Bug 2497358 - CVE-2026-4408 samba: Remote Code Execution in SAMR [fedora-all]
Summary: CVE-2026-4408 samba: Remote Code Execution in SAMR [fedora-all]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["44ead5f6-1b67-4e9f-83f0-6...
Depends On:
Blocks: CVE-2026-4408
TreeView+ depends on / blocked
 
Reported: 2026-07-06 14:35 UTC by Sandipan Roy
Modified: 2026-07-10 13:53 UTC (History)
7 users (show)

Fixed In Version: samba-4.24.3-1.fc45 samba-4.24.3-1.fc44 samba-4.23.8-1.fc43
Clone Of:
Environment:
Last Closed: 2026-07-10 13:53:00 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Sandipan Roy 2026-07-06 14:35:43 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Samba file servers and classic (non-AD) domain controllers offer the
SamValidatePasswordChange and SamValidatePasswordReset RPC services on the
SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a
username and password to the "check password script" that can be configured
in smb.conf.

If the "check password script" is configured with the %u
substitution character, the client-controlled username is passed to
the "check password script" without escaping shell meta-characters,
leading to a remote command execution vulnerability.

This is a non-standard configuration in several ways:

It affects Samba file servers and classic (non-AD) domain controllers
that have the "check password script" configured with the %u
substitution character. Active Directory Domain Controllers are not
affected, they do not expand the username via the %u substitution
character.

The problem is much less dangerous if %u has single quotes directly
around it, e.g. '%u', but it's still possible to inject
command line options.

Standard Samba file servers and classic domain controllers are also
only affected if the samba-dcerpcd service is started as a system
service, which can only happen if "rpc start on demand helpers" is set
to the non-default setting "no". In the default configuration for
DCE/RPC, smbd starts the samba-dcerpcd in a way that makes the
vulnerable code inaccessible.


Note You need to log in before you can comment on or make changes to this bug.