cbcvebase.
CVE-2026-4408
published 2026-05-28


Priority: P268
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.50% (82.7th percentile)
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

Affected (7 ranges)

Vendor | Product | Version range | Fixed in
redhat | enterprise_linux | | 
redhat | enterprise_linux | | 
redhat | enterprise_linux | | 
redhat | openshift_container_platform | | 
samba | samba | | 
samba | samba | >= 4.1.0 < 4.21.0 | 4.21.0
ubuntu | samba | | 

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts via shell meta-character injection in the Samba SAMR RPC username field: monitor for usernames containing shell meta-characters (e.g., `;`, `|`, `$()`, backticks) in SamValidatePasswordChange or SamValidatePasswordReset RPC calls over NCACN_IP_TCP
  • Monitor for unexpected child processes spawned by samba-dcerpcd or smbd, particularly shell processes (sh, bash, etc.) that are children of samba-dcerpcd when it is running as a system service
  • Alert on SAMR DCE/RPC traffic (SamValidatePasswordChange / SamValidatePasswordReset) arriving over NCACN_IP_TCP (TCP port 445 or dynamic RPC ports) from untrusted/external sources targeting Samba file servers or classic domain controllers
  • Flag smb.conf configurations where the value of 'check password script' contains an unquoted %u (i.e., not '%u') as a high-risk misconfiguration indicator for this CVE
  • Note: configurations using '%u' (with single quotes directly around %u) reduce but do not eliminate risk, since command-line option injection is still possible; treat such configs as partially mitigated, not safe
  • Only Samba file servers and classic (non-AD) domain controllers are affected; Active Directory Domain Controllers are NOT vulnerable because they do not expand the username via the %u substitution character
  • Exploitation requires the non-default smb.conf setting 'rpc start on demand helpers = no', which causes samba-dcerpcd to run as a system service; in the default configuration the vulnerable code path is inaccessible
  • Exploitation additionally requires 'check password script' to be explicitly configured in smb.conf with the %u substitution character; this is a non-standard, non-default configuration
  • Affected packages span Red Hat Enterprise Linux 6–10 and Red Hat OpenShift Container Platform 4 (rhcos); no mitigation meeting Red Hat Product Security criteria is currently available
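The smb.conf checks in the bullets above, as an added configuration-audit example (written for this page, not code from the advisory sources or from Samba): it flags an unquoted %u in 'check password script', distinguishes the single-quoted form, and reports whether 'rpc start on demand helpers = no' makes samba-dcerpcd a system service. The sample configurations are constructed.

```python
import re

# Constructed smb.conf fragments (not from the advisory) covering the
# configuration states the detection bullets above distinguish.
SAMPLE_CONFIGS = {
    "unquoted": "[global]\n  check password script = /usr/local/bin/pwcheck %u\n"
                "  rpc start on demand helpers = no\n",
    "quoted":   "[global]\n  check password script = /usr/local/bin/pwcheck '%u'\n"
                "  rpc start on demand helpers = no\n",
    "latent":   "[global]\n  check password script = /usr/local/bin/pwcheck %u\n",
    "default":  "[global]\n  workgroup = WORKGROUP\n",
}

def parse_global(text):
    """Return the [global] section of an smb.conf as {key: value}.
    Keys are lowercased and whitespace-normalised, matching how Samba
    treats parameter names; full-line '#' and ';' comments are skipped."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def assess(text):
    """Classify one smb.conf against the CVE-2026-4408 preconditions."""
    params = parse_global(text)
    script = params.get("check password script", "")
    # 'rpc start on demand helpers' defaults to yes; the vulnerable path
    # needs samba-dcerpcd running as a system service, i.e. the value no.
    helpers = params.get("rpc start on demand helpers", "yes").lower()
    as_service = helpers in ("no", "false", "0")
    if "%u" not in script:
        return "NOT_AFFECTED"
    # %u with no single quote on either side is the unescaped form
    unquoted = re.search(r"(?<!')%u(?!')", script) is not None
    if not as_service:
        return "LATENT"          # %u present, but dcerpcd starts on demand
    return "EXPOSED" if unquoted else "PARTIALLY_MITIGATED"

if __name__ == "__main__":
    for name, conf in SAMPLE_CONFIGS.items():
        print(f"{name:9s} -> {assess(conf)}")
```

Run it against a real smb.conf by passing the file contents to assess(); a LATENT result still warrants removing %u from the script, since the default on-demand mode is the only thing keeping the path unreachable.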

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 9.0 CRITICAL
Vendor (Ubuntu): 8.5 HIGH