HIGH | CVE-2026-3238 | CNA: redhat

CVE-2026-3238: Samba: denial of service against AD DC WINS server

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: not listed
  • Affected Products: 7


HarborGuard Analysis

Synopsis

A NULL pointer dereference in Samba's WINS server component, present when Samba is running as an Active Directory Domain Controller, allows an unauthenticated remote attacker to crash the WINS service by sending specially crafted UDP packets over the network. No authentication or victim interaction is needed; the attacker only needs network access to the exposed WINS port. Successful exploitation disrupts WINS name resolution, taking down the service until it is restarted. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-3238 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds, including Red Hat's security data stream, within minutes of publication and matched against all customer images, including custom-built images that bundle Samba or RHEL base layers. Any image found to carry an affected Samba version is flagged immediately in the customer's pipeline results.

Status: Available

Triage

Triage is available using the published CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied so teams with stricter denial-of-service sensitivity can escalate the finding above its base score. Routed findings land in the correct team inbox based on each customer org's configured ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an updated Samba package is released. In the interim, the finding remains open and visible in each affected environment's vulnerability queue so remediation can be prioritized as soon as a patch becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WINS service over the network; the vulnerable UDP port must be accessible from the attacker's position.

  • Authentication: Not required

    No credentials or account of any kind are needed; the malformed UDP packet alone is sufficient to trigger the crash.

  • Victim interaction: Not required

    The attack is entirely remote; no user on the target system needs to take any action for exploitation to succeed.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; crafting a malformed WINS request requires no special timing, memory layout knowledge, or environmental pre-condition.

Blast Radius

  • Crashes the Samba WINS service, interrupting WINS-based NetBIOS name resolution for all clients that depend on it.
  • Forces a service restart to restore availability, creating a window of disruption for Active Directory environments that rely on WINS.
  • Repeated crashes can be used to sustain a denial-of-service condition against the AD DC, degrading domain controller reliability.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-3238 at this time, the CVE is flagged as open on every image carrying an affected Samba build across RHEL 6, 7, 8, 9, 10, and Red Hat OpenShift Container Platform 4. HarborGuard re-checks the Red Hat advisory feed on each ingest cycle; the moment a patched Samba package is published, a rebuilt image becomes available, and customers with auto-remediation enabled will receive an automated rebuild, regression-test run, and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy rules that restrict UDP access to the WINS port to only trusted internal segments, egress filtering to limit lateral reachability of the DC, and disabling the WINS server role entirely if NetBIOS name resolution is not actively required in the environment.
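
To decide whether a host is in the configuration this advisory describes (AD DC role with the WINS server enabled), and whether disabling the WINS role has taken effect, the check below parses an smb.conf. It is an added example, not HarborGuard or Samba code; it assumes the documented smb.conf parameters `server role` and `wins support` govern that configuration, and the sample file is constructed.

```python
import re

# Constructed sample smb.conf (not taken from any real host).
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    Server Role = active directory domain controller
    wins support = yes
; a comment line
[netlogon]
    path = /var/lib/samba/sysvol/example.test/scripts
"""

# Assumption: values smb.conf accepts for the AD DC role and for booleans.
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
TRUE_VALUES = {"yes", "true", "1", "on"}

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def wins_exposure(text):
    """Classify a config: 'exposed', 'wins-disabled' or 'not-ad-dc'."""
    g = parse_global(text)
    role = " ".join(g.get("serverrole", "auto").lower().split())
    if role not in AD_DC_ROLES:
        return "not-ad-dc"
    # 'wins support' defaults to no when the parameter is absent.
    wins_on = g.get("winssupport", "no").lower() in TRUE_VALUES
    return "exposed" if wins_on else "wins-disabled"
```

On a live host, run it over the output of `testparm -s` rather than the raw file so that included files and defaults are resolved.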

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 6
  • Red Hat / Red Hat Enterprise Linux 6
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat OpenShift Container Platform 4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H