CVE-2026-4408: Samba: remote code execution in samr
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
HarborGuard Analysis
Synopsis
A shell meta-character injection flaw in Samba's "check password script" feature allows a remote, unauthenticated attacker to execute arbitrary commands on affected file servers and classic domain controllers. The vulnerability is reachable over the network and requires no credentials; exploitation is limited to non-standard configurations where the "check password script" is set with the %u substitution character and samba-dcerpcd runs as a system service. Successful exploitation gives the attacker full remote code execution on the host, with high impact to confidentiality, integrity, and availability. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-4408 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Red Hat's security data) within minutes of publication and matched against all customer images, including custom-built images that bundle Samba or ship Red Hat Enterprise Linux base layers.
- Triage: Available
Triage is available using the CVSS v3.1 score of 9.0 (Critical), weighted against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
- Remediation: Pending upstream
Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation and egress filtering can be applied through HarborGuard's policy engine where supported.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Samba service over the network; the CVSS vector specifies AV:N, meaning no local access or physical proximity is required.
- Authentication: Not required
No credentials are needed; the attacker supplies a crafted username through the unauthenticated portion of the Samba protocol handshake.
- Victim interaction: Not required
No user interaction is required; the attacker triggers the flaw entirely through their own network requests.
- Attack complexity: High
Attack complexity is rated High (AC:H), meaning the attacker must contend with specific preconditions: the target must be running the "check password script" with %u substitution and have samba-dcerpcd running as a system service.
Blast Radius
- Executes arbitrary shell commands as the user running samba-dcerpcd, which in affected configurations is typically a system-level account.
- Reads sensitive files on the host including credentials, Kerberos keytabs, and any data accessible to the Samba process.
- Modifies or deletes files and configurations on the host, including shared filesystems served to domain clients.
- Crashes or disrupts the Samba service and connected domain infrastructure, affecting availability for all clients relying on the domain controller or file server.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-4408 at this time, the advisory is re-evaluated on every ingest cycle so that a patched-image rebuild becomes available immediately when Red Hat publishes a fix. For environments with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While no patch is available, customers can use HarborGuard's policy engine to flag or block deployment of images containing affected Samba versions, apply network-policy isolation to limit inbound access to Samba RPC endpoints, and gate the vulnerable configuration (check password script with %u) through feature-flag or configuration policy enforcement. Customers whose compliance policy requires documented compensating controls will find this CVE surfaced at Critical severity in their findings queue for manual review.
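The configuration half of the precondition described above (a "check password script" value that contains %u) can be audited offline from smb.conf. The scanner below is an added example, not HarborGuard's or Samba's code; its smb.conf input is constructed, and it assumes Samba matches parameter names case- and whitespace-insensitively, so keys are normalised that way before lookup.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample smb.conf: the risky setting in [global] split across a
# backslash continuation, a commented-out variant that must not trigger, a share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   ; check password script = /usr/local/bin/check %u
   check password script = /usr/local/bin/pwcheck \\
        --user %u
   server role = classic primary domain controller
[homes]
   browseable = no
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}, joining backslash
    continuations and skipping '#'/';' comments. Keys are lowercased with
    whitespace removed to mirror Samba's case- and whitespace-insensitive
    parameter matching (an assumption stated in the lead-in)."""
    sections: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # continuation: keep accumulating
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current]["".join(key.lower().split())] = value.strip()
    return sections

def find_check_password_script_with_u(text: str) -> List[Tuple[str, str]]:
    """Return (section, value) pairs where 'check password script' uses %u."""
    hits = []
    for section, params in parse_smb_conf(text).items():
        value = params.get("checkpasswordscript")
        if value is not None and "%u" in value:
            hits.append((section, value))
    return hits
```

This covers only the smb.conf side of the precondition; whether samba-dcerpcd is started as a system service still has to be checked on the host itself.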
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 7
  - Red Hat / Red Hat Enterprise Linux 10
  - Red Hat / Red Hat Enterprise Linux 6
  - Red Hat / Red Hat Enterprise Linux 6
  - Red Hat / Red Hat Enterprise Linux 7
  - Red Hat / Red Hat Enterprise Linux 8
  - Red Hat / Red Hat Enterprise Linux 9
  - Red Hat / Red Hat OpenShift Container Platform 4
- CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H