Skip to content
Threat Feed
high advisory

Samba Print Spooler Remote Code Execution via CVE-2026-4480

CVE-2026-4480 allows a remote attacker to achieve remote code execution on a vulnerable Samba server by sending a specially crafted print job description containing unescaped shell metacharacters, which are then passed to the configured 'print command'.

CVE-2026-4480 is a critical vulnerability affecting the Samba printing subsystem. The flaw stems from the insecure handling of client-provided job descriptions. Specifically, Samba passes the client-controlled job description string to the command configured with the “print command” setting using the “%J” substitution character without properly escaping shell meta characters. An unauthenticated remote attacker can exploit this vulnerability by sending a malicious print job description containing unescaped shell characters, allowing for arbitrary command execution on the Samba server. This poses a significant risk to organizations relying on Samba for file and print services.

Attack Chain

  1. The attacker sends a specially crafted print job to the Samba server.
  2. The print job description contains shell meta characters (e.g., ;, |, &&) within the job name.
  3. Samba receives the print job and extracts the malicious job description.
  4. Samba substitutes the job description for the %J variable within the “print command” setting.
  5. The “print command” is executed by the Samba server, without proper sanitization or escaping of the shell meta characters.
  6. The injected shell commands in the job description are executed with the privileges of the Samba process.
  7. The attacker gains arbitrary code execution on the Samba server.
  8. The attacker can then perform post-exploitation activities such as lateral movement, data exfiltration, or system compromise.

Impact

Successful exploitation of CVE-2026-4480 allows a remote, unauthenticated attacker to execute arbitrary code with elevated privileges on the affected Samba server. This could lead to a full system compromise, data theft, or denial of service. Given the widespread use of Samba in enterprise environments for file and print sharing, this vulnerability poses a significant risk, potentially affecting thousands of organizations.

Recommendation

  • Review the “print command” setting in your Samba configuration (smb.conf) and ensure that no custom commands are used that could be vulnerable to command injection via the %J substitution character.
  • Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.
  • Apply available patches as provided by Red Hat and Samba to remediate CVE-2026-4480.

Detection coverage 2

Detect CVE-2026-4480 Exploitation Attempt via Print Job Name

high

Detects CVE-2026-4480 exploitation — detects print job submissions containing shell metacharacters that could lead to command injection.

sigma tactics: command_and_control, execution techniques: T1059.002 sources: print, samba

Detect CVE-2026-4480 Exploitation via Suspicious Process Execution from Samba

medium

Detects CVE-2026-4480 exploitation — monitors for suspicious processes spawned by the Samba process after a print job submission.

sigma tactics: execution techniques: T1059.004 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →