Bug 16033 (CVE-2026-4480) - CVE-2026-4480 [SECURITY] Unauthenticated Remote Code Execution
Summary: CVE-2026-4480 [SECURITY] Unauthenticated Remote Code Execution
Status: RESOLVED FIXED
Alias: CVE-2026-4480
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing
Version: unspecified
Hardware: All
OS: All
Importance: P5 critical
Target Milestone: ---
Assignee: printing-maintainers
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 16018
Reported: 2026-03-15 18:18 UTC by Volker Lendecke
Modified: 2026-05-26 14:13 UTC (History)
CC: 9 users

See Also:


Attachments
Potential fix (1.45 KB, patch); 2026-03-15 19:05 UTC, Volker Lendecke; flags: vl: ci-passed+
Initial advisory, CVE number pending (1.70 KB, text/plain); 2026-03-18 12:31 UTC, Volker Lendecke; flags: dbagnall: review+
Patch for 4.21 (1.46 KB, patch); 2026-03-25 08:33 UTC, Volker Lendecke; no flags
Patch for 4.22 (1.46 KB, patch); 2026-03-25 08:33 UTC, Volker Lendecke; no flags
Patch for 4.23 (1.46 KB, patch); 2026-03-25 08:34 UTC, Volker Lendecke; no flags
Patch for 4.24 (1.46 KB, patch); 2026-03-25 08:35 UTC, Volker Lendecke; no flags
Patch for master (1.46 KB, patch); 2026-03-25 08:37 UTC, Volker Lendecke; flags: vl: ci-passed+
patch that prevents splitting of job names into many arguments (8.06 KB, patch); 2026-03-26 01:57 UTC, Douglas Bagnall; flags: metze: review-
Work in progress (fails autobuild) for CVE-2026-4480/CVE-2026-4408 (50.32 KB, text/plain); 2026-05-08 22:42 UTC, Stefan Metzmacher; no flags
Work in progress for CVE-2026-4480/CVE-2026-4408 (81.23 KB, text/plain); 2026-05-12 14:51 UTC, Stefan Metzmacher; flags: metze: ci-passed+
CVE-2026-4480-metze-03-advisory.txt (2.30 KB, text/plain); 2026-05-12 14:53 UTC, Stefan Metzmacher; flags: dbagnall: review+
CVE-2026-4480-CVE-2026-4408-metze-03-master.txt (83.48 KB, text/plain); 2026-05-14 10:29 UTC, Stefan Metzmacher; flags: dbagnall: review+, metze: ci-passed+
CVE-2026-4480-CVE-2026-4408-metze-03-v4-24.txt (83.47 KB, text/plain); 2026-05-14 10:30 UTC, Stefan Metzmacher; flags: dbagnall: review+, metze: ci-passed+
CVE-2026-4480-CVE-2026-4408-metze-03-v4-23.txt (83.47 KB, text/plain); 2026-05-14 10:31 UTC, Stefan Metzmacher; flags: dbagnall: review+, metze: ci-passed+
CVE-2026-4480-CVE-2026-4408-metze-03-v4-22.txt (83.54 KB, text/plain); 2026-05-14 10:31 UTC, Stefan Metzmacher; flags: dbagnall: review+, metze: ci-passed+

Description Volker Lendecke 2026-03-15 18:18:00 UTC
Comment 1 Volker Lendecke 2026-03-15 19:05:28 UTC
Created attachment 18903 [details]
Potential fix
Comment 2 Volker Lendecke 2026-03-18 12:31:48 UTC
Created attachment 18905 [details]
Initial advisory, CVE number pending
Comment 3 Douglas Bagnall 2026-03-22 02:53:01 UTC
It looks like we just missed this one in the CVE-2007-2447 fixes.

bug 13745 would have briefly protected some versions by breaking things differently.
Comment 4 Volker Lendecke 2026-03-25 08:33:22 UTC
Created attachment 18915 [details]
Patch for 4.21
Comment 5 Volker Lendecke 2026-03-25 08:33:50 UTC
Created attachment 18916 [details]
Patch for 4.22
Comment 6 Volker Lendecke 2026-03-25 08:34:45 UTC
Created attachment 18917 [details]
Patch for 4.23
Comment 7 Volker Lendecke 2026-03-25 08:35:34 UTC
Created attachment 18918 [details]
Patch for 4.24
Comment 8 Volker Lendecke 2026-03-25 08:37:45 UTC
Created attachment 18919 [details]
Patch for master

Master has run CI, the others were built
Comment 9 Douglas Bagnall 2026-03-26 01:57:05 UTC
Created attachment 18925 [details]
patch that prevents splitting of job names into many arguments

Actually maybe we need something like this.

Otherwise if a user offers a job name of "foo bar bash", the command becomes e.g. "lp -c foo bar bash" when we want "lp -c 'foo bar bash'".

I don't know much about likely print command strings, but it seems plausible that there might be cases where extra arguments can cause confusion.

With this new function we don't strictly need to retain the `talloc_string_sub(ctx, pjob->jobname, "'", "_")`, but I prefer that we do.
Comment 10 Björn Jacke 2026-04-08 16:35:58 UTC
The security release that was scheduled for tomorrow will be postponed due to
new problems that have been identified with one of the fixes.

We will announce a new release date as soon as possible after the remaining
issues have been ruled out.
Comment 11 Stefan Metzmacher 2026-04-09 13:53:13 UTC
Comment on attachment 18925 [details]
patch that prevents splitting of job names into many arguments

(In reply to Douglas Bagnall from comment #9)

This doesn't prevent the attack at all:

python3 samba_rce.py -s 127.0.0.1 -u "" -p "" -r pbug01 -c "| touch /tmp/bar6"

creates /tmp/bar6_ because print_run_command() calls talloc_string_sub
multiple times and that converts ' to _ via remove_unsafe_characters=true
to talloc_string_sub2.
Comment 12 Douglas Bagnall 2026-04-09 21:53:17 UTC
(In reply to Stefan Metzmacher from comment #11)
Right. My opinion is that Volker's fix is good enough for the security release.

It is a much smaller problem that the job name becomes multiple arguments.
Comment 13 Stefan Metzmacher 2026-04-10 11:30:53 UTC
(In reply to Douglas Bagnall from comment #12)

Yes, for the given printer command it works.

But imagine a bash script that passes the argument along to
another command.

Or the command actually takes cmdline arguments to alter
the behavior something similar to the '--exec' argument of git rebase.
Or something like '--rm-files'.

I'm wondering if remove_unsafe_characters=true in
talloc_string_sub2 should also remove '|' and '&',
but I don't know if that would cause any other
problem in a valid case.

And for the jobname it would feel better if we would also
replace '/' and '\\'. And maybe also whitespaces
as well as a leading '-'.
Comment 14 Stefan Metzmacher 2026-04-10 11:49:50 UTC
(In reply to Stefan Metzmacher from comment #13)

MS-RPRN 2.2.1.4 DOC_INFO_1 says 

pDocName: An optional pointer to a string that provides the name of the document. If this member is
NULL, the print server SHOULD use an implementation-specific default job name.<22>

<22> Section 2.2.1.4: In Windows the default job name is "No Document Name".

Maybe we could use something like we have for
CVE-2026-4408: samr-server: Deny usernames with shell meta-chars

It uses escape_shell_string() and compares that the result
is exactly the input name.

Maybe we can use it here too and fallback to
'InvalidDocumentName' instead of using the client value?
Comment 15 Douglas Bagnall 2026-04-10 19:59:42 UTC
(In reply to Stefan Metzmacher from comment #14)
> Maybe we can use it here too and fallback to
> 'InvalidDocumentName' instead of using the client value?

yes.

If having all the document names the same is confusing, we can later switch to 'Document_2026_04_11_14:15:16' or similar.
Comment 16 Stefan Metzmacher 2026-04-10 20:01:25 UTC
(In reply to Douglas Bagnall from comment #15)

The thing is that even '-' in the jobname will trigger this,
see the comment on the SAMR patch :-(
Comment 17 Douglas Bagnall 2026-04-10 20:42:54 UTC
(In reply to Stefan Metzmacher from comment #13)
I have a growing wish that we could make smbrun() split the string on (unquoted) whitespace, do the substitution in each segment, then execl directly without 'sh -c'.  That would of course break commands using '&&' and such and people would have to put those commands in a separate script. The execed script can deal with it better, using double quotes like "$1".

But I think the comment 14 solution is best for now.
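The no-shell execution model sketched in comment 17, as an added C example; this is not Samba's smbrun() and not part of the fix for this bug. The print command template is split on unquoted whitespace, the job name is substituted into each resulting word only after the split, and the result is an argv for execv(2) rather than a string for "sh -c", so a job name containing spaces, '|' or quotes stays one argument. The "%J" placeholder, the template quoting rules and MAX_ARGS are assumptions of this example; as the comment notes, a template that relies on shell features such as '&&' would instead have to be moved into a script.

```c
/* Added illustration, not Samba code: build an argv for execv(2) from a
 * print-command template by splitting the template on unquoted whitespace
 * and only then substituting the job name into each word. The job name is
 * never seen by a shell parser, so spaces, '|' or quotes inside it cannot
 * create extra arguments or commands. The "%J" placeholder, the template
 * quoting rules and MAX_ARGS are assumptions made for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32

void free_argv(char **argv)
{
    int i;
    if (argv == NULL) return;
    for (i = 0; argv[i] != NULL; i++) free(argv[i]);
    free(argv);
}

int argv_count(char **argv)
{
    int n = 0;
    while (argv != NULL && argv[n] != NULL) n++;
    return n;
}

/* Replace every "%J" in seg with job, copied as plain bytes; caller frees. */
static char *substitute_job(const char *seg, const char *job)
{
    size_t joblen = strlen(job), outlen = 0;
    const char *p;
    char *out, *o;

    for (p = seg; *p != '\0'; p++) {            /* pass 1: output size */
        if (p[0] == '%' && p[1] == 'J') { outlen += joblen; p++; }
        else outlen++;
    }
    out = malloc(outlen + 1);
    if (out == NULL) return NULL;
    for (p = seg, o = out; *p != '\0'; p++) {   /* pass 2: copy */
        if (p[0] == '%' && p[1] == 'J') { memcpy(o, job, joblen); o += joblen; p++; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Split tmpl on unquoted spaces/tabs ('...' and "..." group words), then
 * substitute the job name per word. Returns a NULL-terminated argv, or
 * NULL on an unbalanced quote, too many words or allocation failure. */
char **build_print_argv(const char *tmpl, const char *job)
{
    char **argv = calloc(MAX_ARGS, sizeof(char *));
    char *word = malloc(strlen(tmpl) + 1);
    size_t wlen = 0;
    int argc = 0;
    char quote = 0;
    bool in_word = false;
    const char *p;

    if (argv == NULL || word == NULL) goto fail;

    for (p = tmpl; ; p++) {
        char c = *p;
        bool end = (c == '\0');

        if (!end && quote != 0) {               /* inside quotes: literal */
            if (c == quote) quote = 0;
            else word[wlen++] = c;
            continue;
        }
        if (!end && (c == '\'' || c == '"')) {  /* opening quote */
            quote = c;
            in_word = true;
            continue;
        }
        if (end || c == ' ' || c == '\t') {     /* word boundary */
            if (in_word) {
                if (argc >= MAX_ARGS - 1) goto fail;
                word[wlen] = '\0';
                argv[argc] = substitute_job(word, job);
                if (argv[argc] == NULL) goto fail;
                argc++;
                wlen = 0;
                in_word = false;
            }
            if (end) break;
            continue;
        }
        word[wlen++] = c;
        in_word = true;
    }
    if (quote != 0) goto fail;                  /* unbalanced quote in template */
    free(word);
    argv[argc] = NULL;
    return argv;

fail:
    free_argv(argv);
    free(word);
    return NULL;
}

int main(void)
{
    /* Constructed sample: a job name that would be dangerous under sh -c. */
    char **argv = build_print_argv("lp -c -t %J", "foo bar | touch /tmp/x");
    int i;
    if (argv == NULL) return 1;
    for (i = 0; argv[i] != NULL; i++) printf("argv[%d] = [%s]\n", i, argv[i]);
    /* A real caller would now fork() and execv(argv[0], argv), with no shell. */
    free_argv(argv);
    return 0;
}
```

Note that the quoting rules apply only to the administrator-controlled template, never to the substituted value: the job name is copied byte-for-byte into a single argv entry after the split, which is what makes the later "--exec"-style argument confusion from comment 13 impossible unless the name itself starts with '-'.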
Comment 18 Douglas Bagnall 2026-04-10 20:43:53 UTC
(In reply to Stefan Metzmacher from comment #16)
I guess we need a new function then.
Comment 19 Stefan Metzmacher 2026-05-08 22:42:10 UTC
Created attachment 18962 [details]
Work in progress (fails autobuild) for CVE-2026-4480/CVE-2026-4408

This is what Douglas and I have been working on in the last days.

This is not really tested in this form, only pre-versions of it.
But you get the idea.
Comment 21 Stefan Metzmacher 2026-05-12 14:51:44 UTC
Created attachment 18968 [details]
Work in progress for CVE-2026-4480/CVE-2026-4408

From my side this is ok and passed a private autobuild and manual tests.

Once Douglas is ok with his signed-off-by and reviewed it,
we can do the backporting.
Comment 22 Stefan Metzmacher 2026-05-12 14:53:09 UTC
Created attachment 18969 [details]
CVE-2026-4480-metze-03-advisory.txt
Comment 23 Andrew Bartlett 2026-05-12 20:20:32 UTC
Comment on attachment 18968 [details]
Work in progress for CVE-2026-4480/CVE-2026-4408

I came to check that my comment on & had been acted on, and I'm glad to see it has, and then read over the full patch.  While not a full review, I wanted to say a big thanks for all the work done here, this is an impressive patch!
Comment 24 Stefan Metzmacher 2026-05-14 10:29:34 UTC
Created attachment 18972 [details]
CVE-2026-4480-CVE-2026-4408-metze-03-master.txt
Comment 25 Stefan Metzmacher 2026-05-14 10:30:14 UTC
Created attachment 18973 [details]
CVE-2026-4480-CVE-2026-4408-metze-03-v4-24.txt
Comment 26 Stefan Metzmacher 2026-05-14 10:31:01 UTC
Created attachment 18974 [details]
CVE-2026-4480-CVE-2026-4408-metze-03-v4-23.txt
Comment 27 Stefan Metzmacher 2026-05-14 10:31:44 UTC
Created attachment 18975 [details]
CVE-2026-4480-CVE-2026-4408-metze-03-v4-22.txt
Comment 28 Stefan Metzmacher 2026-05-14 10:57:11 UTC
Comment on attachment 18969 [details]
CVE-2026-4480-metze-03-advisory.txt

Make clear the advisory reflects the metze-03 patchsets.
Comment 29 Björn Jacke 2026-05-15 13:01:47 UTC
Scheduled release date is now 2026-05-26.
Comment 30 Stefan Metzmacher 2026-05-26 09:16:15 UTC
I plan to upload the releases in about 3 hours from now...
Comment 31 Samba QA Contact 2026-05-26 12:35:56 UTC
This bug was referenced in samba v4-24-stable (Release samba-4.24.3):

cd547290531955e5d04c7a8e7721d80f3678fad8
4b12c0378ef5f743aa2147294c004f21edb43b98
9e6d67c23199de70a1909610e13cf460b028a031
295b0bb2fadfe090e1f7dfb61c444d127c86edac
13528178b4895f1434a67b32575477a0d57a4c9f
2c463b0f12b300b9e66a4c08cfef31631ce1cc0c
9a60afd3e3146a78a59912402bc870b8d156b26f
aa5a4480353f73d39e40c6ca558c1370c1e567c6
52ed5933c6211c08f1e3a1144ac6b8d3a9ab8261
75f0d818bc64d2e1994bf4ac1b18dcfb1aa96e3a
989346601ef5310a933a0e7fb9cd6f30b2b23803
b455a940b5b677af3d24bbf465bc3514936a86b2
0875a39ebd8529d582d3b2d1463a403024ed105f
468fe799a4ab97b88df127cf01f39d11f5626afa
Comment 32 Samba QA Contact 2026-05-26 12:36:44 UTC
This bug was referenced in samba v4-23-stable (Release samba-4.23.8):

df3455cf6d7e0f678de194941955ee0fde340287
db426990a137db31e6865bf3ae581ea3543c32a5
fd5f6d69409ff1d4f99de9c8f1d2af16bb99971f
b54d65606c84b3da3ba83f53db71a69667402cf0
0c13febc7f40e512356afeea9e03d15de8ffba39
9374f35a1be538f1330b9b6da2248e7a22810983
20ba81c29f97a9a819157b3fb671a222f6ebef46
62d75721bcf2b0f8b3681ed60eaffe7a4c740c3e
20fcc1380b1693b8ce1677dd224a8d556223d213
6f9febc25552091a98b8c0bb9e94b206b1692fe0
9e7b5f0a5687b993fd5a6303c0414a80a206b531
2531aac7a30e0d87cbca9b5052fa35adaff7323f
3d2384d78f80cc7ebb04ce160df9d382538a41c8
c6729f4b0284c5906fb5747a01ba79e0a83c6706
Comment 33 Samba QA Contact 2026-05-26 12:36:50 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.10):

26b64ec55944b375ead223a214c5f4301329511f
76dcb30911c22d92ca79e9034656b691a2d51df4
3032b7efe9d2fd35081ec33d575d01f9ebf6725c
3f24236a5000402de11d973527eb7d28fd30de19
113ba24197ca4e5bd683951f99fa4553a4240e48
c4a93471622e5d7f8e28073029f3ebfbe22b6288
003ff9b49f65d8006330a018da6fe0169a6fdb48
5551dd76e92480625f00765f183d753dcb857894
0cabcbd24cf2eec692b1a9642447e81c97cc90b7
d291377ac1ea515ac064ac00d59e1787db5671d1
ebd4edda32d949e10e531939b7a4e19b2306ff64
31449816464f07cd2ef156a96e68c604f36b2164
02356117b73f0e4e1063860d99cb892e6d6ce7f0
8ea1a94c95330ee64f5b0ab20d4fee453e367218
Comment 34 Samba QA Contact 2026-05-26 12:39:09 UTC
This bug was referenced in samba v4-24-test (Release samba-4.24.3):

cd547290531955e5d04c7a8e7721d80f3678fad8
4b12c0378ef5f743aa2147294c004f21edb43b98
9e6d67c23199de70a1909610e13cf460b028a031
295b0bb2fadfe090e1f7dfb61c444d127c86edac
13528178b4895f1434a67b32575477a0d57a4c9f
2c463b0f12b300b9e66a4c08cfef31631ce1cc0c
9a60afd3e3146a78a59912402bc870b8d156b26f
aa5a4480353f73d39e40c6ca558c1370c1e567c6
52ed5933c6211c08f1e3a1144ac6b8d3a9ab8261
75f0d818bc64d2e1994bf4ac1b18dcfb1aa96e3a
989346601ef5310a933a0e7fb9cd6f30b2b23803
b455a940b5b677af3d24bbf465bc3514936a86b2
0875a39ebd8529d582d3b2d1463a403024ed105f
468fe799a4ab97b88df127cf01f39d11f5626afa
Comment 35 Samba QA Contact 2026-05-26 12:39:59 UTC
This bug was referenced in samba v4-23-test (Release samba-4.23.8):

df3455cf6d7e0f678de194941955ee0fde340287
db426990a137db31e6865bf3ae581ea3543c32a5
fd5f6d69409ff1d4f99de9c8f1d2af16bb99971f
b54d65606c84b3da3ba83f53db71a69667402cf0
0c13febc7f40e512356afeea9e03d15de8ffba39
9374f35a1be538f1330b9b6da2248e7a22810983
20ba81c29f97a9a819157b3fb671a222f6ebef46
62d75721bcf2b0f8b3681ed60eaffe7a4c740c3e
20fcc1380b1693b8ce1677dd224a8d556223d213
6f9febc25552091a98b8c0bb9e94b206b1692fe0
9e7b5f0a5687b993fd5a6303c0414a80a206b531
2531aac7a30e0d87cbca9b5052fa35adaff7323f
3d2384d78f80cc7ebb04ce160df9d382538a41c8
c6729f4b0284c5906fb5747a01ba79e0a83c6706
Comment 36 Samba QA Contact 2026-05-26 12:40:44 UTC
This bug was referenced in samba v4-22-test (Release samba-4.22.10):

26b64ec55944b375ead223a214c5f4301329511f
76dcb30911c22d92ca79e9034656b691a2d51df4
3032b7efe9d2fd35081ec33d575d01f9ebf6725c
3f24236a5000402de11d973527eb7d28fd30de19
113ba24197ca4e5bd683951f99fa4553a4240e48
c4a93471622e5d7f8e28073029f3ebfbe22b6288
003ff9b49f65d8006330a018da6fe0169a6fdb48
5551dd76e92480625f00765f183d753dcb857894
0cabcbd24cf2eec692b1a9642447e81c97cc90b7
d291377ac1ea515ac064ac00d59e1787db5671d1
ebd4edda32d949e10e531939b7a4e19b2306ff64
31449816464f07cd2ef156a96e68c604f36b2164
02356117b73f0e4e1063860d99cb892e6d6ce7f0
8ea1a94c95330ee64f5b0ab20d4fee453e367218
Comment 37 Samba QA Contact 2026-05-26 13:55:38 UTC
This bug was referenced in samba master:

45431b969e1831d75ca2d16c916fa5f374af8490
93c98023f51db8c2d2db306030f6bc25a88677fd
bd05bcd18a0c6234d9dfe39b1811b80110597aac
094852887ae6825fe18715133d272a445978bfa4
73231db51394399861394966e31e91e461954320
f6a9447df1c4e5018539ed847427921e8830517c
82900145139730249fe8f585a242e7dff8bf3e66
c51b42fae63ec6466c4736cdc9ddbd55782614bb
88c45db50d2289afd750ca25f2acf9ed4ceb9819
c610d8c6b1ef0e9871077eb40e79c5e1ed610a5a
b6fe311a6ac46bb6cd3af6fdfb5b21c7397069d5
b80131fcf582ecc8e8c1b97e6051bb324bb8bef8
c6ecded7002c112ffd239e6082ab37e8eb7a4ff5
5288e3f8469c0103c5a32d59bb7962a3a7f0c2bf