A maximum-severity, unauthenticated Remote Code Execution (RCE) vulnerability has been disclosed in the Samba printing subsystem, tracked as CVE-2026-4480.
With a perfect CVSS 3.1 score of 10.0 and no authentication required, this flaw is among the most dangerous vulnerabilities ever assigned to the widely deployed open-source SMB/CIFS server software.
Organizations running Samba print servers in enterprise, government, and educational environments must treat this as a zero-tolerance, patch-immediately incident.
CVE-2026-4480 is an OS Command Injection vulnerability (CWE-78) in Samba’s print command handling. Samba passes a client-controlled job description string into the shell command defined by the print command setting via the %J substitution, without sanitizing or escaping shell metacharacters in that string.
This means a remote attacker can craft a malicious print job whose description field contains shell metacharacters (;, |, $(), backticks, etc.) that the operating system then interprets as commands.
Because Samba print servers allow guest (unauthenticated) users to print by default, no credentials, account access, or prior foothold are needed to trigger the exploit.
The vulnerability was independently discovered and reported by Ron Ben Yizhak of SafeBreach, John Walker of ZeroPath, and Arjun Basnet of Securin Labs, three separate research teams converging on the same critical flaw, underscoring how exploitable the attack surface truly is.
The attack chain is deceptively simple and highly reliable:
- The attacker submits a print job to the Samba server (unauthenticated, via guest access, which is enabled by default).
- The malicious job description contains unescaped shell metacharacters (e.g., ; malicious_command #).
- Samba invokes the print command with %J substituted directly into the shell string, unsanitized.
- The OS shell executes the attacker-controlled payload with the privileges of the Samba process (often root or a highly privileged user).
- Full system compromise follows: arbitrary command execution, data exfiltration, ransomware deployment, or lateral movement.
The CVSS 3.1 vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms all six attack dimensions are at their worst: network-accessible, low complexity, no privileges required, no user interaction, scope changed, and complete C/I/A impact.
This places CVE-2026-4480 among a small, elite class of “perfect 10” vulnerabilities comparable in severity to the infamous EternalBlue (MS17-010) SMB flaw.
Not every Samba deployment is vulnerable. The table below clarifies the scope:
| Configuration | Vulnerable? |
|---|---|
| Samba print server with %J in print command | YES (Critical) |
| %J wrapped in single quotes ('%J') | Partial (option injection still possible) |
| printing = cups or printing = iprint | NOT affected |
| No %J in print command | NOT affected |
| Guest printing enabled (default) | Exploitable without credentials |
All Samba versions are affected when the vulnerable configuration is present. The Samba team confirmed that the CUPS and iPrint backends, which handle job submission differently, are not susceptible to this specific attack vector.
Patched Versions & Immediate Remediation
The Samba development team has issued security releases to correct CVE-2026-4480. Patches and updated binaries have been posted to the official Samba security portal at samba.org/samba/security.
Upgrade to one of the following fixed releases:
- Samba 4.22.10
- Samba 4.23.8
- Samba 4.24.3
If an immediate upgrade is not possible, apply these workarounds in smb.conf:
- Option 1 (Preferred): Remove %J entirely from the print command directive.
- Option 2 (Partial mitigation): Wrap %J in single quotes, e.g., '%J', to reduce (but not eliminate) injection risk. Note: double quotes are insufficient.
- Option 3: Disable guest printing by setting guest ok = no in all [printers] shares to eliminate unauthenticated access.
- Option 4: Restrict SMB port access (TCP 139, 445) at the firewall to trusted networks only.
Patches were developed by Stefan Metzmacher and Douglas Bagnall of the Samba team, with the advisory authored by Volker Lendecke and Stefan Metzmacher of Sernet.
Samba is a foundational component in Linux/Unix-based file and print sharing infrastructure, deployed across hundreds of thousands of enterprise networks, NAS devices, embedded systems, and cloud-hosted file servers globally.
Unlike browser or desktop vulnerabilities that require user interaction, this flaw is fully remote and automated, ideal for wormable exploits, ransomware deployment scripts, and APT lateral movement toolkits.
Security teams should immediately audit smb.conf files across all environments for the presence of %J in any print command setting. Red Hat has filed this under Bugzilla ID 2452232, and the flaw is tracked in the Samba bug tracker under ID 16033.
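The audit recommended above, applied to the scope table and the smb.conf workarounds, as an added example (not Samba project code): a minimal smb.conf reader that reports, for every printer share, whether its effective print command carries an unquoted %J, a single-quoted '%J', no %J at all, or uses the cups/iprint backend, plus whether guest ok exposes the share without credentials. It assumes a printer share is [printers] or any share with printable = yes, that share settings override [global], and that the file uses no include or config file directives.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")
TRUE = ("yes", "true", "1")

def parse_smb_conf(text):
    # Minimal smb.conf parser: {section: {key: value}}; keys lower-cased and
    # whitespace-collapsed so "Print Command" matches "print command".
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif (m := KV_RE.match(line)) and current is not None:
            sections[current][" ".join(m.group(1).lower().split())] = m.group(2)
    return sections

def effective(sections, share, key, default=""):
    # A share-level setting overrides [global]; otherwise fall back to default.
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key, default))

def classify(print_command, printing):
    # Map a printer share's effective settings onto the advisory's scope table.
    if printing.lower() in ("cups", "iprint"):
        return "not affected (cups/iprint backend)"
    if not print_command:
        return "no explicit print command (review the backend's built-in default)"
    if "%J" not in print_command:
        return "not affected (no %J)"
    if "'%J'" in print_command:
        return "PARTIAL ('%J' quoted: option injection still possible)"
    return "VULNERABLE (unquoted %J passed to the shell)"

def audit(text):
    # Returns (share, verdict, guest_reachable) for every printer share.
    sections = parse_smb_conf(text)
    findings = []
    for share, opts in sections.items():
        if share != "printers" and opts.get("printable", "no").lower() not in TRUE:
            continue
        verdict = classify(effective(sections, share, "print command"),
                           effective(sections, share, "printing"))
        guest = effective(sections, share, "guest ok", "no").lower() in TRUE
        findings.append((share, verdict, guest))
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` on each host; any VULNERABLE or PARTIAL row with guest_reachable True is reachable by an unauthenticated client and should be upgraded or reconfigured first.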
Given that CVE-2026-4480 and its companion flaw CVE-2026-4408 (also CVSS 10.0) were disclosed simultaneously, defenders should treat this as a coordinated, high-pressure patching event.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-4480 |
| CWE | CWE-78 OS Command Injection |
| CVSS 3.1 Score | 10.0 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Published | May 26, 2026 |
| Affected Component | Samba printing subsystem (print command / %J) |
| Authentication Required | None (guest access enabled by default) |
| Fixed Versions | 4.22.10, 4.23.8, 4.24.3 |
| Reported By | SafeBreach, ZeroPath, Securin Labs |
FAQ
Q1: Does CVE-2026-4480 affect Samba servers using CUPS for printing?
No, print servers configured with printing = cups or printing = iprint are explicitly not affected by this vulnerability.
Q2: Do attackers need valid credentials to exploit CVE-2026-4480?
No, Samba print servers allow guest users to print by default, making this vulnerability fully exploitable without any authentication.
Q3: Is partial mitigation available if immediate upgrading is not feasible?
Yes, wrapping %J in single quotes ('%J') reduces exploitation risk, but the safest workaround is removing %J entirely from the print command in smb.conf.
Q4: Which fixed Samba releases address CVE-2026-4480?
The patched versions are Samba 4.22.10, 4.23.8, and 4.24.3, available from samba.org/samba/security.
Site: thecybrdef.com