PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4408 Red Hat CVE debrief

A critical vulnerability in Samba's 'check password script' feature allows remote command execution when the %u username substitution is used without proper shell meta-character escaping. The flaw affects non-standard configurations where this script is enabled with %u and samba-dcerpcd runs as a system service. An unauthenticated remote attacker can inject shell commands through a crafted username, achieving full system compromise. The CVSS 3.1 score of 9.0 reflects network attack vector, high attack complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability with scope change. This vulnerability was disclosed on May 28, 2026 and is classified as CWE-78 (OS Command Injection).

Vendor
Red Hat
Product
Red Hat Enterprise Linux 10
CVSS
CRITICAL 9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running Samba file servers or classic domain controllers with custom password validation scripts. Security teams managing legacy Windows-compatible infrastructure on Linux/Unix systems. Administrators who have enabled 'check password script' for password policy enforcement in non-Active Directory environments.

Technical summary

The vulnerability exists in Samba's 'check password script' configuration option, which allows administrators to specify an external program for password validation. When this script includes the %u substitution variable for username, Samba passes the client-supplied username directly to the shell without adequate sanitization. An attacker can embed shell metacharacters (such as backticks, semicolons, pipes, or command substitution syntax) within the username field to execute arbitrary commands on the server. The attack requires the samba-dcerpcd service to run as a system service rather than under the smbd process, which is a non-default but supported deployment configuration. Successful exploitation grants remote command execution with the privileges of the Samba service account.

Defensive priority

critical

Recommended defensive actions

  • Audit Samba configurations for 'check password script' parameter usage and remove or disable if present
  • Review smb.conf for %u substitution in any password check scripts and eliminate this pattern
  • Restrict network access to Samba services using host-based firewalls until patching is complete
  • Monitor authentication logs for anomalous username patterns containing shell meta-characters
  • Apply vendor security updates when available from distribution maintainers
  • Consider migrating password policy enforcement to directory services rather than custom scripts

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Weakness classification CWE-78 confirmed by Red Hat security advisory source. Affected component identified as Samba 'check password script' with %u substitution. Attack vector requires non-standard configuration with samba-dcerpcd as system service.

Official resources

2026-05-28