CVE-2017-14746
published 2017-11-27
CVE-2017-14746: Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
Priority P262 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.88% (95.0th percentile)
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < samba 2:4.7.1+dfsg-2 (bookworm) | samba 2:4.7.1+dfsg-2 (bookworm) |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
| samba | samba | >= 0 < 2:4.7.1+dfsg-2 | 2:4.7.1+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.1+dfsg-2 | 2:4.7.1+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.1+dfsg-2 | 2:4.7.1+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.1+dfsg-2 | 2:4.7.1+dfsg-2 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.14.04.13 | 2:4.3.11+dfsg-0ubuntu0.14.04.13 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.16.04.12 | 2:4.3.11+dfsg-0ubuntu0.16.04.12 |
| samba | samba | >= 4.0.0 < 4.5.0 | 4.5.0 |
| samba | samba | >= 4.5.0 < 4.5.15 | 4.5.15 |
| samba | samba | >= 4.6.0 < 4.6.11 | 4.6.11 |
| samba | samba | >= 4.7.0 < 4.7.3 | 4.7.3 |
Detection & IOCs
- Detect crafted SMB1 requests targeting the use-after-free vulnerability; blocking or alerting on SMB1 protocol usage is the primary detection/mitigation vector.
- Monitor for SMB1 (SMB_COM_WRITE and related commands) traffic to Samba servers; the attack vector is an unauthenticated malicious SMB1 request used to control heap memory via a deallocated heap pointer.
- The exploit chain combines CVE-2017-14746 (use-after-free via SMB1) with CVE-2017-12163 (heap memory leak via SMB_COM_WRITE with oversized numtowrite field); detect SMB_COM_WRITE requests where the declared write length exceeds the actual data carried in the request.
- Mitigation: disable SMB1 by setting 'server min protocol = SMB2' in the [global] section of smb.conf and restarting smbd; note this may break older clients.
- Affected versions: Samba 4.x before 4.7.3; Red Hat Enterprise Linux 5 and 6 packages listed as Not Affected.
- Exploitation research targeted samba_4.6.7+dfsg-1ubuntu2_amd64 on Ubuntu 17.10; Ubuntu compile-time hardening flags (-DFORTIFY_SOURCE=2, -z norelro, -PIE) were noted as obstacles to reliable exploitation.
CVSS provenance
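| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |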
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2017-11-21·CVSS 9.8
CVE-2017-14746 [CRITICAL] Samba vulnerabilities
Title: Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory
when processing certain SMB1 requests. A remote attacker could possibly use
this issue to execute arbitrary code. (CVE-2017-14746)
Volker Lendecke discovered that Samba incorrectly cleared memory when
returning data to a client. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2017-15275)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: Use-after-free in processing SMB1 requests
vendor_redhat·2017-11-21·CVSS 9.8
CVE-2017-14746 [CRITICAL] samba: Use-after-free in processing SMB1 requests
samba: Use-after-free in processing SMB1 requests
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.
Mitigation: Prevent SMB1 access to the server by setting the parameter:
"server min protocol = SMB2"
to the [global] section of your smb.conf and restart smbd. This prevents any SMB1 access to the server. Note this could cause older clients to be unable to connect to the server.
Package: samba (Red Hat Enterprise Linux 5) - Not affected
Package: samba (Red Hat Enterprise Linux 6) - Not affected
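An added example (not code from the advisories or the Samba project): a check that the mitigation above is actually in effect in a given smb.conf, including the cases where the line is commented out or placed in a share section. It assumes an unset parameter falls back to LANMAN1 on the affected releases and does not follow include directives; the sample configurations are constructed.

```python
import re

# SMB dialect names in ascending order; everything up to NT1 is SMB1.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
SMB1_DIALECTS = set(DIALECTS[:5])
DEFAULT_MIN = "LANMAN1"  # assumption: default on the affected releases when unset
# "min protocol" is a synonym; case and spaces in parameter names are ignored.
PARAM_NAMES = {"serverminprotocol", "minprotocol"}

def server_min_protocol(conf_text):
    """Return the 'server min protocol' value set in [global], or the default."""
    section, value = None, DEFAULT_MIN
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                          # only [global] counts here
        name, _, val = line.partition("=")
        if re.sub(r"\s+", "", name).lower() in PARAM_NAMES:
            value = val.strip().upper()       # the last assignment wins
    return value

def smb1_reachable(conf_text):
    """True if SMB1 can still be negotiated (unknown values are flagged too)."""
    proto = server_min_protocol(conf_text)
    return proto in SMB1_DIALECTS or proto not in DIALECTS

# Constructed samples: the first only looks mitigated.
UNMITIGATED = """[global]
   workgroup = EXAMPLE
   ; server min protocol = SMB2
[share]
   path = /srv/share
   server min protocol = SMB2
"""
MITIGATED = """[global]
   workgroup = EXAMPLE
   Server Min Protocol = smb2
"""

if __name__ == "__main__":
    for label, conf in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        print(label, server_min_protocol(conf), "SMB1 reachable:", smb1_reachable(conf))
```

On a live host, `testparm -s` prints the configuration as smbd parses it, which also covers included files.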
Debian
CVE-2017-14746: samba - Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers t...
vendor_debian·2017·CVSS 9.8
CVE-2017-14746 [CRITICAL] CVE-2017-14746: samba - Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers t...
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
Scope: local
bookworm: resolved (fixed in 2:4.7.1+dfsg-2)
bullseye: resolved (fixed in 2:4.7.1+dfsg-2)
forky: resolved (fixed in 2:4.7.1+dfsg-2)
sid: resolved (fixed in 2:4.7.1+dfsg-2)
trixie: resolved (fixed in 2:4.7.1+dfsg-2)
GHSA
GHSA-57pg-7qmc-wmf2: Use-after-free vulnerability in Samba 4
ghsa_unreviewed·2022-05-14
CVE-2017-14746 [CRITICAL] CWE-416 GHSA-57pg-7qmc-wmf2: Use-after-free vulnerability in Samba 4
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
OSV
CVE-2017-14746: Use-after-free vulnerability in Samba 4
osv·2017-11-27·CVSS 9.8
CVE-2017-14746 [CRITICAL] CVE-2017-14746: Use-after-free vulnerability in Samba 4
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
OSV
samba vulnerabilities
osv·2017-11-21·CVSS 9.8
CVE-2017-14746 [CRITICAL] samba vulnerabilities
samba vulnerabilities
Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory
when processing certain SMB1 requests. A remote attacker could possibly use
this issue to execute arbitrary code. (CVE-2017-14746)
Volker Lendecke discovered that Samba incorrectly cleared memory when
returning data to a client. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2017-15275)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-14746 CVE-2017-15275 samba: various flaws [fedora-all]
bugzilla·2017-11-21·CVSS 9.8
CVE-2017-14746 [CRITICAL] CVE-2017-14746 CVE-2017-15275 samba: various flaws [fedora-all]
CVE-2017-14746 CVE-2017-15275 samba: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Wh
Bugzilla
CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
bugzilla·2017-11-10·CVSS 9.8
CVE-2017-14746 [CRITICAL] CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
As per upstream advisory:
All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.
Discussion:
Mitigation:
Prevent SMB1 access to the server by setting the parameter:
"server min protocol = SMB2"
to the [global] section of your smb.conf and restart smbd. This prevents any SMB1 access to the server. Note this could cause older clients to be unable to connect to the server.
---
Acknowledgements:
Name: the Samba project
Upstream: Yihan Lian (Qihoo 360 Gear Team), Zhibin Hu (Qihoo 360 Gear Team)
---
External Ref
Crowdstrike
Trying to Dance the Samba: An Exercise in Weaponizing Vulnerabilities
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Trying to Dance the Samba: An Exercise in Weaponizing Vulnerabilities
- http://www.securityfocus.com/bid/101907
- http://www.securitytracker.com/id/1039856
- http://www.ubuntu.com/usn/USN-3486-1
- https://access.redhat.com/errata/RHSA-2017:3260
- https://access.redhat.com/errata/RHSA-2017:3261
- https://access.redhat.com/errata/RHSA-2017:3278
- https://security.gentoo.org/glsa/201805-07
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03817en_us
- https://www.debian.org/security/2017/dsa-4043
- https://www.samba.org/samba/security/CVE-2017-14746.html
- https://www.synology.com/support/security/Synology_SA_17_72_Samba

Published: 2017-11-27