Home / mailings [USN-8306-1] Samba vulnerabilities
Posted on 26 May 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8306-1
May 26, 2026
samba vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Samba.
Software Description:
- samba: SMB/CIFS file, print, and login server for Unix
Details:
Asim Viladi Oglu Manizada discovered that Samba incorrectly handled access
checks on reparse point operations. An attacker could possibly use this
issue to modify reparse point extended attributes on files that should have
been read-only. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-1933)
Pavel Kohout discovered that Samba's vfs_worm module did not properly block
file overwrites. An attacker could possibly use this issue to overwrite
files that should have remained immutable. (CVE-2026-2340)
Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly
handled certificate auto-enrolment group policies over HTTP without
verification. A machine-in-the-middle attacker could possibly use this
issue to install a malicious CA certificate. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-3012)
Arad Inbar, Erez Cohen, Nir Somech, and Ben Grinberg discovered that
Samba's Active Directory Domain Controller WINS server could be made to
crash under certain circumstances. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2026-3238)
Ron Ben Yizhak discovered that Samba's DCE/RPC SAMR server incorrectly
handled a non-default password check script configuration. A remote
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-4408)
Ron Ben Yizhak discovered that Samba's printing subsystem incorrectly
handled a non-default print command configuration. A remote attacker could
possibly use this issue to execute arbitrary code. (CVE-2026-4480)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
samba 2:4.23.6+dfsg-1ubuntu2.1
Ubuntu 25.10
samba 2:4.22.3+dfsg-4ubuntu2.4
Ubuntu 24.04 LTS
samba 2:4.19.5+dfsg-4ubuntu9.6
Ubuntu 22.04 LTS
samba 2:4.15.13+dfsg-0ubuntu1.12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8306-1
CVE-2026-1933, CVE-2026-2340, CVE-2026-3012, CVE-2026-3238,
CVE-2026-4408, CVE-2026-4480
Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.23.6+dfsg-1ubuntu2.1
https://launchpad.net/ubuntu/+source/samba/2:4.22.3+dfsg-4ubuntu2.4
https://launchpad.net/ubuntu/+source/samba/2:4.19.5+dfsg-4ubuntu9.6
https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.12
--===============6600879021882707601==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
