===========================================================
== Subject: Missing access checks on reparse point
== operations
==
== CVE ID#: 2026-1933
==
== Versions: All versions since Samba 4.21
==
== Summary: On a share marked "read only = yes" and
== on file handles opened read-only, users can
== set or delete the reparse point xattrs on
== files for which they have write access in
== the file system.
===========================================================
===========
Description
===========
Starting with Samba 4.21, users can create and delete NTFS-style
reparse points (https://en.wikipedia.org/wiki/NTFS_reparse_point) via
the SMB protocol. The Reparse Point Metadata is stored in an extended
attribute named "user.SmbReparse" together with the
FILE_ATTRIBUTE_REPARSE_POINT bit in the "user.DosAttrib" xattr.
Writing to these xattrs requires file-system level write
permissions.

File systems exported by Samba are marked "read only = yes" by
default, so even users who have write permissions on the exported
files should not be able to modify them via SMB. For setting and
deleting the reparse point xattr, the required user-space access
checks are missing, so users with file-system level write permissions
are able to modify the "user.SmbReparse" xattr even on exports marked
as read only.

The most prominent use of reparse points is the SMB representation of
symbolic links. This vulnerability means that users can turn existing
files where they have write permissions into symlinks as seen by
Windows and Linux clients even on exports marked as "read only = yes".

Under the same conditions, an attacker can also make an entire file
system unavailable to normal users by turning all existing files
into symlinks or other types of reparse points. This is not a
permanent condition: a server administrator can remove the
"user.SmbReparse" xattr and clear the FILE_ATTRIBUTE_REPARSE_POINT
bit in the "user.DosAttrib" xattr.
==================
Patch Availability
==================
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
==================
CVSSv3 calculation
==================
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Score: 7.1 (High)
==========
Workaround
==========
Ensure users who access a "read only = yes" share do not have
file-system level write permission to the exported files.
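
Added example (not part of the Samba advisory or of Samba's code): a
Python audit to run on the server against the path of a read-only
share. It lists entries that a given account can write at the
file-system level, which is what the workaround asks to eliminate, and
entries that already carry "user.SmbReparse" and are worth reviewing.
Assumptions: the function names, the uid/gid arguments and the
mode-bit-only write check (POSIX ACLs are ignored) are illustrative.

```python
import os
import stat
import sys

REPARSE_XATTR = "user.SmbReparse"  # xattr name given in the advisory

def has_reparse_xattr(path, list_xattrs=os.listxattr):
    """True if path carries the reparse point xattr (Linux xattr API)."""
    try:
        return REPARSE_XATTR in list_xattrs(path, follow_symlinks=False)
    except OSError:
        return False  # unreadable, or no xattr support on this file system

def writable_by(st, uid, gids):
    """Owner/group/other write check on mode bits only. Assumption: no
    POSIX ACLs are in use; with ACLs, check with getfacl instead."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_share(root, uid, gids, list_xattrs=os.listxattr):
    """Yield (path, has_reparse, exposed) for entries under root that either
    carry the xattr or are writable by the given account."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # user.* xattrs exist only on regular files and directories
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue
            reparse = has_reparse_xattr(path, list_xattrs)
            exposed = writable_by(st, uid, gids)
            if reparse or exposed:
                yield path, reparse, exposed

if __name__ == "__main__":
    # usage: audit_share.py SHARE_PATH UID [GID ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    for path, reparse, exposed in audit_share(root, uid, gids):
        flags = [f for f, on in (("reparse", reparse), ("writable", exposed)) if on]
        print(",".join(flags), path)
```

A "reparse" hit is not by itself evidence of tampering, since the
xattr is also set through legitimate use on writable shares; on a
share meant to be read only it marks an entry to review.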
=======
Credits
=======
Originally reported by Asim Viladi Oglu Manizada.
Patches provided by Stefan Metzmacher of the Samba team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================