Created attachment 18867 [details] Security report
Anten Skrabec commented: Hi there, I've reserved CVE-2026-3238 for this issue. Please let us know when you have additional information to share so we can ensure the CVE metadata is set correctly. Thanks, Anten
Created attachment 18875 [details] Patch for 4.21
Created attachment 18876 [details] Patch for 4.22
Created attachment 18877 [details] Patch for 4.23
Created attachment 18878 [details] Patch for 4.24
Created attachment 18879 [details] Patch for master
I have only run a full autobuild on the master patch. I have compiled all the other ones. As this code has not changed for many years, I strongly doubt that the autobuild result will differ for the versions back to 4.21.
Created attachment 18880 [details] Draft advisory
In case someone feels inclined to take a look, from my point of view this is done for the moment.
Should we also do nbtd_winsserver_query?: diff --git i/source4/nbt_server/wins/winsserver.c w/source4/nbt_server/wins/winsserver.c index a74eae2e42b..8be2ad10813 100644 --- i/source4/nbt_server/wins/winsserver.c +++ w/source4/nbt_server/wins/winsserver.c @@ -747,13 +747,16 @@ static void nbtd_winsserver_query(struct loadparm_context *lp_ctx, struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private_data, struct nbtd_interface); struct wins_server *winssrv = iface->nbtsrv->winssrv; - struct nbt_name *name = &packet->questions[0].name; + struct nbt_name *name = NULL; struct winsdb_record *rec; struct winsdb_record *rec_1b = NULL; const char **addresses; const char **addresses_1b = NULL; uint16_t nb_flags = 0; + NBTD_ASSERT_PACKET(packet, src, packet->qdcount > 0); + name = &packet->questions[0].name; + if (name->type == NBT_NAME_MASTER) { goto notfound; }
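Review bot: the new NBTD_ASSERT_PACKET(packet, src, packet->qdcount > 0) in nbtd_winsserver_query has no comment explaining why `name` is now initialised to NULL and only assigned after the check, so a later cleanup could fold `&packet->questions[0].name` back into the declaration and lose the guard. A one-line comment above the assert saying that questions[0] must not be touched until qdcount has been checked would prevent that. The check covers only index 0, which matches the only index used in the visible lines. A regression test that sends a WINS query with qdcount 0 and expects it to be handled as a bad packet would pin the behaviour for this function as well as the ones already patched.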
(In reply to Volker Lendecke from comment #7)
> I have only run a full autobuild on the master patch. I have compiled all the other ones. As this code has not changed for many years, I strongly doubt that the autobuild result will differ for the versions back to 4.21.
Agreed. The patches will apply as far back as 4.0.
(In reply to Douglas Bagnall from comment #10)
> Should we also do nbtd_winsserver_query?:
Of course, thanks!!
Created attachment 18881 [details] Patch for all versions
As the patch is really the same for all versions back very very far, I named the one patch appropriately. If this is too difficult for downstream, I'll upload them again with separate names. Running CI on top of master now.
private autobuild succeeded
The security release that was scheduled for tomorrow will be postponed due to new problems that have been identified with one of the fixes. We will announce a new release date as soon as possible after the remaining issues have been ruled out.
Scheduled release date is now 2026-05-26.
I plan to upload the releases in about 3 hours from now...
This bug was referenced in samba v4-24-stable (Release samba-4.24.3): e440829bdd9c9799ac84df703add44f58d2d5c8b e37b4645bd63be3cbba7b3521a1c858c8231a236
This bug was referenced in samba v4-23-stable (Release samba-4.23.8): 9ac7c27d30997e180f9c88d93f0f6e76238eb42f 2d7d92ef35e4496d43dd342c621b31f07d93fa71
This bug was referenced in samba v4-22-stable (Release samba-4.22.10): 4798eb7aba91f526d3e88d7dbb3fb06923d891e5 4a53add03f1eb5d44deb76d7e171fc638e9ef8d0
This bug was referenced in samba v4-24-test (Release samba-4.24.3): e440829bdd9c9799ac84df703add44f58d2d5c8b e37b4645bd63be3cbba7b3521a1c858c8231a236
This bug was referenced in samba v4-23-test (Release samba-4.23.8): 9ac7c27d30997e180f9c88d93f0f6e76238eb42f 2d7d92ef35e4496d43dd342c621b31f07d93fa71
This bug was referenced in samba v4-22-test (Release samba-4.22.10): 4798eb7aba91f526d3e88d7dbb3fb06923d891e5 4a53add03f1eb5d44deb76d7e171fc638e9ef8d0
This bug was referenced in samba master: 20335fb88aaf628de9d243eb9cb39256c613e994 15fce8ff6141d1d4c5a526f6567b8f0e8bbc4261