Critical Samba Vulnerability (CVE-2026-4480) Enables Unauthenticated Remote Code Execution
A severe vulnerability in Samba’s printing subsystem, tracked as CVE-2026-4480, has been disclosed, allowing unauthenticated attackers to execute arbitrary code remotely on affected systems. The flaw, assigned a CVSS score of 10.0, ranks among the most critical due to its ease of exploitation and potential impact.
Samba, a widely used open-source software for file and print services in Linux and Unix environments, is vulnerable when configured with a "print command" that includes the %J substitution parameter. This parameter passes user-controlled print job descriptions directly into shell commands without proper sanitization, enabling attackers to inject malicious commands via crafted print jobs.
The vulnerability stems from Samba’s failure to escape shell meta characters in the %J variable. Since many Samba deployments permit guest users to submit print jobs by default, exploitation requires no authentication, broadening the attack surface. However, systems using "printing = cups" or "printing = iprint" are unaffected, as are those that exclude the %J parameter from their configuration.
Security researchers from SafeBreach, ZeroPath, and Securin Labs independently reported the flaw. The Samba Team has released patches in versions 4.22.10, 4.23.8, and 4.24.3. Temporary mitigations include enclosing the %J parameter in single quotes (‘%J’) or removing it entirely from the smb.conf file, though patching remains the most secure solution.
The flaw poses significant risks to enterprise environments, particularly those relying on legacy Samba configurations or exposed print services. Successful exploitation could grant attackers full system control, facilitating data breaches, lateral movement, or ransomware deployment. Organizations are advised to audit configurations, restrict guest access, and monitor for suspicious print job activity.
Given its critical severity and low complexity of exploitation, CVE-2026-4480 demands immediate attention from administrators managing Samba deployments. The incident underscores the persistent threat of command injection vulnerabilities in network-exposed services.
Source: https://cybersecuritynews.com/samba-rce-vulnerability/
Samba Team TPRM report: https://www.rankiteo.com/company/samba-team
"id": "sam1780043277",
"linkid": "samba-team",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Enterprises using Samba with '
'vulnerable print configurations',
'industry': 'Open-Source Software',
'name': 'Samba',
'type': 'Software'}],
'attack_vector': 'Remote',
'description': 'A severe vulnerability in Samba’s printing subsystem, tracked '
'as CVE-2026-4480, has been disclosed, allowing '
'unauthenticated attackers to execute arbitrary code remotely '
'on affected systems. The flaw stems from Samba’s failure to '
'escape shell meta characters in the %J variable used in print '
'commands, enabling command injection via crafted print jobs. '
"Systems using 'printing = cups' or 'printing = iprint' or "
'those excluding the %J parameter are unaffected.',
'impact': {'operational_impact': 'Full system control, potential lateral '
'movement, ransomware deployment',
'systems_affected': 'Samba deployments with print command '
'configurations using %J parameter'},
'lessons_learned': 'Persistent threat of command injection vulnerabilities in '
'network-exposed services; importance of input '
'sanitization and configuration audits.',
'post_incident_analysis': {'corrective_actions': 'Input sanitization, '
'configuration hardening, '
'patch management',
'root_causes': 'Failure to escape shell meta '
'characters in %J parameter in '
'Samba’s print command'},
'recommendations': ['Audit Samba configurations for vulnerable print command '
'settings',
'Restrict guest access to print services',
'Apply patches immediately (Samba versions 4.22.10, '
'4.23.8, 4.24.3)',
'Monitor for suspicious print job activity'],
'references': [{'source': 'SafeBreach, ZeroPath, Securin Labs'}],
'response': {'containment_measures': 'Enclose %J parameter in single quotes '
"('%J') or remove it from smb.conf",
'enhanced_monitoring': 'Monitor for suspicious print job '
'activity',
'remediation_measures': 'Apply patches (Samba versions 4.22.10, '
'4.23.8, 4.24.3)'},
'title': 'Critical Samba Vulnerability (CVE-2026-4480) Enables '
'Unauthenticated Remote Code Execution',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-4480'}