apply group policies = yes```. If , group policy is not be enabled, the vulnerable code will not run.\n\nIntercepting the HTTP request requires some control over the local network or other devices to intercept or redirect traffic. Some network administrators might assess this as a low risk on their\nnetworks."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-345: Insufficient Verification of Data Authenticity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-3012",
    "datePublished": "2026-05-27T10:02:21.767Z",
    "dateReserved": "2026-02-23T07:08:58.479Z",
    "dateUpdated": "2026-05-28T03:55:25.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4408 (GCVE-0-2026-4408)

Vulnerability from cvelistv5 – Published: 2026-05-28 07:25 – Updated: 2026-05-28 07:25

Title

Samba: remote code execution in samr

Summary

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

Severity

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

redhat

References

3 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2026-4408	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2479762	issue-trackingx_refsource_REDHAT
https://bugzilla.samba.org/show_bug.cgi?id=16034

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Date Public

2026-05-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "affected",
          "packageName": "samba4",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-05-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the \"check password script\" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the \"check password script\" is used with %u and the samba-dcerpcd service is started as a system service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T07:25:27.169Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4408"
        },
        {
          "name": "RHBZ#2479762",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479762"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=16034"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-19T09:24:56.961Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-26T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: remote code execution in samr",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4408",
    "datePublished": "2026-05-28T07:25:27.169Z",
    "dateReserved": "2026-03-18T21:40:14.142Z",
    "dateUpdated": "2026-05-28T07:25:27.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4480 (GCVE-0-2026-4480)

Vulnerability from cvelistv5 – Published: 2026-05-26 13:56 – Updated: 2026-05-27 12:56

Title

Samba: samba: remote code execution in printing subsystem via unescaped job description

Summary

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

Severity

8.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

redhat

References

3 references

URL	Tags
https://access.redhat.com/security/cve/CVE-2026-4480	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2452232	issue-trackingx_refsource_REDHAT
https://bugzilla.samba.org/show_bug.cgi?id=16033

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Date Public

2026-05-26 13:43

Credits

Red Hat would like to thank Arjun Basnet (Securin Labs), John Walker (ZeroPath), and Ron Ben Yizhak (SafeBreach) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4480",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T03:55:42.950Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "samba4",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Arjun Basnet (Securin Labs), John Walker (ZeroPath), and Ron Ben Yizhak (SafeBreach) for reporting this issue."
        }
      ],
      "datePublic": "2026-05-26T13:43:46.237Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the \"print command\" setting via the \"%J\"\nsubstitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:56:00.952Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4480"
        },
        {
          "name": "RHBZ#2452232",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452232"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=16033"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T13:35:42.879Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-26T13:43:46.237Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: samba: remote code execution in printing subsystem via unescaped job description",
      "workarounds": [
        {
          "lang": "en",
          "value": "Remove ```\"%J\"``` from the \"print command\" in ```smb.conf``` entry."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4480",
    "datePublished": "2026-05-26T13:56:32.355Z",
    "dateReserved": "2026-03-19T21:17:35.193Z",
    "dateUpdated": "2026-05-27T12:56:00.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1686

CVE-2026-1933 (GCVE-0-2026-1933)

CVE-2026-2340 (GCVE-0-2026-2340)

CVE-2026-3012 (GCVE-0-2026-3012)

CVE-2026-4408 (GCVE-0-2026-4408)

CVE-2026-4480 (GCVE-0-2026-4480)

Tags

Sightings

Nomenclature