CVE Wiki Pixee · CVE intelligence

CVE-2026-4408

Critical · CVSS 9.0

Samba — OS Command Injection via unsanitized shell meta-character substitution (CWE-78) leading to Remote Code Execution

CVSS: 9.0 (source: nvd)
EPSS: (no value listed)
KEV: No
Class: kernel local
CWE: CWE-78

Description

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
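As an added example (not part of this CVE record, the advisory, or Samba's own tooling), the following Python audit parses an smb.conf and flags the risky combination the description names: a `check password script` whose value contains the `%u` username substitution. The embedded sample configuration is constructed for illustration; treating `%U` as equally client-controlled is an assumption that goes beyond what the record states.

```python
"""Audit smb.conf for a 'check password script' that passes a client-controlled
username substitution (%u) to the shell, the misconfiguration CVE-2026-4408 describes.

Added example, not code from the CVE record or from Samba. The sample config below
is constructed.
"""
import re
from typing import Dict, List, Tuple

# Substitution variables that expand to data the connecting client chooses.
# %u is the one the advisory names; %U (the session username) is included as an
# assumption that it is equally client-controlled, beyond what the record states.
CLIENT_CONTROLLED_SUBS = ("%u", "%U")

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_PARAM_RE = re.compile(r"^\s*(?P<key>[^=#;][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def _normalize_key(key: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {normalized_key: value}}.

    Skips '#' and ';' comment lines and blank lines; the last assignment of a
    key within a section wins. Parameters before any header belong to [global].
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = _PARAM_RE.match(line)
        if m:
            key = _normalize_key(m.group("key"))
            sections.setdefault(current, {})[key] = m.group("value")
    return sections


def find_risky_check_password_scripts(text: str) -> List[Tuple[str, str]]:
    """Return (section, value) pairs where 'check password script' is set and
    its value contains a client-controlled substitution such as %u."""
    findings: List[Tuple[str, str]] = []
    for section, params in parse_smb_conf(text).items():
        value = params.get("checkpasswordscript")
        if value and any(sub in value for sub in CLIENT_CONTROLLED_SUBS):
            findings.append((section, value))
    return findings


# Constructed sample: one risky setting, one commented out (inert), one without %u.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   # check password script = /usr/local/sbin/old-check %u
   check password script = /usr/local/sbin/crackcheck %u

[share]
   path = /srv/share
   Check Password Script = /usr/local/sbin/crackcheck
"""

if __name__ == "__main__":
    for section, value in find_risky_check_password_scripts(SAMPLE_CONF):
        print(f"[{section}] check password script = {value!r} passes a client-controlled username to the shell")
```

Run against a real smb.conf by reading the file into `find_risky_check_password_scripts`; an empty result means no `check password script` on that host expands a client-controlled username, which is the configuration the description identifies as not affected.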

Search profile — drives PoC discovery

Symbols: check password script, %u, samba-dcerpcd, smb.conf, passdb, pam_check_password_script, username substitution, shell meta-characters
Keywords: CVE-2026-4408, Samba check password script RCE, Samba %u shell injection, samba-dcerpcd exploit, Samba command injection username, Samba classic domain controller RCE, Samba shell meta-character escape bypass, Samba check password script PoC
Versions: Samba versions affected per RHSA-2026:22644, RHSA-2026:22963, RHSA-2026:25049, RHSA-2026:25979

References

Status: enriched · ingested 2026-06-16T00:00:58.000Z · profiled 2026-06-16T18:20:23.035Z