Message-ID: <f591083f-b117-4829-a7dc-f8214cb5848e@catalyst.net.nz>
Date: Wed, 27 May 2026 16:39:06 +1200
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
To: oss-security@...ts.openwall.com
Subject: Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
-------- Forwarded Message --------
Subject: [Announce] Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download
Date: Tue, 26 May 2026 14:29:50 +0200
From: Stefan Metzmacher via samba-technical <samba-technical@...ts.samba.org>
Reply-To: Stefan Metzmacher <metze@...ba.org>
To: samba-announce@...ts.samba.org, samba@...ts.samba.org, samba-technical@...ts.samba.org
Release Announcements
---------------------
This is a security release in order to address the following defects:
o CVE-2026-1933: Missing access checks on reparse point operations

   On a share marked "read only = yes", and on file handles opened
   read-only, users can set or delete the reparse point xattrs on files
   that the user has write access to in the file system.

   https://www.samba.org/samba/security/CVE-2026-1933.html
o CVE-2026-2340: WORM vfs module does not block overwrites

   The WORM (Write-Once, Read Many) vfs module is supposed to lock write
   access to shared files, so they cannot be altered after initial
   writes. It was allowing files to be overwritten by renaming a newly
   created file over a protected file.

   https://www.samba.org/samba/security/CVE-2026-2340.html
o CVE-2026-3012: auto-enrolment GPO installing CA certificate over http
  without verification

   To bootstrap a certificate chain, a domain member must fetch a
   certificate without TLS. It was trusting HTTP for this when a more
   secure encrypted LDAP channel was also available.

   https://www.samba.org/samba/security/CVE-2026-3012.html
o CVE-2026-3238: Denial of service against AD DC WINS server

   The WINS server component of the Active Directory Domain Controller
   code in Samba is vulnerable to a NULL pointer dereference and crash
   caused by an unauthenticated UDP packet.

   https://www.samba.org/samba/security/CVE-2026-3238.html
o CVE-2026-4408: Unauthenticated Remote Code Execution in Samba DCE/RPC
  SAMR server

   Samba file servers and classic (non-AD) domain controllers with
   samba-dcerpcd started as a system service and with a "check password
   script" that has the %u substitution character are vulnerable to a
   remote code execution.

   https://www.samba.org/samba/security/CVE-2026-4408.html
o CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing
  subsystem

   Samba print servers with a "print command" that has the %J
   substitution character are vulnerable to a Remote Code Execution.

   https://www.samba.org/samba/security/CVE-2026-4480.html
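As an added example (not part of the announcement and not Samba project code), a small smb.conf audit for the two substitution characters named above: %u in "check password script" (CVE-2026-4408) and %J in "print command" (CVE-2026-4480). The sample configuration is constructed; the other precondition for CVE-2026-4408, samba-dcerpcd running as a system service, is not visible in smb.conf and must be checked separately.

```python
import re

# Constructed smb.conf sample for this example (not from the announcement).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   ; a check password script using %u is one precondition for CVE-2026-4408
   Check Password Script = /usr/local/bin/pwcheck %u

[printers]
   printable = yes
   print command = lpr -P %p -J "%J" %s ; rm %s
"""
# normalised parameter name -> (substitution the announcement names, CVE)
RISKY = {
    "checkpasswordscript": ("%u", "CVE-2026-4408"),
    "printcommand": ("%J", "CVE-2026-4480"),
}

def normalise(name: str) -> str:
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> dict:
    # Minimal parser: {section: {param: value}}; '#' and ';' lines are comments.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise(key)] = value.strip()
    return sections

def audit(text: str) -> list:
    # Return sorted (section, parameter, CVE) for each risky substitution found.
    findings = []
    for section, params in parse_smb_conf(text).items():
        for param, (token, cve) in RISKY.items():
            if token in params.get(param, ""):
                findings.append((section, param, cve))
    return sorted(findings)

print(audit(SAMPLE_SMB_CONF))
```

A hit means the host should be on 4.24.3, 4.23.8 or 4.22.10, or the substitution removed from the command in the meantime.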
Changes
-------
o Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
* BUG 15997: CVE-2026-2340
* BUG 16003: CVE-2026-3012
* BUG 16033: CVE-2026-4480
* BUG 16034: CVE-2026-4408
o Pavel Kohout <pavel@...le.com>
* BUG 15997: CVE-2026-2340
o Volker Lendecke <vl@...ba.org>
* BUG 15992: CVE-2026-1933
* BUG 16012: CVE-2026-3238
o Stefan Metzmacher <metze@...ba.org>
* BUG 15992: CVE-2026-1933
* BUG 16033: CVE-2026-4480
* BUG 16034: CVE-2026-4408
* BUG 16059: (4.23-only) CVE-2026-40170: thirdparty ngtcp2 needs to be updated
* BUG 16073: (4.22/23-only) Winbind can change Ownership Of / To A User Who has Homedir / In passwd
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
================
Download Details
================
The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.24.3.html
https://www.samba.org/samba/history/samba-4.23.8.html
https://www.samba.org/samba/history/samba-4.22.10.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team