ZeroPath at Black Hat USA 2026

Samba CVE-2026-4408: Overview of Unauthenticated Remote Code Execution via SAMR Password Script Injection

A brief summary of CVE-2026-4408, a critical unauthenticated remote code execution vulnerability in Samba's SAMR server caused by unescaped shell meta-characters in the check password script feature. Includes patch details and affected version information.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Samba CVE-2026-4408: Overview of Unauthenticated Remote Code Execution via SAMR Password Script Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A shell meta-character injection flaw in Samba's SAMR password validation service allows unauthenticated attackers to execute arbitrary commands on servers that use the "check password script" feature with the %u substitution placeholder. The Samba project itself rates this vulnerability at CVSS 10.0, and the fact that it was independently discovered by two separate security research teams (SafeBreach and ZeroPath) raises the probability that threat actors may also be aware of the flaw.

While the vulnerable configuration is non-default, which limits the immediate blast radius, the near-universal deployment of Samba across Linux distributions means the aggregate number of potentially affected systems is significant. This is especially true for organizations running custom Samba configurations on file servers or classic domain controllers, where the "check password script" feature is most likely to be in use.

Technical Information

Root Cause: CWE-78 OS Command Injection

CVE-2026-4408 is an unauthenticated remote code execution vulnerability in the Samba DCE/RPC SAMR (Security Account Manager Remote) server. The root cause is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) weakness in how Samba handles the %u substitution character within the check password script configuration directive.

When Samba's SamValidatePasswordChange or SamValidatePasswordReset RPC services operate over the NCACN_IP_TCP protocol transport, they invoke the administrator-configured check password script from smb.conf. If that script uses the %u placeholder, Samba expands it with the client-supplied username. Critically, this expansion occurs without escaping shell meta-characters. The username string is passed directly to the system shell, meaning any shell operators embedded in the username (semicolons, pipes, ampersands, dollar signs, backticks) are interpreted as shell syntax rather than literal characters.

This is the same weakness class as the notorious CVE-2007-2447, a Samba command injection from 2007 that was widely exploited in the wild. The recurrence of this pattern nearly two decades later, in a different subsystem but with the same fundamental mechanism, is notable.

CVSS Score Discrepancy

There is a meaningful disagreement across scoring bodies on the severity of this vulnerability:

Scoring BodyCVSS VersionScore
NVD3.19.0
Samba Project3.110.0
SUSE3.19.9
SUSE4.09.4

The Samba project's vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting their assessment that the attack requires no authentication, no user interaction, has low complexity, and achieves changed scope with full impact across confidentiality, integrity, and availability. Organizations should use the highest applicable score for risk prioritization.

Attack Flow

An attacker exploits this vulnerability through the following sequence:

  1. Network connection: The attacker connects to the Samba DCE/RPC SAMR service over NCACN_IP_TCP. No authentication is required.

  2. Crafted RPC request: The attacker sends a SamValidatePasswordChange or SamValidatePasswordReset RPC request containing a malicious username with embedded shell meta-characters (e.g., user; malicious_command).

  3. Unescaped substitution: The Samba server substitutes the attacker-controlled username into the check password script at the %u position without any sanitization or escaping.

  4. Shell interpretation: The system shell executing the script interprets the meta-characters, running the injected command with the privileges of the samba-dcerpcd process.

The entire chain requires no credentials, no user interaction, and no special timing conditions beyond the vulnerable configuration being present.

Required Configuration Conditions

Exploitation requires three non-default configuration conditions to be simultaneously present:

ConditionDefault SettingVulnerable Setting
check password script uses %uNot configuredScript path includes %u substitution
rpc start on demand helpersyesno (causes samba-dcerpcd to run as system service)
Samba roleVariesFile server or classic (non-AD) domain controller

Active Directory Domain Controllers are not affected because they do not expand the username via the %u substitution character.

Why Single-Quote Wrapping Is Insufficient

The Samba advisory notes that wrapping %u in single quotes in the configuration (e.g., check password script = /path/to/script '%u') reduces but does not eliminate risk. While this blocks shell command injection via operators like ;, injection of command-line options remains possible. An attacker could craft a username that introduces options altering the behavior of the invoked script. This is a mitigation, not a fix.

Companion Vulnerability: CVE-2026-4480

CVE-2026-4480, disclosed alongside CVE-2026-4408, is another unauthenticated RCE in the Samba printing subsystem. It also involves unescaped shell characters in client-controlled input passed to configured commands, specifically through print job descriptions. Administrators face two simultaneous critical patching obligations, and both vulnerabilities should be addressed together.

