CVE-2010-0926
published 2010-03-10

Priority: P3 · 38 · low · 3.5 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
EXPLOIT
EPSS: 30.53% (98.0th percentile)
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

Affected

33 ranges, showing 25

Vendor | Product | Version range | Fixed in
apple | mac_os_x (5 ranges) | |
apple | mac_os_x_server (5 ranges) | |
debian | samba | < samba 2:3.4.6~dfsg-1 (bookworm) | samba 2:3.4.6~dfsg-1 (bookworm)
samba | samba (14 ranges) | |

Detection & IOCs (extracted from sources)

command: symlink <oldname> <newname> (containing .. sequences via smbclient)
command: self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10)
path: samba-3.4.5/source3/client/client.c
  • Detect smbclient UNIX extension symlink creation requests over SMB that contain traversal sequences ('..') in the symlink target — this is the core exploit primitive for CVE-2010-0926.
  • Monitor for SMB UNIX extension symlink operations (Trans2 UNIX_EXTENSIONS sub-commands) where the link target resolves outside the share root — indicative of wide-link traversal exploitation.
  • Alert on guest or low-privilege SMB sessions that issue symlink creation commands followed by directory listing or file read operations — exploitation is possible via guest-accessible writable shares.
  • For the race-condition variant (CVE-2010-0926 overlap with Samba 4.5.2), detect rapid rename operations on share path components interleaved with file open requests — a symlink is swapped in just before open() to escape the share boundary.
  • On the server side, audit smbd for lstat() calls on path components followed by open() where an intermediate component has changed type to S_IFLNK between the lstat and open — indicates a TOCTOU symlink race.
  • The vulnerability is triggered only when BOTH 'unix extensions' and 'wide links' are enabled simultaneously — this was the Samba default before the fix. Disabling either option mitigates the issue.
  • The Samba team's official mitigation is to set 'wide links = no' in the [global] section of smb.conf. Alternatively, setting 'unix extensions = no' prevents clients from creating wide symlinks.
  • Exploitation requires authenticated access to a writable share; however, guest accounts with write access to a share are sufficient — treat guest-writable shares as high-risk in unpatched environments.
  • Apple Mac OS X SMB File Server (10.5.8 and 10.6 before 10.6.4) enables wide links by default and is independently vulnerable to the same class of attack.
  • Affected Samba versions: before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3. Debian fix version is 2:3.4.6~dfsg-1.
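
An added example, not part of the original page or of Samba itself: a configuration audit for the option combination described in the notes above, run over a constructed smb.conf. The function names, the sample config and the table of pre-fix defaults are assumptions for illustration; it reports writable shares on which 'unix extensions' and 'wide links' are both in effect.

```python
import re

# Assumed pre-fix defaults (per the notes above): both options on, shares read-only.
PRE_FIX_DEFAULTS = {"unixextensions": True, "widelinks": True, "readonly": True}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
WRITABLE_SYNONYMS = {"writable", "writeable", "writeok"}  # inverse of "read only"

# Constructed sample smb.conf, not taken from a real host.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
[public]
   writable = yes
   guest ok = yes
[docs]
   read only = yes
[scratch]
   read only = no
   wide links = no
"""

def parse_bools(text):
    """Return {section: {normalised_key: bool}} for boolean parameters only."""
    sections, current = {"global": {}}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            key, value = re.sub(r"\s+", "", key).lower(), value.strip().lower()
            if value in TRUE | FALSE:
                flag = value in TRUE
                if key in WRITABLE_SYNONYMS:
                    key, flag = "readonly", not flag
                sections[current][key] = flag
    return sections

def exposed_shares(text):
    """Writable shares where unix extensions and wide links are both in effect."""
    conf = parse_bools(text)
    base = {**PRE_FIX_DEFAULTS, **conf.pop("global")}
    return sorted(name for name, opts in conf.items()
                  if base["unixextensions"]            # global-only parameter
                  and {**base, **opts}["widelinks"]    # share value, else [global]
                  and not {**base, **opts}["readonly"])
```

Calling `exposed_shares(SAMPLE)` flags only `public`; a share-level `wide links = yes` is still reported even when `[global]` sets `wide links = no`.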

CVSS provenance

nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N
osv | 3.5 | LOW
vendor_debian | 3.5 | LOW
vendor_redhat | 3.5 | LOW