===========================================================
== Subject: Denial of service against AD DC WINS server
==
== CVE ID#: CVE-2026-3238
==
== Versions: All versions since 4.0
==
== Summary: The WINS server component of the Active
== Directory Domain controller code in Samba
== is vulnerable to a NULL pointer dereference
== and crash caused by an unauthenticated UDP
== packet.
===========================================================
===========
Description
===========
The Windows Internet Naming Service [1] is an unauthenticated service
for registering and looking up names in a NetBIOS network running on
TCP and UDP [2].

The protocol handlers for the RELEASE and MULTI_HOME_REG packets in
the WINS server running when Samba is configured as an Active
Directory Domain Controller do not properly validate the requests. An
attacker can make the WINS server dereference a NULL pointer, leading
to at least a crash. This service will be restarted at increasing
intervals. The simplicity of the attack makes it trivial to make the
WINS server in Samba completely unavailable.

One mitigating factor is that the WINS server must be explicitly
activated with the "wins support = yes" setting in the [global]
section of the smb.conf file.

[1]: https://en.wikipedia.org/wiki/Windows_Internet_Name_Service
[2]: https://datatracker.ietf.org/doc/html/rfc1002 section 5.1.4
==================
Patch Availability
==================
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
====================
CVSSv3.1 calculation
====================
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5
==========
Workaround
==========
Affected sites that do not strictly depend on Samba running a WINS
server should remove the explicit "wins support = yes" from their
Samba configuration.
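
To audit a host for the setting named in this workaround, the following
added example (not Samba project code; the function and sample names are
hypothetical) parses smb.conf text and reports whether "wins support" is
enabled in [global]. It assumes the file path is passed as the first
argument.

```python
import re
import sys

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def _norm(name):
    # Case and all whitespace are irrelevant in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalised name: value} for [global]; a later setting wins."""
    params, pending = {}, ""
    section = "global"  # parameters before any section header are global
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def wins_server_enabled(text):
    return global_params(text).get("winssupport", "no").lower() in TRUE_VALUES

# Constructed sample configurations, not taken from a real host.
SAMPLE_EXPOSED = """
[global]
    server role = active directory domain controller
    WINS Support = Yes
[share]
    path = /srv/share
"""
SAMPLE_WORKAROUND = """
[global]
    server role = active directory domain controller
    ; wins support = yes
[share]
    wins support = yes
"""

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        exposed = wins_server_enabled(fh.read())
    print("wins support enabled: apply the fix or workaround" if exposed
          else "wins support not enabled in [global]")
    sys.exit(1 if exposed else 0)
```

The parser does not follow "include" directives; to check the effective
configuration, run it over the output of "testparm -s" instead of the raw
file.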
=======
Credits
=======
Discovered and originally reported by
- Arad Inbar, DREAM Security Research Team
- Erez Cohen, DREAM Security Research Team
- Nir Somech, DREAM Security Research Team
- Ben Grinberg, DREAM Security Research Team
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================