Samba - Security Announcement Archive

CVE-2026-4480.html:

===========================================================
== Subject:     Unauthenticated Remote Code Execution
==		in Samba printing subsystem
==
== CVE ID#:     CVE-2026-4480
==
== Versions:    All versions
==
== Summary:     Samba print servers with a "print command"
==		that has the %J substitution character
==		are vulnerable to a Remote Code Execution
===========================================================

===========
Description
===========

Samba passes the client-controlled job description string to the
command configured with the "print command" setting via the "%J"
substitution character without escaping shell meta characters. This
leads to a remote code execution vulnerability.

Print servers configured with "printing = cups" or "printing =
iprint", and print servers that do not have the %J substitution
character in the "print command" setting are not affected.

The problem is much less dangerous if %J has single quotes directly
around it, e.g. '%J', but it's still possible to inject
command line options.

By default, print servers allow guest users to print.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0

==========
Workaround
==========

Adding single quotes (directly!) around %J (=> '%J')
makes it much less likely an attacker can do something useful.
Note using double quotes may not be enough.

If unsure remove %J completely from the "print command" smb.conf
entry.

=======
Credits
=======

Originally reported by:
- Ron Ben Yizhak with SafeBreach
- John Walker with ZeroPath
- Arjun Basnet with Securin Labs

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.

This advisory by Volker Lendecke and Stefan Metzmacher
of Sernet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================