Samba file servers and classic (non-AD) domain controllers expose the SamValidatePasswordChange and SamValidatePasswordReset RPC calls on the SAMR DCE/RPC service when it runs over NCACN_IP_TCP. Both calls pass a username and password to the "check password script" that can be configured in smb.conf. If the "check password script" is configured with the %u substitution character, the client-controlled username is passed to the script without escaping shell meta-characters, leading to a remote command execution vulnerability.

This is a non-standard configuration in several ways. It affects Samba file servers and classic (non-AD) domain controllers that have the "check password script" configured with the %u substitution character. Active Directory Domain Controllers are not affected, because they do not expand the username via the %u substitution character. The problem is much less dangerous if %u has single quotes directly around it, e.g. '%u', but it is still possible to inject command line options. Standard Samba file servers and classic domain controllers are also only affected if the samba-dcerpcd service is started as a system service, which can only happen if "rpc start on demand helpers" is set to the non-default value "no". In the default DCE/RPC configuration, smbd starts samba-dcerpcd in a way that makes the vulnerable code inaccessible.
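The exposure depends on three smb.conf settings taken together ("check password script" containing %u, "rpc start on demand helpers" forced to "no", and a non-AD server role), so a defender wants a quick way to audit a configuration for that combination. The following script is an added example and not Samba code or part of the advisory; the sample configurations, the script path /usr/local/bin/check-pw.sh and the verdict labels are constructed for illustration. It parses the [global] section the way Samba reads parameter names (case and whitespace insensitive, "#"/";" comment lines ignored), treats the documented default of "rpc start on demand helpers = yes" as unreachable, and distinguishes the quoted '%u' case, which the advisory describes as reduced but not eliminated risk.

```python
"""Audit an smb.conf [global] section for the "check password script" %u
exposure described in the advisory.  Added example, not Samba code; the
sample configurations below are constructed for illustration."""
import re
from typing import Dict

# Constructed sample configurations (hypothetical script path, not from the advisory).
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    # samba-dcerpcd started as a system service: SAMR reachable over ncacn_ip_tcp
    rpc start on demand helpers = no
    check password script = /usr/local/bin/check-pw.sh %u
"""

QUOTED_CONF = """
[global]
    rpc start on demand helpers = no
    check password script = /usr/local/bin/check-pw.sh '%u'
"""

DEFAULT_HELPERS_CONF = """
[global]
    ; "rpc start on demand helpers" left at its default (yes)
    check password script = /usr/local/bin/check-pw.sh %u
"""

AD_DC_CONF = """
[global]
    server role = active directory domain controller
    rpc start on demand helpers = no
    check password script = /usr/local/bin/check-pw.sh %u
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return the parameters of the [global] section.

    Samba ignores case and whitespace in parameter names, so keys are
    normalised to lowercase with whitespace removed ("check password script"
    -> "checkpasswordscript").  Lines starting with '#' or ';' are comments.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def samba_bool(value: str, default: bool) -> bool:
    """Interpret a Samba boolean (yes/no, true/false, 1/0); fall back to default."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def assess(conf: str) -> Dict[str, object]:
    """Classify a configuration as 'vulnerable', 'reduced' or 'not affected'."""
    g = parse_global(conf)
    script = g.get("checkpasswordscript", "")
    # The default "rpc start on demand helpers = yes" keeps the vulnerable
    # code path unreachable; only an explicit "no" exposes it.
    helpers_on_demand = samba_bool(g.get("rpcstartondemandhelpers", "yes"), True)
    # Simplification (assumption): only an explicit AD DC "server role" counts
    # as AD; the real default "auto" resolves to a standalone or member role.
    ad_dc = "active directory" in g.get("serverrole", "auto").lower()

    uses_u = "%u" in script
    single_quoted = "'%u'" in script
    reachable = uses_u and not helpers_on_demand and not ad_dc

    if not reachable:
        verdict = "not affected"
    elif single_quoted:
        verdict = "reduced"      # shell metacharacters neutralised, option injection remains
    else:
        verdict = "vulnerable"
    return {
        "verdict": verdict,
        "check_password_script": script,
        "uses_%u": uses_u,
        "rpc_start_on_demand_helpers": helpers_on_demand,
        "ad_dc": ad_dc,
    }


if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_CONF), ("quoted", QUOTED_CONF),
                       ("default helpers", DEFAULT_HELPERS_CONF), ("ad dc", AD_DC_CONF)]:
        print(f"{name:16s} -> {assess(conf)['verdict']}")
```

Any configuration that comes back "vulnerable" or "reduced" is fixed by removing %u from the "check password script" (or by returning "rpc start on demand helpers" to its default) in addition to applying the vendor update; the "reduced" verdict is deliberately not treated as safe, since the advisory notes that single quotes only stop shell metacharacters, not injected command line options.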
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8 via RHSA-2026:22644: https://access.redhat.com/errata/RHSA-2026:22644
Red Hat Enterprise Linux 10 via RHSA-2026:22963: https://access.redhat.com/errata/RHSA-2026:22963
Red Hat Enterprise Linux 9 via RHSA-2026:25049: https://access.redhat.com/errata/RHSA-2026:25049