PatchSiren cyber security CVE debrief
CVE-2026-2340 Red Hat CVE debrief
A vulnerability in Samba's vfs_worm module allows authenticated users with write access to bypass write-once, read-many (WORM) protections. The module is designed to prevent file modification after a configurable grace period expires. Due to insufficient validation during rename operations, an attacker can overwrite a WORM-protected file by renaming a newly created file over it. This flaw undermines the core integrity guarantees of WORM storage, which is commonly used for compliance and archival purposes. The vulnerability requires network access and valid credentials with write permissions to the affected share.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using Samba's vfs_worm module for compliance storage, archival systems, or regulatory WORM requirements; security teams responsible for data integrity controls; and administrators of Samba-based NAS or file server infrastructure.
Technical summary
The vfs_worm module in Samba provides write-once, read-many functionality by preventing modifications to files after a grace period. The vulnerability exists because rename operations are not properly validated against WORM protection status. An authenticated attacker with write access can create a new file and rename it over an existing WORM-protected file, effectively replacing protected content. This represents a logic flaw in access control enforcement where the rename code path bypasses the modification checks that would normally block write operations on protected files.
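The following is an added example, not Samba code: a small in-memory model of the WORM policy that illustrates the check the rename path needs. It borrows only the grace-period semantics (the share option name worm:grace_period, in seconds, is Samba's); the class, method names and paths are constructed for illustration, and the check_destination flag models the difference between a rename path that inspects only the source and one that also refuses to replace a protected destination.

```python
"""Constructed model of a WORM policy check for the rename path.

Not Samba's vfs_worm implementation. It mimics the stated semantics: a file
becomes read-only once it is older than a configurable grace period, so the
destination of a rename must be checked as well as the source.
"""
from dataclasses import dataclass, field

GRACE_PERIOD = 3600  # seconds; mirrors the 'worm:grace_period' share option


class WormDenied(PermissionError):
    """Raised when an operation would modify WORM-protected content."""


@dataclass
class WormShare:
    grace_period: int = GRACE_PERIOD
    # path -> (creation time, content); hypothetical stand-in for the share
    files: dict = field(default_factory=dict)

    def is_protected(self, path: str, now: float) -> bool:
        """Protected once more than grace_period seconds have passed since creation."""
        entry = self.files.get(path)
        return entry is not None and (now - entry[0]) > self.grace_period

    def create(self, path: str, content: bytes, now: float) -> None:
        """Create (or, within the grace period, overwrite) a file."""
        if self.is_protected(path, now):
            raise WormDenied(f"{path} is WORM-protected")
        self.files[path] = (now, content)

    def write(self, path: str, content: bytes, now: float) -> None:
        """In-place modification: blocked once the file is protected."""
        if self.is_protected(path, now):
            raise WormDenied(f"{path} is WORM-protected")
        ctime = self.files[path][0]
        self.files[path] = (ctime, content)

    def rename(self, src: str, dst: str, now: float,
               check_destination: bool = True) -> None:
        """Rename src over dst. With check_destination=False only the source is
        inspected, so a freshly created file can replace protected content."""
        if src not in self.files:
            raise FileNotFoundError(src)
        if self.is_protected(src, now):
            raise WormDenied(f"{src} is WORM-protected")
        if check_destination and self.is_protected(dst, now):
            raise WormDenied(f"{dst} is WORM-protected")
        self.files[dst] = self.files.pop(src)
```

The test a deployment should satisfy is the one the hardened default enforces: a rename whose destination has aged past the grace period is refused exactly like a direct write.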
Defensive priority
Medium
Recommended defensive actions
- Review Samba share configurations using the vfs_worm module and assess exposure of WORM-protected data
- Monitor for and apply vendor-provided patches for Samba when available
- Implement file system-level immutability flags (e.g., chattr +i on Linux) as a compensating control for critical WORM data
- Audit file rename operations on WORM-protected shares for anomalous patterns
- Restrict write access to Samba shares to only essential authenticated users
- Consider network segmentation to limit access to Samba servers hosting WORM-protected data
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry. The affected component is explicitly identified as Samba's vfs_worm module. The attack vector involves authenticated rename operations against WORM-protected files. The CVSS 3.1 vector confirms a network attack vector, low attack complexity, and low privileges required.