Fedora Account System
Red Hat Associate
Red Hat Customer
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. Samba file servers and classic (non-AD) domain controllers offer the SamValidatePasswordChange and SamValidatePasswordReset RPC services on the SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a username and password to the "check password script" that can be configured in smb.conf. If the "check password script" is configured with the %u substitution character, the client-controlled username is passed to the "check password script" without escaping shell meta-characters, leading to a remote command execution vulnerability. This is a non-standard configuration in several ways: It affects Samba file servers and classic (non-AD) domain controllers that have the "check password script" configured with the %u substitution character. Active Directory Domain Controllers are not affected, they do not expand the username via the %u substitution character. The problem is much less dangerous if %u has single quotes directly around it, e.g. '%u', but it's still possible to inject command line options. Standard Samba file servers and classic domain controllers are also only affected if the samba-dcerpcd service is started as a system service, which can only happen if "rpc start on demand helpers" is set to the non-default setting "no". In the default configuration for DCE/RPC, smbd starts the samba-dcerpcd in a way that makes the vulnerable code inaccessible.
Adressed already with last security updates: F45 https://bodhi.fedoraproject.org/updates/FEDORA-2026-9b08621bdc F44 https://bodhi.fedoraproject.org/updates/FEDORA-2026-7567819345 F43 https://bodhi.fedoraproject.org/updates/FEDORA-2026-fc81581a79