===========================================================
== Subject:     WORM vfs module does not block overwrites
==
== CVE ID#:     CVE-2026-2340
==
== Versions:    All versions since 4.20 (but see below)
==
== Summary:     The WORM (Write-Once, Read Many) vfs module
==              is supposed to lock write access to shared
==              files, so they cannot be altered after initial
==              writes. It was allowing files to be overwritten
==              by renaming a newly created file over a protected
==              file.
===========================================================

===========
Description
===========

The vfs_worm module is intended to make files immutable over SMB a
short time after they are created. The time window in which they are
writable is configurable, defaulting to one hour.

The hook that handles renames was checking that the file being renamed
was still mutable, but it was not checking whether the destination
filename already belonged to another worm-protected file. This meant
that any file could be changed by an attacker with write access, by
writing to a temporary file and renaming over the target.
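
The rename decision described above, as a constructed model added to
this advisory for illustration. It is not Samba's vfs_worm code. The
struct, the function names and the use of a single timestamp to age a
file are assumptions; the source-only check is shown beside a check
that also inspects the destination.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a file as a WORM policy sees it; not Samba's types. */
struct worm_file {
    bool exists;
    long long ctime; /* seconds; assumed to be the timestamp the policy ages */
};

/* Locked once the file's age reaches the grace period; a grace period of
 * zero or less locks every existing file immediately. */
static bool worm_locked(const struct worm_file *f, long long now, long long grace)
{
    if (!f->exists)
        return false;
    return grace <= 0 || (now - f->ctime) >= grace;
}

/* Decision as the advisory describes the bug: only the source is checked. */
bool rename_allowed_source_only(const struct worm_file *src,
                                const struct worm_file *dst,
                                long long now, long long grace)
{
    (void)dst; /* destination state is never consulted */
    return src->exists && !worm_locked(src, now, grace);
}

/* Corrected decision: also refuse to replace a locked destination. */
bool rename_allowed_checked(const struct worm_file *src,
                            const struct worm_file *dst,
                            long long now, long long grace)
{
    if (!src->exists || worm_locked(src, now, grace))
        return false;
    return !worm_locked(dst, now, grace);
}

int main(void)
{
    const long long now = 100000, grace = 3600;  /* constructed values */
    struct worm_file fresh = { true, now - 60 };    /* one minute old */
    struct worm_file locked = { true, now - 7200 }; /* two hours old */
    printf("source-only: %d  checked: %d\n",
           rename_allowed_source_only(&fresh, &locked, now, grace),
           rename_allowed_checked(&fresh, &locked, now, grace));
    return 0;
}
```

With a grace period of zero, both functions refuse the rename because
the source file is itself locked as soon as it exists.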

It is important to note that the vfs_worm module only adds additional
protections. Neither the underlying file system access controls, nor
any other Samba modules are bypassed.

The vfs_worm module was added in 4.2 (2015), but was found to be
insufficient (see https://bugzilla.samba.org/show_bug.cgi?id=10430).
It was largely repaired for Samba 4.20, but this bug remained.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

====================
CVSSv3.1 calculation
====================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  6.5

==========
Workaround
==========

Setting read-only permissions on existing files on the underlying
file system will prevent modifications.

Setting 'worm:grace_period' in smb.conf to zero or less will eliminate
the window in which the rename can happen, but this will cause
problems for common workflows that assume a file can be created and
written to in multiple steps.

Not using the module is not a workaround, because this bug confers no
access not ordinarily available.

=======
Credits
=======

Originally reported by Pavel Kohout of Aisle Research.

Patch provided by Pavel Kohout.

Tests and this advisory written by Douglas Bagnall of Catalyst IT
and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================