Description
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is substituted into the command line and handed to the shell without proper escaping of shell meta-characters, so a username containing characters such as `;` or `$(...)` is interpreted as additional shell commands. This allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations in which "check password script" is set and uses %u, and in which the samba-dcerpcd service is started as a system service; configurations that do not set this option are not affected by this path.
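The following is an added illustration of the injection class described above; it is not Samba's code and does not reproduce Samba's internal template expansion. It contains a constructed smb.conf fragment, a small audit helper that flags any `check password script` setting using %u, and a stand-in for the substitution step showing the unquoted expansion beside a quoted one. The script path `/usr/local/bin/checkpw`, the `echo` template and the helper names are assumptions made for the example.

```python
# Added example for this advisory: illustrates the root-cause pattern behind
# CVE-2026-4408 with a stand-in for template expansion. Not Samba source code;
# config text, script path and helper names are assumptions for illustration.
import shlex
import subprocess

# Constructed smb.conf fragment (hypothetical host) showing the risky setting.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    # non-standard: client-chosen username handed to an external checker via %u
    check password script = /usr/local/bin/checkpw %u
"""


def find_check_password_script(conf_text):
    """Return (section, value) for every 'check password script' line.

    Minimal smb.conf reader: [section] headers, 'key = value' pairs, and
    comment lines starting with ';' or '#'. Sufficient for a quick audit.
    """
    hits = []
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "check password script":
            hits.append((section, value.strip()))
    return hits


def risky_settings(conf_text):
    """Settings matching the advisory: a check password script that uses %u."""
    return [(s, v) for s, v in find_check_password_script(conf_text) if "%u" in v]


def expand_unsafe(template, username):
    """Naive substitution: the username lands in the shell command line verbatim."""
    return template.replace("%u", username)


def expand_safe(template, username):
    """Same substitution with shell quoting, so metacharacters stay literal."""
    return template.replace("%u", shlex.quote(username))


def run_via_shell(command):
    """Execute the expanded command the way a system()/popen-style caller would."""
    return subprocess.run(["sh", "-c", command], capture_output=True, text=True).stdout


# Benign template standing in for the real checker, and an attacker-chosen
# username carrying a shell metacharacter (constructed test input).
TEMPLATE = "echo checking %u"
PAYLOAD = "alice; echo INJECTED"

if __name__ == "__main__":
    print("flagged:", risky_settings(SAMPLE_SMB_CONF))
    print(run_via_shell(expand_unsafe(TEMPLATE, PAYLOAD)), end="")  # second line INJECTED
    print(run_via_shell(expand_safe(TEMPLATE, PAYLOAD)), end="")    # payload echoed literally
```

Running `risky_settings` over a live `/etc/samba/smb.conf` is a quick way to confirm whether a host is in the affected configuration. The quoted variant shows one way the substitution could have been hardened; it is not a description of the upstream patch, and the supported remediation is the updated packages listed under the RHSA references (or removing %u from the option until the update is applied). Stronger still is to execute the checker with an argument vector and no shell at all, so there is no command line to inject into.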
Problem types
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
0:4.23.5-109.el10_2 (rpm) before *
0:4.19.4-16.el8_10 (rpm) before *
Timeline
| Date | Event |
| --- | --- |
| 2026-05-19 | Reported to Red Hat. |
| 2026-05-26 | Made public. |
Credits
Red Hat would like to thank John Walker (ZeroPath) and Ron Ben Yizhak (SafeBreach) for reporting this issue.
References
access.redhat.com/errata/RHSA-2026:22644 (RHSA-2026:22644)
access.redhat.com/errata/RHSA-2026:22963 (RHSA-2026:22963)
access.redhat.com/security/cve/CVE-2026-4408
bugzilla.redhat.com/show_bug.cgi?id=2479762 (RHBZ#2479762)
bugzilla.samba.org/show_bug.cgi?id=16034