CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
If you did nothing this week: unpatched Samba servers expose two unauthenticated remote-code-execution paths rated CVSS 10.0. There is no public confirmation of in-the-wild exploitation yet, but the disclosure-to-exploit interval for a pre-auth 10.0 in software this ubiquitous is a gap a SOC manager should assume is closing, not open.
The Samba project disclosed both issues on 2026-05-27 (covered 2026-05-29). CVE-2026-4408: a client-controlled username is passed to the "check password script" without escaping shell metacharacters. The path is reachable only where a check password script that expands %u is configured and samba-dcerpcd runs as a service, a non-default but common enterprise configuration. CVE-2026-4480: a separate unauthenticated RCE in the printing subsystem, reachable where %J is used in the print command; CUPS/IPP backends are unaffected. Neither 10.0 path affects every install. Both depend on print or authentication settings that are off by default but common in enterprise estates, which is why the first step on any host is to read its effective configuration rather than its version string. CERT-FR issued CERTFR-2026-AVI-0651.

Samba underpins a large share of public-sector, education and healthcare file sharing and, in some estates, the AD domain controller itself. Patch to the fixed builds. Where patching lags: disable the printing path, audit smb.conf for the check password script setting, and restrict SMB reachability. This is the week's highest-severity item; the gap between exposure and compromise is whether the patch landed before someone weaponises a 10.0.
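As an added example (not Samba project code and not taken from the advisory or the CERT-FR notice), the POSIX shell helper below runs the two configuration checks the brief calls for over a `testparm -s` dump: is a check password script set, and does any print command expand %J. The function name, the regular expressions and the two embedded smb.conf samples are constructed for illustration; the samples do not describe a real host.

```shell
#!/bin/sh
# Added audit helper (not Samba project code, not from the advisory).
# It flags the two configuration prerequisites the brief names:
#   1. a non-empty "check password script"      (CVE-2026-4408 path)
#   2. a "print command" that substitutes %J     (CVE-2026-4480 path)
# Feed it the output of `testparm -s` (effective config, defaults resolved);
# the sample configs below are constructed for illustration, not real hosts.

# audit_samba_conf FILE
#   prints one FINDING line per match, then "findings=N";
#   exit status 0 when nothing was found, 1 otherwise.
audit_samba_conf() {
    conf="$1"
    hits=0

    # Path 1: parameter present with a non-empty value. Samba's default is the
    # empty string; lines commented out with '#' or ';' do not match the anchor.
    chk_re='^[[:space:]]*check[[:space:]]+password[[:space:]]+script[[:space:]]*=[[:space:]]*[^[:space:]]'
    if grep -Eiq "$chk_re" "$conf"; then
        echo "FINDING check password script set: $(grep -Ei "$chk_re" "$conf" | head -n 1 | sed 's/^[[:space:]]*//')"
        hits=$((hits + 1))
    fi

    # Path 2: any print command ([global] or per share) that expands %J, the
    # client-supplied job name. CUPS/IPP backends do not go through
    # "print command", so a host on those backends should produce no match.
    prt_re='^[[:space:]]*print[[:space:]]+command[[:space:]]*='
    if grep -Ei "$prt_re" "$conf" | grep -q '%J'; then
        echo "FINDING print command uses %J: $(grep -Ei "$prt_re" "$conf" | grep '%J' | head -n 1 | sed 's/^[[:space:]]*//')"
        hits=$((hits + 1))
    fi

    echo "findings=$hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample 1: an enterprise-style config carrying both prerequisites.
EXPOSED_CONF="$(mktemp)"
cat > "$EXPOSED_CONF" <<'EOF'
[global]
   workgroup = CORP
   security = ads
   ; the commented copy below must not count as a finding
   ; check password script = /usr/local/sbin/pwcheck %u
   check password script = /usr/local/sbin/pwcheck %u

[printers]
   path = /var/spool/samba
   printable = yes
   print command = /usr/bin/lpr -r -P'%p' -J '%J' %s
EOF

# Constructed sample 2: the same host after the interim mitigations the brief
# lists (check password script cleared, print command dropped for a CUPS backend).
MITIGATED_CONF="$(mktemp)"
cat > "$MITIGATED_CONF" <<'EOF'
[global]
   workgroup = CORP
   security = ads
   check password script =

[printers]
   path = /var/spool/samba
   printable = yes
   printing = cups
EOF

for f in "$EXPOSED_CONF" "$MITIGATED_CONF"; do
    echo "== $f"
    audit_samba_conf "$f" || echo "   -> interim mitigations still required"
done
```

Against a live host, save the `testparm -s` output to a file and pass its path to `audit_samba_conf`. The brief ties the first path to samba-dcerpcd running as a service, so pair a check-password-script finding with a process check such as `pgrep samba-dcerpcd`. A clean run says only that the two configuration prerequisites are absent on that host; it says nothing about whether the fixed builds are installed, so it is a triage aid for prioritising the patch queue, not a substitute for patching.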