PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4480 Red Hat CVE debrief

A command injection vulnerability exists in Samba's printing subsystem. The flaw occurs when Samba passes client-controlled print job description strings to the configured print command via the `%J` substitution character without proper shell escaping. A remote attacker with low privileges can exploit this by submitting a specially crafted print job containing shell metacharacters, potentially achieving remote code execution on the affected system. The vulnerability is classified as CWE-78 (OS Command Injection) and carries a HIGH severity CVSS 3.1 score of 8.5. The CVE was published on 2026-05-26 and subsequently modified the same day. The issue is tracked in both Red Hat Bugzilla (2452232) and Samba Bugzilla (16033). No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 10
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

System administrators operating Samba print servers, security teams managing Linux/Unix infrastructure, organizations with legacy print services exposed to network clients, and compliance officers tracking command injection vulnerabilities in open-source network services.

Technical summary

The vulnerability stems from improper neutralization of special elements used in OS commands (CWE-78). Samba's printing subsystem uses the `%J` substitution character to pass job description strings to external print commands. When a client submits a print job, the description field is inserted directly into the command string without escaping shell metacharacters such as backticks, dollar signs, semicolons, or pipe characters. This allows attackers to inject arbitrary shell commands that execute with the privileges of the Samba server process. The attack requires network access to the Samba service and valid credentials for print job submission (low privileges), with high attack complexity due to required configuration interaction. Successful exploitation yields high impact across confidentiality, integrity, and availability with scope change potential.

Defensive priority

HIGH

Recommended defensive actions

  • Audit Samba configurations for 'print command' settings and verify proper input sanitization is applied
  • Apply security updates from Samba project or distribution vendor when available
  • Restrict print service access to authorized hosts via firewall rules
  • Monitor print job submissions for anomalous shell metacharacters in job description fields
  • Review system logs for unexpected command execution originating from smbd processes
  • Consider disabling print services if not required in production environments

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Vendor attribution to Samba derived from source references to Samba Bugzilla 16033 and Red Hat security advisory. CVSS vector and CWE classification confirmed via NVD source data. Timeline dates strictly reflect CVE published and modified timestamps as supplied.

Official resources

2026-05-26T15:16:40.937Z