Patch Information

The Samba project released coordinated security updates on May 26, 2026, in the form of versions 4.24.3, 4.23.8, and 4.22.10, all of which contain the fix for CVE-2026-4408. Downloadable patch files and source tarballs are available from the official Samba security page. The upstream fix is tracked under Samba Bugzilla Bug 16034.

The fix ensures that the username value substituted into %u is properly sanitized before being passed to the system shell, preventing injection of arbitrary shell commands through a crafted username. Even quoting %u with single quotes in the script configuration was insufficient before the patch, as command-line option injection was still possible. The patched code path now neutralizes these attack vectors.

The patches were authored by Stefan Metzmacher (SerNet / Samba Team) and Douglas Bagnall (Catalyst / Samba Team), with the advisory co-written by Volker Lendecke and Stefan Metzmacher.

Distribution-Specific Updates

Downstream Linux distributions rapidly adopted the upstream fix:

DistributionAdvisorySeverityDetails
Red Hat Enterprise LinuxRHSA-2026:8322CriticalIncludes CVE-2026-4408
Red Hat Enterprise LinuxRHSA-2026:15980ImportantIncludes CVE-2026-4408
UbuntuUSN-8306-1Not specifiedPackages for 22.04 LTS (2:4.15.13+dfsg-0ubuntu1.12), 24.04 LTS (2:4.19.5+dfsg-4ubuntu9.6), 25.10 (2:4.22.3+dfsg-4ubuntu2.4), 26.04 LTS (2:4.23.6+dfsg-1ubuntu2.1)
SUSESUSE-SU-2026:2076-1CriticalSUSE Linux Enterprise 15 SP7 products
SUSE (SLE 12 SP5)SUSE-SU-2026:2073-1CriticalAlso addresses CVE-2026-4480
DebianDSA-6297-1Not specifiedFixed in bookworm-security (2:4.17.12+dfsg-0+deb12u4), trixie-security (2:4.22.8+dfsg-0+deb13u2), sid (2:4.24.3+dfsg-1). Bullseye remains vulnerable.
Amazon LinuxALAS CVE-2026-4408PendingAmazon Linux 2 and 2023 show "Pending Fix" status

Workaround When Patching Is Not Immediately Possible

For administrators who cannot immediately upgrade, the official advisory describes a workaround: remove %u from the check password script configuration in smb.conf and instead retrieve the username from the SAMBA_CPS_ACCOUNT_NAME environment variable inside the script itself. This eliminates the injection vector entirely without requiring a software update.

Additionally, leaving the rpc start on demand helpers setting at its default value of yes ensures samba-dcerpcd is started in a manner that makes the vulnerable code path inaccessible.

Network segmentation to restrict access to Samba DCE/RPC services (particularly NCACN_IP_TCP on the SAMR pipe) to trusted networks only is also recommended as a defense-in-depth measure.

Affected Systems and Versions

According to the official Samba advisory, all versions of Samba are affected by this vulnerability, provided the vulnerable configuration conditions are met.

The three required conditions are:

  1. The check password script directive in smb.conf uses the %u substitution character
  2. samba-dcerpcd is started as a system service (i.e., rpc start on demand helpers = no)
  3. Samba is running as a file server or classic (non-AD) domain controller

Active Directory Domain Controllers are not affected, as they do not expand the username via %u.

Patched versions are:

BranchFixed Version
4.24.x4.24.3
4.23.x4.23.8
4.22.x4.22.10

Vendor Security History

Samba has a documented history of security vulnerabilities, with several notable entries that provide context for CVE-2026-4408:

CVEYearTypeSeverity
CVE-2007-24472007Remote command injection via username in external scriptsCritical
CVE-2021-441422021Remote code execution via shared folder accessCritical
CVE-2023-349682023Path disclosure via Spotlight protocolModerate
CVE-2024-120852024Information disclosure in Samba RsyncModerate
CVE-2026-44082026Unauthenticated RCE via SAMR check password scriptCritical
CVE-2026-44802026Unauthenticated RCE via printing subsystemCritical

The parallel between CVE-2007-2447 and CVE-2026-4408 is particularly striking. Both involve passing user-controlled input to external scripts without proper escaping of shell meta-characters. CVE-2007-2447 was widely exploited after disclosure, and the recurrence of this exact weakness class nearly two decades later suggests that external script invocations remain a persistent source of command injection risk in the Samba codebase.

The Samba project has consistently demonstrated a responsive security process, releasing patches across multiple release branches simultaneously and coordinating effectively with downstream Linux distributors. The rapid rollout of fixes from Red Hat, Ubuntu, SUSE, and Debian within days of disclosure reflects strong vendor coordination.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization