Introduction
A missing access check in Samba's reparse point handling allows authenticated users to silently subvert the read only = yes share directive, one of the most fundamental security boundaries administrators configure on SMB exports. For any organization running Samba 4.21 or later with read-only shares where users also hold underlying filesystem write permissions, CVE-2026-1933 means that the "read only" label on those shares has been a suggestion rather than an enforcement for every release since the reparse point feature shipped.
This vulnerability, scored CVSS 7.1 (High), was disclosed and patched on May 26, 2026, as part of a larger Samba security release that also addresses two unauthenticated remote code execution flaws. The combination makes this release cycle one of the more consequential Samba updates in recent memory.
Technical Information
Root Cause: Missing SMB Layer Access Checks on Reparse Point Operations
Starting with Samba 4.21, the server gained the ability to create and delete NTFS-style reparse points via the SMB protocol. Reparse point metadata is stored in two extended attributes on the underlying filesystem:
user.SmbReparse: Contains the reparse point data itselfuser.DosAttrib: Carries theFILE_ATTRIBUTE_REPARSE_POINTbit flag
Writing to these xattrs requires filesystem-level write permissions on the underlying file. However, the code path that handles reparse point set and delete operations never consulted Samba's own higher-level access enforcement. Specifically, neither the read only = yes share directive nor read-only file handle semantics were checked before the server allowed modifications to the reparse point xattrs.
This is a classic case of a new feature being added without integrating it into the existing authorization framework. Every other write operation on a read only = yes share goes through SMB-layer access checks that deny the operation. The reparse point code path simply skipped this step entirely.
The vulnerability is classified under CWE-284: Improper Access Control, which MITRE defines as "the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."
CVSS Vector Breakdown
The CVSS v3 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, which breaks down as follows:
| Component | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over SMB |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Any authenticated user is sufficient |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact confined to the vulnerable component |
| Confidentiality | None | No direct information disclosure |
| Integrity | Low | Modification of file metadata and behavior |
| Availability | High | Can render files or entire filesystems unusable |
The Availability impact rated High is notable. An attacker can convert all files on a share into reparse point types (most commonly symbolic links), rendering the entire export unusable for legitimate clients.
Attack Flow
Exploitation requires three preconditions to be met simultaneously:
- Valid SMB authentication credentials: The attacker must be able to authenticate to the Samba server. Any low-privilege account is sufficient.
- Network access to the SMB service: Standard TCP port 445 connectivity.
- Filesystem-level write permissions: The attacker's mapped POSIX user must have write permissions on at least one file within a share configured with
read only = yes.
With these preconditions satisfied, the attack proceeds as follows:
- The attacker authenticates to the Samba server and connects to a share marked
read only = yes. - The attacker issues an SMB reparse point set operation against a target file. This operation modifies the
user.SmbReparsexattr and sets theFILE_ATTRIBUTE_REPARSE_POINTbit inuser.DosAttrib. - Because the reparse point code path does not check the share's read-only configuration or the file handle's access mode, the server processes the operation successfully.
- The target file is now seen by all SMB clients (Windows and Linux) as a reparse point, most commonly a symbolic link pointing to an attacker-controlled path.
The most prominent exploitation scenario involves converting existing files into symbolic links. This could redirect client file access to unintended locations on the server, potentially allowing access to data outside the intended share boundary. At scale, an attacker could convert every file on a share into a symlink, creating a denial-of-service condition where the entire export becomes unusable.
The denial-of-service condition is reversible. An administrator can restore normal operation by removing the user.SmbReparse xattr and clearing the FILE_ATTRIBUTE_REPARSE_POINT bit from user.DosAttrib on affected files using tools like setfattr.
The Permission Model Tension
This vulnerability highlights a common but dangerous configuration pattern: environments where the same user accounts have both SMB access to read-only shares and direct filesystem write permissions (via SSH, local access, or other non-SMB pathways). Administrators often assume that read only = yes at the SMB layer provides complete protection regardless of underlying filesystem permissions. CVE-2026-1933 demonstrates that this assumption was invalid for reparse point operations since Samba 4.21.
Patch Information
The Samba project released upstream security patches on May 26, 2026 in three new stable releases:
| Release | Replaces | Download |
|---|---|---|
| Samba 4.24.3 | 4.24.2 | Available from download.samba.org/pub/samba/stable/ |
| Samba 4.23.8 | 4.23.7 | Available from download.samba.org/pub/samba/stable/ |
| Samba 4.22.10 | 4.22.9 | Available from download.samba.org/pub/samba/stable/ |
All three releases are signed with GnuPG key ID AA99442FB680B620. Incremental diff files (e.g., samba-4.24.2-4.24.3.diffs.gz) are also available for those building from source.
