ZeroPath at Black Hat USA 2026

Brief Summary: Samba CVE-2026-1933 Read-Only Share Bypass via Reparse Point Access Check Flaw

A short review of CVE-2026-1933, a high severity access control bypass in Samba that allows authenticated users to modify reparse point metadata on read-only shares. Includes technical details, patch information, and affected version guidance.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-27

Brief Summary: Samba CVE-2026-1933 Read-Only Share Bypass via Reparse Point Access Check Flaw
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing access check in Samba's reparse point handling allows authenticated users to silently subvert the read only = yes share directive, one of the most fundamental security boundaries administrators configure on SMB exports. For any organization running Samba 4.21 or later with read-only shares where users also hold underlying filesystem write permissions, CVE-2026-1933 means that the "read only" label on those shares has been a suggestion rather than an enforcement for every release since the reparse point feature shipped.

This vulnerability, scored CVSS 7.1 (High), was disclosed and patched on May 26, 2026, as part of a larger Samba security release that also addresses two unauthenticated remote code execution flaws. The combination makes this release cycle one of the more consequential Samba updates in recent memory.

Technical Information

Root Cause: Missing SMB Layer Access Checks on Reparse Point Operations

Starting with Samba 4.21, the server gained the ability to create and delete NTFS-style reparse points via the SMB protocol. Reparse point metadata is stored in two extended attributes on the underlying filesystem:

  • user.SmbReparse: Contains the reparse point data itself
  • user.DosAttrib: Carries the FILE_ATTRIBUTE_REPARSE_POINT bit flag

Writing to these xattrs requires filesystem-level write permissions on the underlying file. However, the code path that handles reparse point set and delete operations never consulted Samba's own higher-level access enforcement. Specifically, neither the read only = yes share directive nor read-only file handle semantics were checked before the server allowed modifications to the reparse point xattrs.

This is a classic case of a new feature being added without integrating it into the existing authorization framework. Every other write operation on a read only = yes share goes through SMB-layer access checks that deny the operation. The reparse point code path simply skipped this step entirely.

The vulnerability is classified under CWE-284: Improper Access Control, which MITRE defines as "the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."

CVSS Vector Breakdown

The CVSS v3 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, which breaks down as follows:

ComponentValueInterpretation
Attack VectorNetworkExploitable remotely over SMB
Attack ComplexityLowNo special conditions required
Privileges RequiredLowAny authenticated user is sufficient
User InteractionNoneNo victim action needed
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityNoneNo direct information disclosure
IntegrityLowModification of file metadata and behavior
AvailabilityHighCan render files or entire filesystems unusable

The Availability impact rated High is notable. An attacker can convert all files on a share into reparse point types (most commonly symbolic links), rendering the entire export unusable for legitimate clients.

Attack Flow

Exploitation requires three preconditions to be met simultaneously:

  1. Valid SMB authentication credentials: The attacker must be able to authenticate to the Samba server. Any low-privilege account is sufficient.
  2. Network access to the SMB service: Standard TCP port 445 connectivity.
  3. Filesystem-level write permissions: The attacker's mapped POSIX user must have write permissions on at least one file within a share configured with read only = yes.

With these preconditions satisfied, the attack proceeds as follows:

  1. The attacker authenticates to the Samba server and connects to a share marked read only = yes.
  2. The attacker issues an SMB reparse point set operation against a target file. This operation modifies the user.SmbReparse xattr and sets the FILE_ATTRIBUTE_REPARSE_POINT bit in user.DosAttrib.
  3. Because the reparse point code path does not check the share's read-only configuration or the file handle's access mode, the server processes the operation successfully.
  4. The target file is now seen by all SMB clients (Windows and Linux) as a reparse point, most commonly a symbolic link pointing to an attacker-controlled path.

The most prominent exploitation scenario involves converting existing files into symbolic links. This could redirect client file access to unintended locations on the server, potentially allowing access to data outside the intended share boundary. At scale, an attacker could convert every file on a share into a symlink, creating a denial-of-service condition where the entire export becomes unusable.

The denial-of-service condition is reversible. An administrator can restore normal operation by removing the user.SmbReparse xattr and clearing the FILE_ATTRIBUTE_REPARSE_POINT bit from user.DosAttrib on affected files using tools like setfattr.

The Permission Model Tension

This vulnerability highlights a common but dangerous configuration pattern: environments where the same user accounts have both SMB access to read-only shares and direct filesystem write permissions (via SSH, local access, or other non-SMB pathways). Administrators often assume that read only = yes at the SMB layer provides complete protection regardless of underlying filesystem permissions. CVE-2026-1933 demonstrates that this assumption was invalid for reparse point operations since Samba 4.21.

Patch Information

The Samba project released upstream security patches on May 26, 2026 in three new stable releases:

ReleaseReplacesDownload
Samba 4.24.34.24.2Available from download.samba.org/pub/samba/stable/
Samba 4.23.84.23.7Available from download.samba.org/pub/samba/stable/
Samba 4.22.104.22.9Available from download.samba.org/pub/samba/stable/

All three releases are signed with GnuPG key ID AA99442FB680B620. Incremental diff files (e.g., samba-4.24.2-4.24.3.diffs.gz) are also available for those building from source.

The fix adds the required access checks so that Samba now properly enforces its own share-level and handle-level read-only semantics before permitting any modification to the reparse point xattrs. The patch was authored by Volker Lendecke and Stefan Metzmacher of the Samba team. The vulnerability was originally reported by Asim Viladi Oglu Manizada. The fix is tracked as Samba Bug #15992.

These releases also patch five additional CVEs (CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408, CVE-2026-4480), including two unauthenticated RCE vulnerabilities. This makes the upgrade critical beyond just CVE-2026-1933.

Downstream Distribution Patches

  • Ubuntu: USN-8306-1 published May 26, 2026. Fixed packages for Ubuntu 26.04 LTS (2:4.23.6+dfsg-1ubuntu2.1) and Ubuntu 25.10 (2:4.22.3+dfsg-4ubuntu2.4). Older releases (24.04 LTS, 22.04 LTS) are not affected as their Samba versions predate the 4.21 introduction of reparse point support.
  • Debian: Fixed in trixie (security) at version 2:4.22.8+dfsg-0+deb13u2 and in sid at 2:4.24.3+dfsg-1. Bullseye and bookworm are not affected. Tracked at the Debian Security Tracker.
  • SUSE: Advisory SUSE-SU-2026:2076-1 (rated critical) with the fix in Samba package version 4.21.10+git.501.277ba349a01-150700.3.26.1 for SUSE Linux Enterprise 15 SP7.
  • Red Hat: RHSA-2026:7292 rated Important security impact.
  • Amazon Linux 2 and Amazon Linux 2023: Confirmed not affected, as their Samba packages do not include the vulnerable reparse point feature.

Workaround for Deferred Patching

For organizations unable to immediately upgrade, the Samba team provides an official workaround: ensure that users who access a read only = yes share do not have filesystem-level write permission to the exported files. This can be implemented by adjusting POSIX permissions on exported directories and files so that SMB user accounts have read-only access at the filesystem level. This workaround may not be feasible in environments where the same users legitimately need filesystem write access for non-SMB workflows.

Affected Systems and Versions

All versions of Samba since 4.21 are affected. The reparse point feature was introduced in Samba 4.21, so versions prior to 4.21 are not vulnerable.

Specifically affected version ranges:

  • Samba 4.21.x (all releases)
  • Samba 4.22.x through 4.22.9
  • Samba 4.23.x through 4.23.7
  • Samba 4.24.x through 4.24.2

Fixed versions:

  • Samba 4.22.10
  • Samba 4.23.8
  • Samba 4.24.3

The vulnerable configuration requires a share with read only = yes where authenticated SMB users also have underlying POSIX filesystem write permissions on the exported files. Shares where users lack filesystem write permissions are not exploitable even on unpatched versions.

Distributions confirmed not affected include Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Debian bullseye, Debian bookworm, Amazon Linux 2, and Amazon Linux 2023, as their Samba packages predate the 4.21 feature introduction.

Vendor Security History

The Samba project has a long track record of public security disclosures dating back to 2001, maintained on their security updates page. The project follows a responsible disclosure model and has historically provided timely patches. Notable past vulnerabilities include CVE-2016-2124 and CVE-2020-25717 (both related to authentication and authorization flaws) and CVE-2024-12085 (information disclosure in Samba Rsync).

The May 26, 2026 security release is larger than average, patching six CVEs simultaneously. The inclusion of two unauthenticated RCE vulnerabilities (CVE-2026-4408 in the DCE/RPC SAMR server and CVE-2026-4480 in the printing subsystem) alongside CVE-2026-1933 suggests that the 4.21 codebase introduced several security regressions when new features were added. This pattern of new features introducing access control gaps is consistent with the broader CWE-284 category and underscores the risk of SMB protocol feature expansion without proportionate security review.

The Samba team's stated philosophy is "Our Code, Our Bugs, Our Responsibility," and the coordinated multi-version release with standalone patch files and signed tarballs reflects a mature security response process.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization