{
  "schema_version": "1.7.2",
  "id": "OESA-2026-2576",
  "modified": "2026-06-05T15:49:00Z",
  "published": "2026-06-05T15:49:00Z",
  "upstream": ["CVE-2026-3012", "CVE-2026-3238", "CVE-2026-4408", "CVE-2026-4480"],
  "summary": "samba security update",
  "details": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nA flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.(CVE-2026-3012)\n\n-------- Forwarded Message --------\nDate: Tue, 26 May 2026 14:29:50 +0200\nReply-To: Stefan Metzmacher <metze () samba org>\n\nRelease Announcements\n---------------------\n\nThis is a security release in order to address the following defects:\n\no CVE-2026-1933:   Missing access checks on reparse point operations\n\n                   On a share marked \"read only = yes\" and\n                   on file handles opened R/O users can set\n                   or delete the reparse point xattrs on files\n                   that the user has write-access in the file\n                   system for.\n\no CVE-2026-2340:   WORM vfs module does not block overwrites\n\n                   The WORM (Write-Once, Read Many) vfs module\n                   is supposed to lock write access to shared\n                   files, so they cannot be altered after initial\n                   writes. It was allowing files to be overwritten\n                   by renaming a newly created file over a protected\n                   file.\n\no CVE-2026-3012:   auto-enrolment GPO installing CA certificate over http\n                   without verification\n\n                   To bootstrap a certificate chain a domain member must\n                   fetch a certificate without TLS. It was trusting HTTP\n                   for this when a more secure encrypted LDAP channel\n                   was also available.\n\no CVE-2026-3238:   Denial of service against AD DC WINS server\n\n                   The WINS server component of the Active\n                   Directory Domain controller code in Samba\n                   is vulnerable to a NULL pointer dereference\n                   and crash caused by an unauthenticated UDP\n                   packet.\n\no CVE-2026-4408:   [...] server\n\n                   [...] \"check password script\" that has the %u substitution\n                   character are vulnerable to a remote code execution.\n\no CVE-2026-4480:   Unauthenticated Remote Code Execution in Samba printing\n                   subsystem\n\n                   Samba print servers with a \"print command\"\n                   that has the %J substitution character\n                   are vulnerable to a Remote Code Execution.\n\nChanges\n-------\n\no  Douglas Bagnall <douglas.bagnall () catalyst net nz>\n   * BUG 15997: CVE-2026-2340\n   * BUG 16003: CVE-2026-3012\n   * BUG 16033: CVE-2026-4480\n   * BUG 16034: CVE-2026-4408\n\no  Pavel Kohout <pavel () aisle com>\n   * BUG 15997: CVE-2026-2340\n\no  Volker Lendecke <vl () samba org>\n   * BUG 15992: CVE-2026-1933\n   * BUG 16012: CVE-2026-3238\n\no  Stefan Metzmacher <metze () samba org>\n   * BUG 15992: CVE-2026-1933\n   * BUG 16033: CVE-2026-4480\n   * BUG 16034: CVE-2026-4408\n\n[...] has Homedir / In passwd\n\n#######################################\nReporting bugs & Development Discussion\n#######################################\n\nPlease discuss this release on the samba-technical mailing list or by\njoining the #samba-technical:matrix.org matrix room, or\n#samba-technical IRC channel on irc.libera.chat.\n\nIf you do report problems then please try to send high quality\nfeedback. If you don't provide vital information to help us track down\nthe problem then you will probably be ignored.  All bug reports should\nbe filed under the Samba 4.1 and newer product in the project's Bugzilla\ndatabase ([...]).\n\n======================================================================\n== Our Code, Our Bugs, Our Responsibility.\n== The Samba Team\n======================================================================\n\n================\nDownload Details\n================\n\nThe uncompressed tarballs and patch files have been signed\nusing GnuPG (ID AA99442FB680B620).  The source code can be downloaded\nfrom: [...]\n\nThe release notes are available online at: [...]\n\n                        --Enjoy\n                        The Samba Team\n(CVE-2026-3238)\n\nA flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the \"check password script\" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell metacharacters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the \"check password script\" is used with %u and the samba-dcerpcd service is started as a system service.(CVE-2026-4408)\n\nA flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the 'print command' setting via the '%J' substitution character without escaping shell metacharacters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.(CVE-2026-4480)",
  "affected": [
    {
      "package": {
        "ecosystem": "openEuler:24.03-LTS-SP3",
        "name": "samba",
        "purl": "pkg:rpm/openEuler/samba&distro=openEuler-24.03-LTS-SP3"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            { "introduced": "0" },
            { "fixed": "4.19.3-9.oe2403sp3" }
          ]
        }
      ],
      "ecosystem_specific": {
        "aarch64": ["ctdb-4.19.3-9.oe2403sp3.aarch64.rpm", "libsmbclient-4.19.3-9.oe2403sp3.aarch64.rpm", "libsmbclient-devel-4.19.3-9.oe2403sp3.aarch64.rpm", "libwbclient-4.19.3-9.oe2403sp3.aarch64.rpm", "libwbclient-devel-4.19.3-9.oe2403sp3.aarch64.rpm", "python3-samba-4.19.3-9.oe2403sp3.aarch64.rpm", "python3-samba-dc-4.19.3-9.oe2403sp3.aarch64.rpm", "python3-samba-test-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-client-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-client-libs-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-common-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-common-tools-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-dc-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-dc-bind-dlz-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-dc-libs-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-dc-provision-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-debuginfo-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-debugsource-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-devel-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-help-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-krb5-printing-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-libs-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-test-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-tools-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-usershares-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-winbind-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-winbind-clients-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-winbind-krb5-locator-4.19.3-9.oe2403sp3.aarch64.rpm", "samba-winbind-modules-4.19.3-9.oe2403sp3.aarch64.rpm"],
        "noarch": ["samba-pidl-4.19.3-9.oe2403sp3.noarch.rpm"],
        "src": ["samba-4.19.3-9.oe2403sp3.src.rpm"],
        "x86_64": ["ctdb-4.19.3-9.oe2403sp3.x86_64.rpm", "libsmbclient-4.19.3-9.oe2403sp3.x86_64.rpm", "libsmbclient-devel-4.19.3-9.oe2403sp3.x86_64.rpm", "libwbclient-4.19.3-9.oe2403sp3.x86_64.rpm", "libwbclient-devel-4.19.3-9.oe2403sp3.x86_64.rpm", "python3-samba-4.19.3-9.oe2403sp3.x86_64.rpm", "python3-samba-dc-4.19.3-9.oe2403sp3.x86_64.rpm", "python3-samba-test-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-client-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-client-libs-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-common-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-common-tools-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-dc-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-dc-bind-dlz-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-dc-libs-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-dc-provision-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-debuginfo-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-debugsource-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-devel-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-help-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-krb5-printing-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-libs-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-test-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-tools-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-usershares-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-vfs-glusterfs-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-winbind-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-winbind-clients-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-winbind-krb5-locator-4.19.3-9.oe2403sp3.x86_64.rpm", "samba-winbind-modules-4.19.3-9.oe2403sp3.x86_64.rpm"]
      }
    }
  ],
  "references": [
    { "type": "ADVISORY", "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2576" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3012" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3238" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4408" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4480" }
  ],
  "database_specific": { "severity": "Critical" }
}
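The two questions a practitioner asks after reading this record are whether the installed samba package falls inside the advisory's ECOSYSTEM range (introduced 0, fixed 4.19.3-9.oe2403sp3) and whether the host actually carries the non-default smb.conf settings that expose it to CVE-2026-4408 ("check password script" with %u) and CVE-2026-4480 ("print command" with %J). The script below is an added example for this page, not openEuler's or Samba's code. It assumes: no RPM epoch on the package, a cut-down rpmvercmp that omits librpm's tilde/caret rules, a minimal smb.conf reader with no support for `include` or backslash continuation (feed it `testparm -s` output for the effective configuration), and a constructed sample config. The remaining CVE-2026-4408 precondition the advisory names, samba-dcerpcd running as a system service, is a service-manager question and is not checked here.

```python
"""Added example for the openEuler samba advisory; not openEuler's or
Samba's code.  Assumptions: no RPM epoch; rpmvercmp here omits librpm's
tilde/caret handling; the smb.conf reader ignores 'include' and
backslash continuation; SAMPLE_SMB_CONF is constructed."""
import re

FIXED_VR = "4.19.3-9.oe2403sp3"        # "fixed" event in the advisory


def _segments(s):
    # RPM compares runs of digits and runs of letters; separators are ignored.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1       # a numeric segment beats an alpha one
        if xd:
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):         # longer digit run is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # leftover segments mean newer


def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable_version(installed_vr, fixed_vr=FIXED_VR):
    """True when installed < fixed, i.e. inside [introduced 0, fixed).
    Obtain installed_vr with: rpm -q --qf '%{VERSION}-%{RELEASE}' samba"""
    return evr_cmp(installed_vr, fixed_vr) < 0


def parse_smb_conf(text):
    """{section: {normalised_param: value}}.  Samba ignores case and
    whitespace in parameter names.  Only whole-line comments are stripped,
    because ';' is legal inside a value (e.g. 'lpr ... %s ; rm %s')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


# (normalised parameter, substitution token, CVE the advisory ties it to)
RISKY = (
    ("checkpasswordscript", "%u", "CVE-2026-4408"),
    ("printcommand", "%J", "CVE-2026-4480"),
)


def audit_smb_conf(text):
    """Return [(section, parameter, cve)] for every flagged setting.  The
    token is matched literally: quoting it in smb.conf does not help, since
    Samba substitutes the text before the line reaches the shell."""
    return [
        (section, key, cve)
        for section, params in parse_smb_conf(text).items()
        for key, token, cve in RISKY
        if token in params.get(key, "")
    ]


SAMPLE_SMB_CONF = """\
# constructed sample for this example, not a real deployment
[global]
   workgroup = EXAMPLE
   check password script = /usr/local/bin/pwcheck %u
   print command = lpr -P %p %s

[printers]
   path = /var/spool/samba
   printable = yes
   print command = lpr -P '%p' -J '%J' %s ; rm %s

[public]
   path = /srv/public
   read only = yes
"""

if __name__ == "__main__":
    for vr in ("4.19.3-8.oe2403sp3", "4.19.3-9.oe2403sp3"):
        print(vr, "vulnerable" if is_vulnerable_version(vr) else "fixed")
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("flagged:", finding)
```

Against the sample, the version check reports 4.19.3-8.oe2403sp3 as vulnerable and 4.19.3-9.oe2403sp3 as fixed, and the config audit flags the global "check password script" and the [printers] "print command". A clean audit only narrows exposure to CVE-2026-4408 and CVE-2026-4480; CVE-2026-3012 and CVE-2026-3238 depend on the host's role (domain member with auto-enrolment, AD DC running WINS), not on these parameters, so the package update is still the fix.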
