ctipilot.ch

Samba print-command subsystem — unauthenticated shell injection via %J substitution; raw/classic printing only (CVSS 10.0)

cve · CVE-2026-4480

Coverage timeline
2
first 2026-05-25 → last 2026-05-31
Peak priority
high
2 high
Sources cited
4
3 hosts
Sections touched
2
trending-vulnerabilities, weekly-top-stories
Co-occurring entities
1
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-29CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
    trending-vulnerabilities
  2. 2026-05-25CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
    weekly-top-stories

Where this entity is cited

  • weekly-top-stories1
  • trending-vulnerabilities1

Source distribution

  • samba.org2 (50%)
  • cert.ssi.gouv.fr1 (25%)
  • openwall.com1 (25%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Samba print-command subsystem — unauthenticated shell injection via %J substitution; raw/classic printing only (CVSS 10.0) (2)

2026-05-29 · view entry permalink →

CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)

The Samba Project shipped coordinated releases 4.22.10 / 4.23.8 / 4.24.3 on 2026-05-27 covering six CVEs; two reach CVSS 10.0. CVE-2026-4408 is a shell-metacharacter injection in SamValidatePasswordChange and SamValidatePasswordReset RPC handlers in the Samba DCE/RPC SAMR server — the client-controlled username is substituted into the check password script smb.conf option via %u without escaping. Prerequisites are non-default but real: a check password script containing %u must be configured, and samba-dcerpcd must be running as a system service (which requires the non-default rpc start on demand helpers = no). AD DCs are unaffected. CVE-2026-4480 is a parallel injection in the print-command path: the %J substitution in the print command smb.conf option is fed the client-controlled job description without sanitisation; guest printing is on by default and the prerequisites are raw / classic printing backend (not CUPS / iprint). ANSSI / CERT-FR advisory CERTFR-2026-AVI-0651 and the Samba-team announcement on oss-security corroborate the disclosure. No public exploit observed. Patch immediately; if a same-day patch is impossible, remove %u from check password script and wrap %J in single quotes in print command.

the client-controlled username is passed to the 'check password script' without escaping shell meta-characters

Samba Project

Unauthenticated Remote Code Execution in Samba printing subsystem

oss-security / Samba team
vulnerability29 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week

If you did nothing this week: unpatched Samba servers expose two unauthenticated remote-code-execution paths rated CVSS 10.0. There is no public confirmation of in-the-wild exploitation yet — but the disclosure-to-exploit interval on a pre-auth 10.0 in software this ubiquitous is the gap a SOC manager should assume is closing, not open.

The Samba project disclosed (2026-05-27, covered 2026-05-29) that a client-controlled username is passed to the "check password script" without escaping shell metacharacters (CVE-2026-4408) — this path is reachable only where a check password script (%u) is configured and samba-dcerpcd runs as a service, i.e. a non-default but common enterprise configuration — alongside a separate unauthenticated RCE in the printing subsystem (CVE-2026-4480), which is reachable where %J is used in the print command (CUPS/IPP backends are unaffected). Both 10.0 paths therefore depend on specific — non-default but common in enterprise estates — print and authentication configurations rather than affecting every install. CERT-FR issued CERTFR-2026-AVI-0651. Samba underpins a large share of public-sector, education and healthcare file-sharing and, in some estates, the AD domain controller. Patch to the fixed builds; where patching lags, disable the printing path, audit for the check password script setting, and restrict SMB reachability — this is the week's highest-severity item where the gap between exposure and compromise is whether the patch landed before someone weaponises a 10.0.

synthesis25 May 05:00Zmulti-sourceOpen finding ↗