CVE-2026-4408
Published: 2026-05-28
Priority: P2 (68) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.50% (82.7th percentile)
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | openshift_container_platform | — | — |
| samba | samba | — | — |
| samba | samba | >= 4.1.0 < 4.21.0 | 4.21.0 |
| ubuntu | samba | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via shell meta-character injection in the Samba SAMR RPC username field: monitor for usernames containing shell meta-characters (e.g., `;`, `|`, `$()`, backticks) in SamValidatePasswordChange or SamValidatePasswordReset RPC calls over NCACN_IP_TCP.
- Monitor for unexpected child processes spawned by samba-dcerpcd or smbd, particularly shell processes (sh, bash, etc.) that are children of samba-dcerpcd when it is running as a system service.
- Alert on SAMR DCE/RPC traffic (SamValidatePasswordChange / SamValidatePasswordReset) arriving over NCACN_IP_TCP from untrusted/external sources targeting Samba file servers or classic domain controllers. NCACN_IP_TCP means the endpoint mapper on TCP 135 plus the dynamic ports it hands out; SAMR on TCP 445 is ncacn_np (named pipes over SMB), a different transport that is not the exposed path here.
- Flag smb.conf configurations where 'check password script' contains a %u that is not wrapped in single quotes (i.e., `%u` rather than `'%u'`) as a high-risk misconfiguration indicator for this CVE.
- Note: configurations that single-quote the substitution (`'%u'`) reduce but do not eliminate risk, because a username beginning with `-` can still inject command-line options into the script; treat such configs as partially mitigated, not safe.
- Only Samba file servers and classic (non-AD) domain controllers are affected; Active Directory Domain Controllers are NOT vulnerable because they do not expand the username via the %u substitution character.
- Exploitation requires the non-default smb.conf setting 'rpc start on demand helpers = no', which causes samba-dcerpcd to run as a system service; in the default configuration the vulnerable code path is inaccessible.
- Exploitation additionally requires 'check password script' to be explicitly configured in smb.conf with the %u substitution character; this is a non-standard, non-default configuration.
- Affected packages span Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4 (rhcos); no mitigation meeting Red Hat Product Security criteria is currently available.
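The configuration checks and the username triage listed above, as an added example written for this page; it is not code from the Samba project or from any of the advisories. The smb.conf fragments and the `/usr/local/sbin/pwcheck` path are constructed, the parser is a deliberately loose approximation of smbd's own (case-insensitive names with internal whitespace ignored, comments only at line start), and the four verdict levels (`none`, `latent`, `partial`, `high`) are this example's own naming of the preconditions the advisory describes.

```python
import re

# Constructed smb.conf fragments for the example (not taken from any real host).
VULNERABLE_CONF = """\
[global]
    server role = standalone server
    # non-default: samba-dcerpcd runs as a long-lived system service
    rpc start on demand helpers = no
    # the client-controlled username is spliced into a shell command line
    check password script = /usr/local/sbin/pwcheck %u
"""
QUOTED_CONF = """\
[global]
    server role = member server
    rpc start on demand helpers = no
    check password script = /usr/local/sbin/pwcheck '%u'
"""
LATENT_CONF = """\
[global]
    server role = standalone server
    check password script = /usr/local/sbin/pwcheck %u
"""
AD_DC_CONF = """\
[global]
    server role = active directory domain controller
    rpc start on demand helpers = no
    check password script = /usr/local/sbin/pwcheck %u
"""


def parse_smb_conf(text):
    """Return the [global] parameters of an smb.conf text as {name: value}.

    Approximates smbd's parsing for audit purposes: parameter names are
    case-insensitive with internal whitespace dropped, only lines that begin
    with '#' or ';' are comments, and a later assignment overrides an earlier one.
    """
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def _is_true(value, default):
    """smb.conf boolean: yes/true/1 are true; an absent parameter takes the default."""
    return default if value is None else value.strip().lower() in ("yes", "true", "1")


def assess(params):
    """Classify a parsed [global] section against the CVE-2026-4408 preconditions."""
    role = re.sub(r"\s+", "", params.get("serverrole", "auto").lower())
    if role == "dc" or "activedirectory" in role:
        return {"level": "none", "reasons": ["AD DC: username is not expanded via %u"]}
    script = params.get("checkpasswordscript", "")
    if not script:
        return {"level": "none", "reasons": ["check password script is not set"]}
    total, quoted = script.count("%u"), script.count("'%u'")
    if total == 0:
        return {"level": "none", "reasons": ["check password script does not use %u"]}
    # Default is 'yes': helpers start on demand and the vulnerable path is unreachable.
    if _is_true(params.get("rpcstartondemandhelpers"), True):
        return {"level": "latent", "reasons": [
            "rpc start on demand helpers is at its default (yes); not reachable now, "
            "but one config change away: update to 4.21.0+ and drop %u"]}
    reasons = ["samba-dcerpcd runs as a system service (rpc start on demand helpers = no)"]
    if total > quoted:
        reasons.append("%u is unquoted: shell meta-characters in the username reach the shell")
        return {"level": "high", "reasons": reasons}
    reasons.append("every %u is single-quoted, but a username starting with '-' "
                   "still injects command-line options into the script")
    return {"level": "partial", "reasons": reasons}


# Characters that give a username meaning to the shell; a leading '-' is the
# option-injection case that survives single quoting.
_SHELL_META = set(";|&`$<>()\n\\\"'")


def suspicious_username(name):
    """Cheap triage filter for usernames seen in SAMR password-validation calls."""
    return name.startswith("-") or any(c in _SHELL_META for c in name)


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("quoted", QUOTED_CONF),
                        ("latent", LATENT_CONF), ("ad_dc", AD_DC_CONF)):
        verdict = assess(parse_smb_conf(conf))
        print(f"{label:10s} -> {verdict['level']}: {'; '.join(verdict['reasons'])}")
    for name in ("alice", "alice;id", "$(id)", "-Xfoo"):
        print(f"{name!r:12s} suspicious={suspicious_username(name)}")
```

Run it against a real file with `assess(parse_smb_conf(open("/etc/samba/smb.conf").read()))`. The `latent` verdict exists because the advisory only says the default configuration makes the path unreachable, not that an unquoted `%u` is safe; a config that is one `rpc start on demand helpers = no` away from `high` should still be patched and rewritten to pass the username some other way.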
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor_redhat): 9.0 CRITICAL
- Ubuntu (vendor_ubuntu): 8.5 HIGH
Ubuntu (vendor_ubuntu · 2026-05-26 · CVSS 8.5)
CVE-2026-4480 [HIGH] Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Asim Viladi Oglu Manizada discovered that Samba incorrectly handled access checks on reparse point operations. An attacker could possibly use this issue to modify reparse point extended attributes on files that should have been read-only. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-1933)

Pavel Kohout discovered that Samba's vfs_worm module did not properly block file overwrites. An attacker could possibly use this issue to overwrite files that should have remained immutable. (CVE-2026-2340)

Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly handled certificate auto-enrolment group policies over HTTP without verification. A machine-in-the-middle attacker c
Red Hat (vendor_redhat · 2026-05-26 · CVSS 9.0)
CVE-2026-4408 [CRITICAL] CWE-78 samba: Remote Code Execution in SAMR
Statement: An Important remote code execution flaw exists in Samba file servers and classic domain controllers when configured with a 'check password script' that
GHSA (ghsa_unreviewed · 2026-05-28)
CVE-2026-4408 [CRITICAL] CWE-78 GHSA-jg8v-92xc-cx65: A flaw was found in Samba
No detection rules found.
No public exploits indexed.
References
https://access.redhat.com/errata/RHSA-2026:22644
https://access.redhat.com/errata/RHSA-2026:22963
https://access.redhat.com/errata/RHSA-2026:25049
https://access.redhat.com/errata/RHSA-2026:25979
https://access.redhat.com/errata/RHSA-2026:28053
https://access.redhat.com/errata/RHSA-2026:28054
https://access.redhat.com/errata/RHSA-2026:28055
https://access.redhat.com/errata/RHSA-2026:28056
https://access.redhat.com/errata/RHSA-2026:28057
https://access.redhat.com/errata/RHSA-2026:28058
https://access.redhat.com/errata/RHSA-2026:28132
https://access.redhat.com/errata/RHSA-2026:29799
https://access.redhat.com/errata/RHSA-2026:29833
https://access.redhat.com/security/cve/CVE-2026-4408
https://bugzilla.redhat.com/show_bug.cgi?id=2479762
https://bugzilla.samba.org/show_bug.cgi?id=16034
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4408.json