Samba Remote Cmd Exec via Unsanitized %u in check password script
CVE-2026-4408 Published on May 28, 2026
Samba: remote code execution in samr
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
Vulnerability Analysis
CVE-2026-4408 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Timeline
Reported to Red Hat.
Made public. 7 days later.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-4408 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-4408
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-4408 are published in these products:
Affected Versions
Red Hat Enterprise Linux 10:- Version 0:4.23.5-109.el10_2 and below * is unaffected.
- Version 0:4.21.3-114.el10_0.1 and below * is unaffected.
- Version 0:4.10.16-26.el7_9.1 and below * is unaffected.
- Version 0:4.10.16-26.el7_9.1 and below * is unaffected.
- Version 0:4.19.4-16.el8_10 and below * is unaffected.
- Version 0:4.19.4-16.el8_10 and below * is unaffected.
- Version 0:4.13.3-12.el8_4.1 and below * is unaffected.
- Version 0:4.13.3-12.el8_4.1 and below * is unaffected.
- Version 0:4.15.5-16.el8_6.1 and below * is unaffected.
- Version 0:4.15.5-16.el8_6.1 and below * is unaffected.
- Version 0:4.17.5-7.el8_8.1 and below * is unaffected.
- Version 0:4.17.5-7.el8_8.1 and below * is unaffected.
- Version 0:4.23.5-10.el9_8 and below * is unaffected.
- Version 0:4.23.5-10.el9_8 and below * is unaffected.
- Version 0:4.17.5-105.el9_2.5 and below * is unaffected.
- Version 0:4.19.4-105.el9_4.4 and below * is unaffected.
- Version 0:4.21.3-14.el9_6.1 and below * is unaffected.
- Version 4.19.9.6.202606241344-0 and below * is unaffected.
- Version 4.20.9.6.202606241928-0 and below * is unaffected.
- Version 4.21.9.6.202606241859-0 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.