-------- Forwarded Message --------
Subject: [Announce] Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
Date: Tue, 26 May 2026 14:29:50 +0200
From: Stefan Metzmacher via samba-technical <[email protected]>
Reply-To: Stefan Metzmacher <[email protected]>
To: [email protected], [email protected], [email protected]

Release Announcements
---------------------

This is a security release in order to address the following defects:

o CVE-2026-1933:   Missing access checks on reparse point operations

                   On a share marked "read only = yes", and on
                   file handles opened read-only, users can set
                   or delete the reparse point xattrs of files
                   that they have write access to in the file
                   system.

                   https://www.samba.org/samba/security/CVE-2026-1933.html


o CVE-2026-2340:   WORM vfs module does not block overwrites

                   The WORM (Write-Once, Read Many) vfs module
                   is supposed to lock write access to shared
                   files, so they cannot be altered after initial
                   writes. It was allowing files to be overwritten
                   by renaming a newly created file over a protected
                   file.

                   https://www.samba.org/samba/security/CVE-2026-2340.html


o CVE-2026-3012:   auto-enrolment GPO installing CA certificate over http
                   without verification

                   To bootstrap a certificate chain a domain member must
                   fetch a certificate without TLS. It was trusting HTTP
                   for this when a more secure encrypted LDAP channel
                   was also available.

                   https://www.samba.org/samba/security/CVE-2026-3012.html


o CVE-2026-3238:   Denial of service against AD DC WINS server

                   The WINS server component of the Active
                   Directory Domain controller code in Samba
                   is vulnerable to a NULL pointer dereference
                   and crash caused by an unauthenticated UDP
                   packet.

                   https://www.samba.org/samba/security/CVE-2026-3238.html


o CVE-2026-4408:   Unauthenticated Remote Code Execution in Samba DCE/RPC SAMR
                   server

                   Samba file servers and classic (non-AD) domain
                   controllers with samba-dcerpcd started as a system
                   service and with a "check password script" that has
                   the %u substitution character are vulnerable to a
                   remote code execution.

                   https://www.samba.org/samba/security/CVE-2026-4408.html


o CVE-2026-4480:   Unauthenticated Remote Code Execution in Samba printing
                   subsystem

                   Samba print servers with a "print command"
                   that has the %J substitution character
                   are vulnerable to a Remote Code Execution.

                   https://www.samba.org/samba/security/CVE-2026-4480.html
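The two remote code execution issues above (CVE-2026-4408 and CVE-2026-4480) are
both tied to a specific smb.conf setting: a "check password script" that uses
the %u substitution, and a "print command" that uses the %J substitution.
Administrators who cannot update immediately will want to know whether a given
configuration matches either pattern. The script below is an added example for
this announcement, not Samba project code; it parses a constructed sample
smb.conf embedded inline and reports which sections carry either parameter
with the substitution character the announcement names. It relies on one
Samba behaviour, namely that parameter names are matched ignoring case and
embedded whitespace, so "Check Password Script" and "checkpasswordscript" are
the same parameter.

```python
"""Audit an smb.conf for the two configuration patterns named in the
Samba 4.24.3 / 4.23.8 / 4.22.10 announcement:

  - "check password script" containing %u  (CVE-2026-4408)
  - "print command"         containing %J  (CVE-2026-4480)

Added example, not part of the Samba project. The sample configuration
below is constructed for illustration only.
"""

import re
from dataclasses import dataclass

# Normalised parameter name, substitution character to flag, CVE from the announcement.
AT_RISK = [
    ("checkpasswordscript", "%u", "CVE-2026-4408"),
    ("printcommand", "%J", "CVE-2026-4480"),
]

# Constructed sample smb.conf: one exposed [global] and one exposed [printers] section.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   ; constructed sample: pattern named for CVE-2026-4408
   check password script = /usr/local/bin/checkpw %u
   print command = lpr -P %p %s

[printers]
   path = /var/spool/samba
   printable = yes
   # constructed sample: pattern named for CVE-2026-4480
   print command = /usr/local/bin/print-wrapper %J %s

[data]
   path = /srv/data
   read only = yes
"""


@dataclass(frozen=True)
class Finding:
    section: str
    parameter: str
    value: str
    cve: str


def _normalise(name: str) -> str:
    # Samba matches parameter names case-insensitively and ignores embedded whitespace.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal [section] / key = value parser; '#' and ';' start comment lines."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_normalise(key)] = value.strip()
    return sections


def audit(text: str) -> list[Finding]:
    """Return one Finding per section whose parameter value carries the flagged substitution."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for param, marker, cve in AT_RISK:
            value = params.get(param)
            if value is not None and marker in value:
                findings.append(Finding(section, param, value, cve))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SMB_CONF):
        print(f"[{f.section}] {f.parameter} = {f.value}  ->  {f.cve}")
```

To run it against a live host, replace SAMPLE_SMB_CONF with the output of
`testparm -s`, which prints the parsed configuration with include files
resolved, so a parameter set in an included file is not missed. A match
only tells you the configuration contains the pattern the announcement
names; the fix itself is the updated Samba release.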


Changes
-------

o  Douglas Bagnall <[email protected]>
   * BUG 15997: CVE-2026-2340
   * BUG 16003: CVE-2026-3012
   * BUG 16033: CVE-2026-4480
   * BUG 16034: CVE-2026-4408

o  Pavel Kohout <[email protected]>
   * BUG 15997: CVE-2026-2340

o  Volker Lendecke <[email protected]>
   * BUG 15992: CVE-2026-1933
   * BUG 16012: CVE-2026-3238

o  Stefan Metzmacher <[email protected]>
   * BUG 15992: CVE-2026-1933
   * BUG 16033: CVE-2026-4480
   * BUG 16034: CVE-2026-4408
   * BUG 16059: (4.23-only) CVE-2026-40170: thirdparty ngtcp2 needs to be updated
   * BUG 16073: (4.22/23-only) Winbind can change Ownership Of / To A User Who
     has Homedir / In passwd

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.24.3.html
        https://www.samba.org/samba/history/samba-4.23.8.html
        https://www.samba.org/samba/history/samba-4.22.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
