Bug 16034 (CVE-2026-4408) - CVE-2026-4408 [SECURITY] Remote Code Execution in SAMR
Summary: CVE-2026-4408 [SECURITY] Remote Code Execution in SAMR
Status: RESOLVED FIXED
Alias: CVE-2026-4408
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 16018
Reported: 2026-03-17 13:16 UTC by Volker Lendecke
Modified: 2026-05-26 14:14 UTC

See Also:


Attachments
possible fix (1.28 KB, patch)
2026-03-18 11:35 UTC, Volker Lendecke
vl: ci-passed+
Details
Initial advisory, CVE number pending (2.66 KB, text/plain)
2026-03-18 12:51 UTC, Volker Lendecke
no flags Details
Advisory (2.66 KB, text/plain)
2026-03-19 11:14 UTC, Volker Lendecke
no flags Details
Patch for 4.21 (1.29 KB, patch)
2026-03-19 11:32 UTC, Volker Lendecke
no flags Details
Patch for 4.22 (1.29 KB, patch)
2026-03-19 11:33 UTC, Volker Lendecke
no flags Details
Patch for 4.23 (1.29 KB, patch)
2026-03-19 11:33 UTC, Volker Lendecke
no flags Details
Patch for 4.24 (1.29 KB, patch)
2026-03-19 11:33 UTC, Volker Lendecke
no flags Details
Patch for master (1.29 KB, patch)
2026-03-19 11:34 UTC, Volker Lendecke
vl: ci-passed+
Details
Advisory with CVE number and vl credit. (2.75 KB, text/plain)
2026-03-25 03:33 UTC, Douglas Bagnall
no flags Details
CVE-2026-4408-advisory.txt (3.04 KB, text/plain)
2026-05-12 14:55 UTC, Stefan Metzmacher
no flags Details
CVE-2026-4408-metze-03-advisory.txt (3.04 KB, text/plain)
2026-05-14 10:59 UTC, Stefan Metzmacher
dbagnall: review+
Details
CVE-2026-4408-metze-04-advisory.txt (3.21 KB, text/plain)
2026-05-15 12:45 UTC, Björn Jacke
bjacke: review+
Details

Description Volker Lendecke 2026-03-17 13:16:02 UTC

    
Comment 1 Volker Lendecke 2026-03-18 11:35:47 UTC
Created attachment 18904 [details]
possible fix
Comment 2 Volker Lendecke 2026-03-18 12:51:28 UTC
Created attachment 18906 [details]
Initial advisory, CVE number pending
Comment 3 Volker Lendecke 2026-03-19 11:14:28 UTC
Created attachment 18907 [details]
Advisory
Comment 4 Volker Lendecke 2026-03-19 11:32:50 UTC
Created attachment 18908 [details]
Patch for 4.21
Comment 5 Volker Lendecke 2026-03-19 11:33:09 UTC
Created attachment 18909 [details]
Patch for 4.22
Comment 6 Volker Lendecke 2026-03-19 11:33:25 UTC
Created attachment 18910 [details]
Patch for 4.23
Comment 7 Volker Lendecke 2026-03-19 11:33:46 UTC
Created attachment 18911 [details]
Patch for 4.24
Comment 8 Volker Lendecke 2026-03-19 11:34:23 UTC
Created attachment 18912 [details]
Patch for master

I've run a full CI on master only; I've compiled all the other ones.
Comment 9 Douglas Bagnall 2026-03-25 03:33:12 UTC
Created attachment 18914 [details]
Advisory with CVE number and vl credit.

Advisory looks good. I have added the CVE number and an acknowledgement for Volker.
Comment 10 Douglas Bagnall 2026-03-26 02:01:58 UTC
If the username contains spaces or tabs, the script will still get an unexpected number of arguments. Is this going to matter?
Comment 11 Björn Jacke 2026-04-08 16:36:35 UTC
The security release that was scheduled for tomorrow will be postponed due to
new problems that have been identified with one of the fixes.

We will announce a new release date as soon as possible after the remaining
issues have been ruled out.
Comment 12 Stefan Metzmacher 2026-04-10 16:14:00 UTC
This returns NT_STATUS_INVALID_USER_PRINCIPAL_NAME for valid usernames,
e.g. with a '-'
Comment 13 Stefan Metzmacher 2026-05-08 22:45:58 UTC
See https://bugzilla.samba.org/attachment.cgi?id=18962 for the current
work in progress patches.
Comment 14 Andrew Bartlett 2026-05-10 01:49:17 UTC
I think STRING_SUB_UNSAFE_CHARACTERS should include &

$ echo foo & bang
[1] 48145
foo
bash: bang: command not found...

[1]+  Done                       echo foo

Is there a definitive list of shell meta-characters?
Comment 15 Andrew Bartlett 2026-05-10 09:30:18 UTC
(In reply to Andrew Bartlett from comment #14)
https://www.gnu.org/software/bash/manual/html_node/Definitions.html#index-control-operator
Comment 17 Stefan Metzmacher 2026-05-12 14:55:06 UTC
Created attachment 18970 [details]
CVE-2026-4408-advisory.txt

The updated advisory.

The current patches are on https://bugzilla.samba.org/show_bug.cgi?id=16033
Comment 18 Stefan Metzmacher 2026-05-12 14:56:34 UTC
(In reply to Andrew Bartlett from comment #14)

STRING_SUB_UNSAFE_CHARACTERS is this at the end:
"$`\"';%|&<>"
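
Added example, not Samba's code and not part of this thread: a stand-alone check that combines the character set quoted in comment 18 with the whitespace question from comment 10 and the '-' case from comment 12. `example_check_name`, `EXAMPLE_UNSAFE_CHARS`, the verdict names and the sample names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Character set as quoted in comment 18 ("is this at the end"); anything
 * that precedes it in the real definition is not shown on this page. */
static const char EXAMPLE_UNSAFE_CHARS[] = "$`\"';%|&<>";

enum name_verdict { NAME_OK, NAME_EMPTY, NAME_UNSAFE_CHAR, NAME_WHITESPACE };

/* Hypothetical helper (not a Samba function): classify an account name
 * before it is substituted into an external script's command line.
 * On rejection, *bad_offset is the index of the first offending byte. */
enum name_verdict example_check_name(const char *name, size_t *bad_offset)
{
	if (name == NULL || name[0] == '\0') {
		return NAME_EMPTY;
	}
	for (size_t i = 0; name[i] != '\0'; i++) {
		unsigned char c = (unsigned char)name[i];
		if (strchr(EXAMPLE_UNSAFE_CHARS, c) != NULL) {
			*bad_offset = i;
			return NAME_UNSAFE_CHAR; /* shell-special, comments 14 and 18 */
		}
		if (isspace(c) || iscntrl(c)) {
			*bad_offset = i;
			return NAME_WHITESPACE;  /* whitespace or control byte, comment 10 */
		}
	}
	return NAME_OK;
}

int main(void)
{
	/* Constructed sample names, not taken from the bug report. */
	const char *samples[] = { "build-host", "foo&bang", "foo bang", "user\tname", "" };
	static const char *labels[] = { "ok", "empty", "unsafe character", "whitespace" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t off = 0;
		enum name_verdict v = example_check_name(samples[i], &off);
		printf("%-12s -> %s (offset %zu)\n", samples[i], labels[v], off);
	}
	return 0;
}
```

A name containing '-' passes, while '&' and embedded whitespace are reported separately, so a caller can keep the two concerns from the thread apart.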
Comment 19 Stefan Metzmacher 2026-05-14 10:59:00 UTC
Created attachment 18976 [details]
CVE-2026-4408-metze-03-advisory.txt

Change CVE to 10.0 as no privileges are required
Comment 20 Stefan Metzmacher 2026-05-14 10:59:41 UTC
Again the patches are on https://bugzilla.samba.org/show_bug.cgi?id=16033
Comment 21 Martin Schwenke 2026-05-14 11:12:42 UTC
Minor typo: "singles quotes" → "single quotes"
Comment 22 Björn Jacke 2026-05-15 12:45:04 UTC
Created attachment 18986 [details]
CVE-2026-4408-metze-04-advisory.txt

additional fix: nt4 DC wasn't mentioned in the summary
Comment 23 Björn Jacke 2026-05-15 13:02:13 UTC
Scheduled release date is now 2026-05-26.
Comment 24 Stefan Metzmacher 2026-05-26 09:16:31 UTC
I plan to upload the releases in about 3 hours from now...
Comment 25 Samba QA Contact 2026-05-26 12:36:28 UTC
This bug was referenced in samba v4-24-stable (Release samba-4.24.3):

Comment 26 Samba QA Contact 2026-05-26 12:37:01 UTC
This bug was referenced in samba v4-23-stable (Release samba-4.23.8):

Comment 27 Samba QA Contact 2026-05-26 12:37:14 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.10):

Comment 28 Samba QA Contact 2026-05-26 12:39:17 UTC
This bug was referenced in samba v4-24-test (Release samba-4.24.3):

Comment 29 Samba QA Contact 2026-05-26 12:40:08 UTC
This bug was referenced in samba v4-23-test (Release samba-4.23.8):

Comment 30 Samba QA Contact 2026-05-26 12:41:00 UTC
This bug was referenced in samba v4-22-test (Release samba-4.22.10):

Comment 31 Samba QA Contact 2026-05-26 13:55:46 UTC
This bug was referenced in samba master:
