===========================================================
== Subject:     Unauthenticated Remote Code Execution
==		in Samba DCE/RPC SAMR server
==
== CVE ID#:     CVE-2026-4408
==
== Versions:    All versions
==
== Summary:     Samba file servers and classic (non-AD)
==		domain controllers with samba-dcerpcd
==		started as a system service and with a
==		"check password script" that has the %u
==		substitution character are vulnerable
==		to a remote code execution
===========================================================

===========
Description
===========

Samba file servers and classic (non-AD) domain controllers offer the
SamValidatePasswordChange and SamValidatePasswordReset RPC services on the
SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a
username and password to the "check password script" that can be configured
in smb.conf.

If the "check password script" is configured with the %u
substitution character, the client-controlled username is passed to
the "check password script" without escaping shell meta-characters,
leading to a remote command execution vulnerability.

This is a non-standard configuration in several ways:

It affects only Samba file servers and classic (non-AD) domain controllers
that have the "check password script" configured with the %u
substitution character. Active Directory Domain Controllers are not
affected, because they do not expand the username via the %u
substitution character.

The problem is much less dangerous if %u is directly enclosed in single
quotes, e.g. '%u', but it is still possible to inject
command line options.

Standard Samba file servers and classic domain controllers are also
only affected if the samba-dcerpcd service is started as a system
service, which can only happen if "rpc start on demand helpers" is set
to the non-default setting "no". In the default configuration for
DCE/RPC, smbd starts the samba-dcerpcd in a way that makes the
vulnerable code inaccessible.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0

==========
Workaround
==========

Start samba-dcerpcd on demand, i.e. leave "rpc start on demand helpers"
at its default setting "yes".

Change your "check password script" so that it does not rely on the
username passed via %u but instead retrieves the username from the
SAMBA_CPS_ACCOUNT_NAME environment variable, and remove %u from the
"check password script" setting.
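
The following is an added illustration of the second workaround, not a script shipped by the Samba project: a "check password script" that takes the account name from SAMBA_CPS_ACCOUNT_NAME instead of a %u argument, and treats it only as quoted data so that shell meta-characters in a client-supplied name are never interpreted. It assumes the candidate password arrives on the script's standard input (the smb.conf(5) convention, not stated in this advisory); the installation path and the complexity rules are constructed for the example.

```shell
#!/bin/sh
# Constructed "check password script" that does not use %u.
#
# smb.conf (constructed path):
#   check password script = /usr/local/sbin/samba-cps.sh
# and NOT:
#   check password script = /usr/local/sbin/samba-cps.sh %u
#
# Samba exports the account name in SAMBA_CPS_ACCOUNT_NAME and (assumed,
# per smb.conf(5)) writes the candidate password to standard input.
# Exit status 0 accepts the password, any other value rejects it.

MIN_LEN=12

# check_password ACCOUNT PASSWORD -> 0 if acceptable, 1 otherwise.
# Both arguments are only ever expanded inside double quotes, so a name
# such as 'bob;$(id)' is compared as literal text, never executed.
check_password() {
    account=$1
    password=$2

    # minimum length, using the shell's own character count
    [ "${#password}" -ge "$MIN_LEN" ] || return 1

    # reject a password that contains the account name (case-insensitive);
    # skipped when no account name was supplied, so it cannot match everything
    if [ -n "$account" ]; then
        lc_pw=$(printf '%s' "$password" | tr 'A-Z' 'a-z')
        lc_acct=$(printf '%s' "$account" | tr 'A-Z' 'a-z')
        case "$lc_pw" in
            *"$lc_acct"*) return 1 ;;   # quoted pattern: matched literally
        esac
    fi
    return 0
}

# Entry point when invoked by Samba: only then is SAMBA_CPS_ACCOUNT_NAME set.
# IFS= and -r keep the password byte-for-byte; a missing trailing newline
# makes read return non-zero but still fills the variable.
if [ -n "${SAMBA_CPS_ACCOUNT_NAME+set}" ]; then
    IFS= read -r candidate || :
    check_password "$SAMBA_CPS_ACCOUNT_NAME" "$candidate"
    exit $?
fi
```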

=======
Credits
=======

Originally reported by:
- Ron Ben Yizhak with SafeBreach.
- John Walker with ZeroPath.

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.

This advisory by Volker Lendecke and Stefan Metzmacher
of Sernet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================