Samba print-command subsystem — unauthenticated shell injection via %J substitution; raw/classic printing only (CVSS 10.0)

The Samba Project shipped coordinated releases 4.22.10 / 4.23.8 / 4.24.3 on 2026-05-27 covering six CVEs; two reach CVSS 10.0. CVE-2026-4408 is a shell-metacharacter injection in SamValidatePasswordChange and SamValidatePasswordReset RPC handlers in the Samba DCE/RPC SAMR server — the client-controlled username is substituted into the check password script smb.conf option via %u without escaping. Prerequisites are non-default but real: a check password script containing %u must be configured, and samba-dcerpcd must be running as a system service (which requires the non-default rpc start on demand helpers = no). AD DCs are unaffected. CVE-2026-4480 is a parallel injection in the print-command path: the %J substitution in the print command smb.conf option is fed the client-controlled job description without sanitisation; guest printing is on by default and the prerequisites are raw / classic printing backend (not CUPS / iprint). ANSSI / CERT-FR advisory CERTFR-2026-AVI-0651 and the Samba-team announcement on oss-security corroborate the disclosure. No public exploit observed. Patch immediately; if a same-day patch is impossible, remove %u from check password script and wrap %J in single quotes in print command.