oss-sec mailing list archives
Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
From: Douglas Bagnall <douglas.bagnall () catalyst net nz>
Date: Wed, 27 May 2026 16:39:06 +1200
-------- Forwarded Message --------Subject: [Announce] Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
Date: Tue, 26 May 2026 14:29:50 +0200From: Stefan Metzmacher via samba-technical <samba-technical () lists samba org>
Reply-To: Stefan Metzmacher <metze () samba org>To: samba-announce () lists samba org, samba () lists samba org, samba-technical () lists samba org
Release Announcements
---------------------
This is a security release in order to address the following defects:
o CVE-2026-1933: Missing access checks on reparse point operations
On a share marked "read only = yes" and
on file handles opened R/O users can set
or delete the reparse point xattrs on files
that the user has write-access in the file
system for.
https://www.samba.org/samba/security/CVE-2026-1933.html
o CVE-2026-2340: WORM vfs module does not block overwrites
The WORM (Write-Once, Read Many) vfs module
is supposed to lock write access to shared
files, so they cannot be altered after initial
writes. It was allowing files to be overwritten
by renaming a newly created file over a protected
file.
https://www.samba.org/samba/security/CVE-2026-2340.html
o CVE-2026-3012: auto-enrolment GPO installing CA certificate over http
without verification
To bootstrap a certificate chain a domain member must
fetch a certificate without TLS. It was trusting HTTP
for this when a more secure encrypted LDAP channel
was also available.
https://www.samba.org/samba/security/CVE-2026-3012.html
o CVE-2026-3238: Denial of service against AD DC WINS server
The WINS server component of the Active
Directory Domain controller code in Samba
is vulnerable to a NULL pointer dereference
and crash caused by a unauthenticated UDP
packet.
https://www.samba.org/samba/security/CVE-2026-3238.html
o CVE-2026-4408: Unauthenticated Remote Code Execution in Samba
DCE/RPC SAMR
server
Samba file servers and classic (non-AD) domain
controllers
with samba-dcerpcd started as a system service and
with a
"check password script" that has the %u substitution
character are vulnerable to a remote code execution.
https://www.samba.org/samba/security/CVE-2026-4408.html
o CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing
subsystem
Samba print servers with a "print command"
that has the %J substitution character
are vulnerable to a Remote Code Execution.
https://www.samba.org/samba/security/CVE-2026-4480.html
Changes
-------
o Douglas Bagnall <douglas.bagnall () catalyst net nz>
* BUG 15997: CVE-2026-2340
* BUG 16003: CVE-2026-3012
* BUG 16033: CVE-2026-4480
* BUG 16034: CVE-2026-4408
o Pavel Kohout <pavel () aisle com>
* BUG 15997: CVE-2026-2340
o Volker Lendecke <vl () samba org>
* BUG 15992: CVE-2026-1933
* BUG 16012: CVE-2026-3238
o Stefan Metzmacher <metze () samba org>
* BUG 15992: CVE-2026-1933
* BUG 16033: CVE-2026-4480
* BUG 16034: CVE-2026-4408
* BUG 16059: (4.23-only) CVE-2026-40170: thirdparty ngtcp2 needs to
be updated
* BUG 16073: (4.22/23-only) Winbind can change Ownership Of / To A
User Who
has Homedir / In passwd
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
================
Download Details
================
The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.24.3.html
https://www.samba.org/samba/history/samba-4.23.8.html
https://www.samba.org/samba/history/samba-4.22.10.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
Current thread:
- Heads-up: Upcoming Samba security releases (2026-04-09) Douglas Bagnall (Apr 05)
- Re: Heads-up: Upcoming Samba security releases (2026-04-09) Douglas Bagnall (Apr 07)
- Re: Re: Heads-up: Upcoming Samba security releases (2026-04-09) Douglas Bagnall (Apr 08)
- Heads-up: Upcoming Samba security releases (2026-05-26) Douglas Bagnall (May 19)
- Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download Douglas Bagnall (May 26)
- Re: Re: Heads-up: Upcoming Samba security releases (2026-04-09) Douglas Bagnall (Apr 08)
- Re: Heads-up: Upcoming Samba security releases (2026-04-09) Douglas Bagnall (Apr 07)
