Bug 2497358

Summary: CVE-2026-4408 samba: Remote Code Execution in SAMR [fedora-all]
Product: [Fedora] Fedora Reporter: Sandipan Roy <saroy>
Component: sambaAssignee: Guenther Deschner <gdeschner>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: rawhideCC: abokovoy, anoopcs, asn, gdeschner, pfilipen, sbose, ssorce
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["44ead5f6-1b67-4e9f-83f0-6f72a3ccd913"]}
Fixed In Version: samba-4.24.3-1.fc45 samba-4.24.3-1.fc44 samba-4.23.8-1.fc43 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-07-10 13:53:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2479762    

Description Sandipan Roy 2026-07-06 14:35:43 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Samba file servers and classic (non-AD) domain controllers offer the
SamValidatePasswordChange and SamValidatePasswordReset RPC services on the
SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a
username and password to the "check password script" that can be configured
in smb.conf.

If the "check password script" is configured with the %u
substitution character, the client-controlled username is passed to
the "check password script" without escaping shell meta-characters,
leading to a remote command execution vulnerability.

This is a non-standard configuration in several ways:

It affects Samba file servers and classic (non-AD) domain controllers
that have the "check password script" configured with the %u
substitution character. Active Directory Domain Controllers are not
affected, they do not expand the username via the %u substitution
character.

The problem is much less dangerous if %u has single quotes directly
around it, e.g. '%u', but it's still possible to inject
command line options.

Standard Samba file servers and classic domain controllers are also
only affected if the samba-dcerpcd service is started as a system
service, which can only happen if "rpc start on demand helpers" is set
to the non-default setting "no". In the default configuration for
DCE/RPC, smbd starts the samba-dcerpcd in a way that makes the
vulnerable code inaccessible.