Daily brief 2026-05-29
CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
Part of run 2026-05-29-c7f56b00 (intel · Claude Opus 4.7)
The Samba Project shipped coordinated releases 4.22.10 / 4.23.8 / 4.24.3 on 2026-05-27 covering six CVEs; two reach CVSS 10.0.

CVE-2026-4408 is a shell-metacharacter injection in the SamValidatePasswordChange and SamValidatePasswordReset RPC handlers of the Samba DCE/RPC SAMR server: the client-controlled username is substituted into the check password script smb.conf option via %u without escaping. Prerequisites are non-default but real: a check password script containing %u must be configured, and samba-dcerpcd must be running as a system service (which requires the non-default rpc start on demand helpers = no). AD DCs are unaffected.

CVE-2026-4480 is a parallel injection in the print-command path: the %J substitution in the print command smb.conf option is fed the client-controlled job description without sanitisation. Guest printing is on by default, and the vulnerable path requires a raw / classic printing backend (not CUPS / iprint).

ANSSI / CERT-FR advisory CERTFR-2026-AVI-0651 and the Samba-team announcement on oss-security corroborate the disclosure. No public exploit observed. Patch immediately; if a same-day patch is impossible, remove %u from check password script and wrap %J in single quotes in print command.
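A configuration audit for the two preconditions the brief names, written here as an added example (not Samba project code): it parses an smb.conf, flags %u in check password script when rpc start on demand helpers = no, and flags an unquoted %J in print command on a classic backend. The smb.conf fragments are constructed, the set of classic backend names is an assumption, and the single-quote check only mirrors the brief's interim mitigation.

```python
"""Audit smb.conf for the CVE-2026-4408 / CVE-2026-4480 preconditions (added example)."""

# Assumed list of non-CUPS/iprint backends treated as "raw / classic" printing.
CLASSIC_PRINTING = {"bsd", "sysv", "lprng", "plp", "aix", "hpux", "qnx"}

# Constructed sample: both risky settings present.
SAMPLE_VULNERABLE = """\
[global]
   workgroup = WORKGROUP
   rpc start on demand helpers = no
   check password script = /usr/local/bin/pwcheck %u
   printing = bsd
[printers]
   path = /var/spool/samba
   guest ok = yes
   print command = lpr -P%p -J%J %s
"""

# Constructed sample after the brief's interim mitigations are applied.
SAMPLE_HARDENED = SAMPLE_VULNERABLE.replace("pwcheck %u", "pwcheck").replace("-J%J", "-J'%J'")

def parse_smb_conf(text):
    """Minimal ini parser: {section: {key: value}} with section and key names
    lower-cased and inner whitespace collapsed, the way Samba treats parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means neither precondition is met."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # CVE-2026-4408: %u reaches 'check password script' and samba-dcerpcd runs as a service.
    on_demand = g.get("rpc start on demand helpers", "yes").lower()
    if "%u" in g.get("check password script", "") and on_demand in ("no", "false", "0"):
        findings.append("CVE-2026-4408: 'check password script' uses %u with rpc start on demand helpers = no")
    # CVE-2026-4480: per share, 'print command' passes %J unquoted on a classic backend.
    # Shares inherit 'printing' and 'print command' from [global]; unset 'printing' is not flagged.
    for name, sec in conf.items():
        printing = sec.get("printing", g.get("printing", "")).lower()
        cmd = sec.get("print command", g.get("print command", ""))
        if printing in CLASSIC_PRINTING and "%J" in cmd and "'%J'" not in cmd:
            findings.append(f"CVE-2026-4480: [{name}] print command passes %J unquoted (printing = {printing})")
    return findings
```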
“the client-controlled username is passed to the 'check password script' without escaping shell meta-characters” — Samba Project
“Unauthenticated Remote Code Execution in Samba printing subsystem” — oss-security / Samba team