CVE-2026-4408 Overview
CVE-2026-4408 is a command injection vulnerability [CWE-78] in Samba file servers and classic domain controllers. The flaw resides in the check password script feature when configured with the %u substitution token. Samba passes the client-controlled username into the shell without escaping shell metacharacters, so a remote attacker can supply a crafted username containing metacharacters to execute arbitrary commands on the affected host. The issue primarily affects non-standard configurations where the check password script uses %u and samba-dcerpcd runs as a system service.
Critical Impact
Remote attackers can achieve unauthenticated command execution on Samba servers that use the check password script directive with the %u placeholder.
Affected Products
- Samba file servers using the check password script feature with %u
- Samba classic domain controllers using the check password script feature with %u
- Systems running samba-dcerpcd as a system service in the above configuration
Discovery Timeline
- 2026-05-28 - CVE-2026-4408 published to the National Vulnerability Database (NVD)
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-4408
Vulnerability Analysis
The vulnerability is a classic OS command injection issue in Samba's password validation hook. Samba allows administrators to define an external check password script that runs whenever a password change request is received. The %u token in this directive is replaced with the username supplied by the client. Because Samba does not sanitize or escape shell metacharacters before constructing the command line, attacker-supplied characters such as ;, |, `, and $() are interpreted by the shell. The resulting command runs in the security context of the Samba service, which is typically privileged. This produces full remote command execution from a single authentication-related request.
Root Cause
The root cause is unsafe string interpolation of untrusted input into a shell command. Samba substitutes the raw username from the wire into the configured script invocation without using safe argument passing or escaping. The username field is attacker-controlled before authentication completes, so no valid credentials are required to reach the vulnerable code path.
Attack Vector
An attacker connects to the Samba service over the network and initiates a password change or related operation that triggers the check password script hook. The attacker supplies a username containing shell metacharacters and command payloads. When Samba executes the configured script, the shell interprets the injected sequence and runs the attacker's commands. Exploitation requires the target to have the non-default check password script configured with %u and samba-dcerpcd running as a system service.
No verified proof-of-concept code is publicly available. Refer to the Samba Bugzilla Report #16034 and the Red Hat CVE-2026-4408 Advisory for upstream technical detail.
Detection Methods for CVE-2026-4408
Indicators of Compromise
- Unexpected child processes spawned by smbd, samba-dcerpcd, or the configured password script interpreter
- Shell metacharacters such as ;, |, `, $(, or && appearing in username fields within Samba authentication logs
- Outbound network connections originating from the Samba service to unfamiliar hosts shortly after password change requests
Detection Strategies
- Audit smb.conf across the fleet for any check password script directive that contains the %u token
- Enable Samba debug logging at a level that records the resolved command line and review for metacharacter content
- Correlate process execution telemetry with parent process samba-dcerpcd or smbd to identify anomalous shell invocations
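The two indicators above that lend themselves to automated checks are metacharacters in username fields and unexpected children of the Samba daemons. The following Python is an added example, not code from the advisory or from the Samba project: it scans constructed log lines for a "user [...]" field carrying shell metacharacters, and filters constructed process-execution events for children of smbd or samba-dcerpcd whose executable is not the expected script. The log line layout, the event field names, and the script path /usr/local/sbin/check-passwd.sh are assumptions; adapt the regexes to the log level and SIEM schema in use.

```python
import re

# Shell metacharacters the advisory lists as indicators when they appear in a username
METACHAR_RE = re.compile(r"[;|`&$()<>]")

# Regex for the "user [name]" field. The log line layout below is a constructed
# approximation (assumption); real Samba auth log lines differ by version and log level.
USER_FIELD_RE = re.compile(r"user \[([^\]]*)\]")

# Constructed sample log lines for offline testing; not real Samba output
SAMPLE_LOG = """\
[2026/05/29 10:12:01, 2] auth/auth.c:(auth_check_password) check_password: user [alice] domain [CORP]
[2026/05/29 10:12:05, 2] auth/auth.c:(auth_check_password) check_password: user [bob;id] domain [CORP]
[2026/05/29 10:12:09, 2] auth/auth.c:(auth_check_password) check_password: user [carol$(true)] domain [CORP]
[2026/05/29 10:12:14, 2] auth/auth.c:(auth_check_password) check_password: user [dave.smith] domain [CORP]
[2026/05/29 10:12:20, 1] smbd/service.c:(make_connection) connection to share homes
"""


def parse_username(line):
    """Return the username in a 'user [...]' field, or None if the line has none."""
    m = USER_FIELD_RE.search(line)
    return m.group(1) if m else None


def username_has_metachars(username):
    """True if the username contains any shell metacharacter from METACHAR_RE."""
    return METACHAR_RE.search(username) is not None


def find_suspicious_logins(log_text):
    """Scan log text; return (line_number, username) for usernames carrying metacharacters."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        user = parse_username(line)
        if user is not None and username_has_metachars(user):
            hits.append((lineno, user))
    return hits


# Constructed process-execution events (assumption: fields as a SIEM might normalise
# them from auditd execve telemetry). parent_comm is the parent process name.
SAMPLE_EVENTS = [
    {"parent_comm": "smbd", "exe": "/usr/local/sbin/check-passwd.sh"},
    {"parent_comm": "samba-dcerpcd", "exe": "/bin/sh"},
    {"parent_comm": "sshd", "exe": "/bin/sh"},
    {"parent_comm": "smbd", "exe": "/usr/bin/curl"},
]

SAMBA_DAEMONS = {"smbd", "samba-dcerpcd"}


def anomalous_children(events, expected_exes):
    """Return events where a Samba daemon spawned an executable outside expected_exes.

    If the script is launched through 'sh -c', add the shell to expected_exes and
    extend the same check one level down to the shell's own children.
    """
    return [e for e in events
            if e["parent_comm"] in SAMBA_DAEMONS and e["exe"] not in expected_exes]


if __name__ == "__main__":
    for lineno, user in find_suspicious_logins(SAMPLE_LOG):
        print(f"line {lineno}: suspicious username {user!r}")
    for e in anomalous_children(SAMPLE_EVENTS, {"/usr/local/sbin/check-passwd.sh"}):
        print(f"{e['parent_comm']} spawned unexpected {e['exe']}")
```

Run against exported log text and a process-event feed; the username check is deliberately broad (any listed metacharacter), so tune METACHAR_RE if local naming conventions legitimately use one of those characters.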
Monitoring Recommendations
- Forward Samba and Linux auditd logs to a centralized SIEM or data lake for cross-host correlation
- Alert on any new child process of the Samba daemons that is not the expected password script binary
- Monitor for failed and successful password change RPCs originating from untrusted network segments
How to Mitigate CVE-2026-4408
Immediate Actions Required
- Inventory all Samba hosts and identify any smb.conf containing check password script combined with the %u substitution
- Remove the %u token from the directive or disable the check password script setting until a patched release is deployed
- Restrict network access to smbd and samba-dcerpcd ports to trusted management networks
Patch Information
Consult the Red Hat CVE-2026-4408 Advisory and Red Hat Bugzilla Report #2479762 for distribution-specific patched package versions. Upstream tracking is available in Samba Bugzilla Report #16034. Apply vendor updates as soon as they become available for your platform.
Workarounds
- Remove %u from the check password script directive and pass the username through a wrapper that validates input against an allowlist
- Stop and disable samba-dcerpcd as a system service where it is not required
- Limit Samba password change endpoints to authenticated administrative networks using host-based firewall rules
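The root cause section describes the flaw as raw interpolation of the username into a shell command line rather than safe argument passing, and the first workaround asks for an allowlist-validating wrapper. The Python below is an added example, not Samba code or a published wrapper: it places the flawed string-building pattern beside the safe one (an argv list with no shell, username as a single literal argument, password on stdin) and applies an allowlist before anything is executed. The allowlist pattern, the script path /usr/local/sbin/check-passwd.sh, and the use of a Python one-liner as a stand-in for the real script are assumptions. One caveat a practitioner should keep in mind: validation in a wrapper only helps if the username reaches the wrapper without first passing through a shell, so the argv-list form shown here is the pattern the invoking code itself must follow.

```python
import re
import subprocess
import sys

# Allowlist for usernames accepted by the wrapper (constructed policy; tighten to local naming rules)
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(username):
    """True only if the whole username matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def unsafe_command_line(script, username):
    """The flawed pattern: %u substituted into one string that a shell will later parse.

    Returned only so the reader can see what the shell would receive; never pass it to shell=True.
    """
    return f"{script} {username}"


def run_check_script(script_argv, username, password):
    """Safe pattern: validate, then execute with an argv list and no shell.

    The username becomes exactly one argument; the password goes on stdin, as Samba's hook does.
    Raises ValueError before any process starts if the username fails the allowlist.
    """
    if not validate_username(username):
        raise ValueError(f"username rejected by allowlist: {username!r}")
    return subprocess.run(script_argv + [username], input=password.encode(),
                          capture_output=True, check=False)


def is_rejected(username):
    """True if run_check_script refuses the username before starting a process."""
    try:
        run_check_script(["/bin/true"], username, "unused")
    except ValueError:
        return True
    return False


def argv_as_received(username):
    """Show that without a shell even a hostile-looking username arrives as one literal argument.

    A Python one-liner stands in for the real check script (hypothetical stand-in).
    """
    echo_argv = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
    result = subprocess.run(echo_argv + [username], capture_output=True, text=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "bob;id"
    print("shell would parse:", unsafe_command_line("/usr/local/sbin/check-passwd.sh", hostile))
    print("argv list delivers:", argv_as_received(hostile))
    print("allowlist accepts it:", validate_username(hostile))
```

The argv-list call shows the semicolon arriving intact inside a single argument, which is the behaviour the flawed string form cannot guarantee; the allowlist then rejects that value outright so the script never sees it.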
# Example: locate vulnerable configurations across hosts
grep -RnE '^\s*check password script\s*=.*%u' /etc/samba/ /etc/
# Temporary mitigation: comment out the directive until patched
sudo sed -i 's/^\(\s*check password script\s*=.*%u.*\)/# \1/' /etc/samba/smb.conf
# Service unit names vary by distribution (e.g. smbd and nmbd on Debian-based systems)
sudo systemctl restart smb nmb samba-dcerpcd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.