Introduction
A shell meta-character injection flaw in Samba's SAMR password validation service allows unauthenticated attackers to execute arbitrary commands on servers that use the "check password script" feature with the %u substitution placeholder. The Samba project itself rates this vulnerability at CVSS 10.0, and the fact that it was independently discovered by two separate security research teams (SafeBreach and ZeroPath) raises the probability that threat actors may also be aware of the flaw.
While the vulnerable configuration is non-default, which limits the immediate blast radius, the near-universal deployment of Samba across Linux distributions means the aggregate number of potentially affected systems is significant. This is especially true for organizations running custom Samba configurations on file servers or classic domain controllers, where the "check password script" feature is most likely to be in use.
Technical Information
Root Cause: CWE-78 OS Command Injection
CVE-2026-4408 is an unauthenticated remote code execution vulnerability in the Samba DCE/RPC SAMR (Security Account Manager Remote) server. The root cause is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) weakness in how Samba handles the %u substitution character within the check password script configuration directive.
When Samba's SamValidatePasswordChange or SamValidatePasswordReset RPC services operate over the NCACN_IP_TCP protocol transport, they invoke the administrator-configured check password script from smb.conf. If that script uses the %u placeholder, Samba expands it with the client-supplied username. Critically, this expansion occurs without escaping shell meta-characters. The username string is passed directly to the system shell, meaning any shell operators embedded in the username (semicolons, pipes, ampersands, dollar signs, backticks) are interpreted as shell syntax rather than literal characters.
This is the same weakness class as the notorious CVE-2007-2447, a Samba command injection from 2007 that was widely exploited in the wild. The recurrence of this pattern nearly two decades later, in a different subsystem but with the same fundamental mechanism, is notable.
CVSS Score Discrepancy
There is a meaningful disagreement across scoring bodies on the severity of this vulnerability:
| Scoring Body | CVSS Version | Score |
|---|---|---|
| NVD | 3.1 | 9.0 |
| Samba Project | 3.1 | 10.0 |
| SUSE | 3.1 | 9.9 |
| SUSE | 4.0 | 9.4 |
The Samba project's vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting their assessment that the attack requires no authentication, no user interaction, has low complexity, and achieves changed scope with full impact across confidentiality, integrity, and availability. Organizations should use the highest applicable score for risk prioritization.
Attack Flow
An attacker exploits this vulnerability through the following sequence:
-
Network connection: The attacker connects to the Samba DCE/RPC SAMR service over
NCACN_IP_TCP. No authentication is required. -
Crafted RPC request: The attacker sends a
SamValidatePasswordChangeorSamValidatePasswordResetRPC request containing a malicious username with embedded shell meta-characters (e.g.,user; malicious_command). -
Unescaped substitution: The Samba server substitutes the attacker-controlled username into the
check password scriptat the%uposition without any sanitization or escaping. -
Shell interpretation: The system shell executing the script interprets the meta-characters, running the injected command with the privileges of the
samba-dcerpcdprocess.
The entire chain requires no credentials, no user interaction, and no special timing conditions beyond the vulnerable configuration being present.
Required Configuration Conditions
Exploitation requires three non-default configuration conditions to be simultaneously present:
| Condition | Default Setting | Vulnerable Setting |
|---|---|---|
check password script uses %u | Not configured | Script path includes %u substitution |
rpc start on demand helpers | yes | no (causes samba-dcerpcd to run as system service) |
| Samba role | Varies | File server or classic (non-AD) domain controller |
Active Directory Domain Controllers are not affected because they do not expand the username via the %u substitution character.
Why Single-Quote Wrapping Is Insufficient
The Samba advisory notes that wrapping %u in single quotes in the configuration (e.g., check password script = /path/to/script '%u') reduces but does not eliminate risk. While this blocks shell command injection via operators like ;, injection of command-line options remains possible. An attacker could craft a username that introduces options altering the behavior of the invoked script. This is a mitigation, not a fix.
Companion Vulnerability: CVE-2026-4480
CVE-2026-4480, disclosed alongside CVE-2026-4408, is another unauthenticated RCE in the Samba printing subsystem. It also involves unescaped shell characters in client-controlled input passed to configured commands, specifically through print job descriptions. Administrators face two simultaneous critical patching obligations, and both vulnerabilities should be addressed together.
Patch Information
The Samba project released coordinated security updates on May 26, 2026, in the form of versions 4.24.3, 4.23.8, and 4.22.10, all of which contain the fix for CVE-2026-4408. Downloadable patch files and source tarballs are available from the official Samba security page. The upstream fix is tracked under Samba Bugzilla Bug 16034.
The fix ensures that the username value substituted into %u is properly sanitized before being passed to the system shell, preventing injection of arbitrary shell commands through a crafted username. Even quoting %u with single quotes in the script configuration was insufficient before the patch, as command-line option injection was still possible. The patched code path now neutralizes these attack vectors.
The patches were authored by Stefan Metzmacher (SerNet / Samba Team) and Douglas Bagnall (Catalyst / Samba Team), with the advisory co-written by Volker Lendecke and Stefan Metzmacher.
Distribution-Specific Updates
Downstream Linux distributions rapidly adopted the upstream fix:
| Distribution | Advisory | Severity | Details |
|---|---|---|---|
| Red Hat Enterprise Linux | RHSA-2026:8322 | Critical | Includes CVE-2026-4408 |
| Red Hat Enterprise Linux | RHSA-2026:15980 | Important | Includes CVE-2026-4408 |
| Ubuntu | USN-8306-1 | Not specified | Packages for 22.04 LTS (2:4.15.13+dfsg-0ubuntu1.12), 24.04 LTS (2:4.19.5+dfsg-4ubuntu9.6), 25.10 (2:4.22.3+dfsg-4ubuntu2.4), 26.04 LTS (2:4.23.6+dfsg-1ubuntu2.1) |
| SUSE | SUSE-SU-2026:2076-1 | Critical | SUSE Linux Enterprise 15 SP7 products |
| SUSE (SLE 12 SP5) | SUSE-SU-2026:2073-1 | Critical | Also addresses CVE-2026-4480 |
| Debian | DSA-6297-1 | Not specified | Fixed in bookworm-security (2:4.17.12+dfsg-0+deb12u4), trixie-security (2:4.22.8+dfsg-0+deb13u2), sid (2:4.24.3+dfsg-1). Bullseye remains vulnerable. |
| Amazon Linux | ALAS CVE-2026-4408 | Pending | Amazon Linux 2 and 2023 show "Pending Fix" status |
Workaround When Patching Is Not Immediately Possible
For administrators who cannot immediately upgrade, the official advisory describes a workaround: remove %u from the check password script configuration in smb.conf and instead retrieve the username from the SAMBA_CPS_ACCOUNT_NAME environment variable inside the script itself. This eliminates the injection vector entirely without requiring a software update.
Additionally, leaving the rpc start on demand helpers setting at its default value of yes ensures samba-dcerpcd is started in a manner that makes the vulnerable code path inaccessible.
Network segmentation to restrict access to Samba DCE/RPC services (particularly NCACN_IP_TCP on the SAMR pipe) to trusted networks only is also recommended as a defense-in-depth measure.
Affected Systems and Versions
According to the official Samba advisory, all versions of Samba are affected by this vulnerability, provided the vulnerable configuration conditions are met.
The three required conditions are:
- The
check password scriptdirective insmb.confuses the%usubstitution character samba-dcerpcdis started as a system service (i.e.,rpc start on demand helpers = no)- Samba is running as a file server or classic (non-AD) domain controller
Active Directory Domain Controllers are not affected, as they do not expand the username via %u.
Patched versions are:
| Branch | Fixed Version |
|---|---|
| 4.24.x | 4.24.3 |
| 4.23.x | 4.23.8 |
| 4.22.x | 4.22.10 |
Vendor Security History
Samba has a documented history of security vulnerabilities, with several notable entries that provide context for CVE-2026-4408:
| CVE | Year | Type | Severity |
|---|---|---|---|
| CVE-2007-2447 | 2007 | Remote command injection via username in external scripts | Critical |
| CVE-2021-44142 | 2021 | Remote code execution via shared folder access | Critical |
| CVE-2023-34968 | 2023 | Path disclosure via Spotlight protocol | Moderate |
| CVE-2024-12085 | 2024 | Information disclosure in Samba Rsync | Moderate |
| CVE-2026-4408 | 2026 | Unauthenticated RCE via SAMR check password script | Critical |
| CVE-2026-4480 | 2026 | Unauthenticated RCE via printing subsystem | Critical |
The parallel between CVE-2007-2447 and CVE-2026-4408 is particularly striking. Both involve passing user-controlled input to external scripts without proper escaping of shell meta-characters. CVE-2007-2447 was widely exploited after disclosure, and the recurrence of this exact weakness class nearly two decades later suggests that external script invocations remain a persistent source of command injection risk in the Samba codebase.
The Samba project has consistently demonstrated a responsive security process, releasing patches across multiple release branches simultaneously and coordinating effectively with downstream Linux distributors. The rapid rollout of fixes from Red Hat, Ubuntu, SUSE, and Debian within days of disclosure reflects strong vendor coordination.
References
- NVD: CVE-2026-4408
- Samba Security Advisory: CVE-2026-4408
- Samba Bugzilla Bug 16034
- Red Hat Bugzilla: 2479762
- Red Hat CVE Page: CVE-2026-4408
- RHSA-2026:8322 Security Advisory
- RHSA-2026:15980 Security Advisory
- Ubuntu Security Notice USN-8306-1
- Debian Security Tracker: CVE-2026-4408
- SUSE-SU-2026:2076-1
- SUSE-SU-2026:2073-1
- Amazon Linux CVE-2026-4408
- Samba 4.24.3 Release Notes
- Samba 4.22.10 Release Notes
- Samba 4.24.3, 4.23.8, and 4.22.10 Released (LinuxCompatible)
- Tenable Nessus Plugin 316852
- Samba Security Updates and Information
- NVD: CVE-2026-4480
- Red Hat CVE Page: CVE-2026-4480
- Feedly CVE-2026-4408 Tracking