The fix adds the required access checks so that Samba now properly enforces its own share-level and handle-level read-only semantics before permitting any modification to the reparse point xattrs. The patch was authored by Volker Lendecke and Stefan Metzmacher of the Samba team. The vulnerability was originally reported by Asim Viladi Oglu Manizada. The fix is tracked as Samba Bug #15992.
These releases also patch five additional CVEs (CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408, CVE-2026-4480), including two unauthenticated RCE vulnerabilities. This makes the upgrade critical beyond just CVE-2026-1933.
Downstream Distribution Patches
- Ubuntu: USN-8306-1 published May 26, 2026. Fixed packages for Ubuntu 26.04 LTS (
2:4.23.6+dfsg-1ubuntu2.1) and Ubuntu 25.10 (2:4.22.3+dfsg-4ubuntu2.4). Older releases (24.04 LTS, 22.04 LTS) are not affected as their Samba versions predate the 4.21 introduction of reparse point support. - Debian: Fixed in trixie (security) at version
2:4.22.8+dfsg-0+deb13u2and in sid at2:4.24.3+dfsg-1. Bullseye and bookworm are not affected. Tracked at the Debian Security Tracker. - SUSE: Advisory SUSE-SU-2026:2076-1 (rated critical) with the fix in Samba package version
4.21.10+git.501.277ba349a01-150700.3.26.1for SUSE Linux Enterprise 15 SP7. - Red Hat: RHSA-2026:7292 rated Important security impact.
- Amazon Linux 2 and Amazon Linux 2023: Confirmed not affected, as their Samba packages do not include the vulnerable reparse point feature.
Workaround for Deferred Patching
For organizations unable to immediately upgrade, the Samba team provides an official workaround: ensure that users who access a read only = yes share do not have filesystem-level write permission to the exported files. This can be implemented by adjusting POSIX permissions on exported directories and files so that SMB user accounts have read-only access at the filesystem level. This workaround may not be feasible in environments where the same users legitimately need filesystem write access for non-SMB workflows.
Affected Systems and Versions
All versions of Samba since 4.21 are affected. The reparse point feature was introduced in Samba 4.21, so versions prior to 4.21 are not vulnerable.
Specifically affected version ranges:
- Samba 4.21.x (all releases)
- Samba 4.22.x through 4.22.9
- Samba 4.23.x through 4.23.7
- Samba 4.24.x through 4.24.2
Fixed versions:
- Samba 4.22.10
- Samba 4.23.8
- Samba 4.24.3
The vulnerable configuration requires a share with read only = yes where authenticated SMB users also have underlying POSIX filesystem write permissions on the exported files. Shares where users lack filesystem write permissions are not exploitable even on unpatched versions.
Distributions confirmed not affected include Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Debian bullseye, Debian bookworm, Amazon Linux 2, and Amazon Linux 2023, as their Samba packages predate the 4.21 feature introduction.
Vendor Security History
The Samba project has a long track record of public security disclosures dating back to 2001, maintained on their security updates page. The project follows a responsible disclosure model and has historically provided timely patches. Notable past vulnerabilities include CVE-2016-2124 and CVE-2020-25717 (both related to authentication and authorization flaws) and CVE-2024-12085 (information disclosure in Samba Rsync).
The May 26, 2026 security release is larger than average, patching six CVEs simultaneously. The inclusion of two unauthenticated RCE vulnerabilities (CVE-2026-4408 in the DCE/RPC SAMR server and CVE-2026-4480 in the printing subsystem) alongside CVE-2026-1933 suggests that the 4.21 codebase introduced several security regressions when new features were added. This pattern of new features introducing access control gaps is consistent with the broader CWE-284 category and underscores the risk of SMB protocol feature expansion without proportionate security review.
The Samba team's stated philosophy is "Our Code, Our Bugs, Our Responsibility," and the coordinated multi-version release with standalone patch files and signed tarballs reflects a mature security response process.
References
- Samba Security Announcement for CVE-2026-1933
- Red Hat CVE Page for CVE-2026-1933
- Red Hat Bugzilla #2447317
- Samba Bugzilla #15992
- oss-security Mailing List Disclosure
- Ubuntu Security Notice USN-8306-1
- Ubuntu CVE Tracker for CVE-2026-1933
- SUSE Advisory SUSE-SU-2026:2076-1
- Amazon Linux CVE Tracker for CVE-2026-1933
- Debian Security Tracker for CVE-2026-1933
- Samba 4.24.3 Release Notes
- Samba 4.23.8 Release Notes
- Samba 4.22.10 Release Notes
- Red Hat Advisory RHSA-2026:7292
- Samba Security Updates and History
- CWE-284: Improper Access Control
- LinuxSecurity Advisory Coverage



