Samba fixes unauthenticated and low-privilege RCE flaws in SAMR and printing
Samba released security updates 4.24.3, 4.23.8, and 4.22.10 to fix six vulnerabilities affecting SMB, Active Directory, printing, and DCE/RPC components. The most serious issues are CVE-2026-4408 and CVE-2026-4480, command-injection flaws that can lead to remote code execution in specific configurations. CVE-2026-4408 affects the SAMR DCE/RPC service when samba-dcerpcd is used with the check password script option and unsafe %u expansion, while CVE-2026-4480 affects the printing subsystem because Samba passed a client-controlled job description through the %J substitution in print command without properly escaping shell metacharacters.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Debian publishes DSA-6297-1 for Samba
Debian issued security advisory DSA-6297-1 for Samba, indicating a downstream product security update related to the Samba vulnerabilities. The reference provides the advisory publication as a distinct vendor response event.
CVE-2026-4480 is recorded in vulnerability databases
CVE-2026-4480 was recorded as a Samba printing-subsystem vulnerability involving unescaped "%J" job descriptions passed to the configured print command. The entry described possible remote code execution by a low-privileged attacker and noted references added from Red Hat and Samba bug-tracking resources.
Samba issues security releases 4.24.3, 4.23.8, and 4.22.10
The Samba Team announced security releases 4.24.3, 4.23.8, and 4.22.10 to fix six vulnerabilities affecting SMB, Active Directory, printing, DCE/RPC, HTTP-related functionality, and the AD DC WINS server. The release highlighted severe issues including CVE-2026-4408 and CVE-2026-4480, which can enable remote code execution in specific configurations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Critical Samba Vulnerability Enables Remote Code Execution Attacks
cybersecuritynews.com
Open source[SECURITY] [DSA 6297-1] samba security update
lists.debian.org
Open sourceCVE-2026-4480 - Samba: samba: remote code execution in printing subsystem via unescaped job description
cvefeed.io
Open sourceoss-sec: Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
seclists.org
Open sourceSamba - Security Announcement Archive
samba.org
Open sourceSamba - Security Announcement Archive
samba.org
Open source[Announce] Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
lists.samba.org
Open source���������� � Samba, ����������� ���̣���� ���������� ���� � ������ �������������
opennet.me
Open source���������� � Samba, ����������� ���̣���� ���������� ���� � ������ �������������
opennet.ru
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Samba Command Injection Flaws Expose Internet-Facing Servers to Remote Takeover
Multiple critical Samba flaws have highlighted how non-default but dangerous configurations can turn exposed file-sharing infrastructure into a remote code execution path. `CVE-2025-10230` affects Samba's WINS server on Active Directory Domain Controllers when WINS support is enabled and a non-empty `wins hook` is configured, allowing an unauthenticated attacker to send a crafted WINS registration packet to UDP port `137` and inject shell metacharacters into a command executed by Samba, potentially with root privileges. Separately, `CVE-2026-4480` and `CVE-2026-4408`, both rated `CVSS 10.0`, affect Samba's printing subsystem and DCE/RPC SAMR server when administrators use vulnerable `print command` or `check password script` settings with `%J` or `%u` substitution characters. Samba issued fixes for the WINS flaw in versions `4.23.2`, `4.22.5`, and `4.21.9`, and for the later command-injection issues in `4.22.10`, `4.23.8`, and `4.24.3`. Reporting on internet exposure said more than 63,000 Samba assets were reachable on TCP `445`, underscoring the risk that misconfigured public SMB services could be used for server takeover, credential theft, ransomware deployment, and lateral movement. Defenders were urged to patch affected releases, audit `smb.conf` for risky `wins hook`, `print command`, and password-check script settings, monitor UDP `137` and SMB activity for suspicious behavior, and restrict external access with firewalls, VPNs, or IP allowlists.
Jun 29, 2026
Critical Samba WINS Command Injection Vulnerability Allowing Unauthenticated RCE on Domain Controllers
Samba has released a security update to address a critical remote command execution (RCE) vulnerability, tracked as CVE-2025-10230, which affects its Windows Internet Name Service (WINS) implementation when used as an Active Directory (AD) domain controller. The flaw arises because Samba does not strictly validate the wins hook script command when processing registration messages, allowing unauthenticated attackers to craft special hostnames that inject arbitrary commands into the target server. This vulnerability is rated with a maximum CVSS score of 10.0, indicating its severity and the potential for complete system compromise. The issue impacts multiple versions of Samba, specifically versions up to 4.23.1, 4.22.4, and 4.21.8, but only when Samba is configured as a domain controller with WINS support enabled and the wins hook parameter set. Systems running unaffected versions, such as Samba 4.23.2, 4.22.5, and 4.21.9 or later, are not vulnerable. The vulnerability allows attackers to execute commands with the privileges of the Samba process, which could lead to full control over the affected domain controller. Exploitation does not require authentication, significantly increasing the risk to exposed systems. Samba has released patched versions to address the flaw, and administrators are strongly urged to upgrade to the latest secure releases as soon as possible. As a temporary mitigation, organizations can disable the wins hook parameter and ensure that WINS support is not enabled unless absolutely necessary. The vulnerability is not enabled by default, but environments that have manually enabled WINS support and the wins hook parameter are at immediate risk. Security advisories recommend that users review their Samba configurations and apply the official patches or mitigations without delay. The flaw was publicly disclosed in mid-October 2025, and security researchers have highlighted the ease of exploitation and the critical nature of the risk. Organizations running Samba as an AD domain controller should prioritize remediation efforts to prevent potential compromise. The vulnerability underscores the importance of strict input validation and secure configuration practices in critical infrastructure components. The official Samba project has provided detailed guidance and download links for the patched versions. Failure to address this vulnerability could result in significant operational and security impacts, including domain-wide compromise and lateral movement by attackers. Security teams are advised to monitor for signs of exploitation and to audit their Samba deployments for vulnerable configurations.
Jun 29, 2026
Critical Drupal SAML SSO auth bypass and high-severity Samba flaws disclosed
Drupal disclosed **SA-CONTRIB-2026-031**, a critical authentication bypass vulnerability in the **SAML SSO - Service Provider** module affecting versions prior to `3.1.4`. The Canadian Centre for Cyber Security warned that organizations using the product should review Drupal’s guidance and apply the vendor update, as the flaw could allow unauthorized access through affected single sign-on deployments. Separately, Samba maintainers announced upcoming security releases for versions `4.22`, `4.23`, and `4.24` to address six vulnerabilities spanning file services, domain members, and Active Directory Domain Controller components. A follow-up correction said a **CVSS 10.0** file-services issue affects uncommon configurations rather than some configurations, and clarified that one Active Directory-related flaw impacts domain members rather than AD domain controllers; administrators were urged to deploy the Samba updates promptly after release.
Jun 29, 2026