{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/samba/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-4480"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Samba"],"_cs_severities":["high"],"_cs_tags":["cve-2026-4480","rce","samba","command injection"],"_cs_type":"advisory","_cs_vendors":["Red Hat","Samba"],"content_html":"\u003cp\u003eCVE-2026-4480 is a critical vulnerability affecting the Samba printing subsystem. The flaw stems from the insecure handling of client-provided job descriptions. Specifically, Samba passes the client-controlled job description string to the command configured with the \u0026ldquo;print command\u0026rdquo; setting using the \u0026ldquo;%J\u0026rdquo; substitution character without properly escaping shell meta characters. An unauthenticated remote attacker can exploit this vulnerability by sending a malicious print job description containing unescaped shell characters, allowing for arbitrary command execution on the Samba server. This poses a significant risk to organizations relying on Samba for file and print services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a specially crafted print job to the Samba server.\u003c/li\u003e\n\u003cli\u003eThe print job description contains shell meta characters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e) within the job name.\u003c/li\u003e\n\u003cli\u003eSamba receives the print job and extracts the malicious job description.\u003c/li\u003e\n\u003cli\u003eSamba substitutes the job description for the \u003ccode\u003e%J\u003c/code\u003e variable within the \u0026ldquo;print command\u0026rdquo; setting.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;print command\u0026rdquo; is executed by the Samba server, without proper sanitization or escaping of the shell meta characters.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands in the job description are executed with the privileges of the Samba process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the Samba server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform post-exploitation activities such as lateral movement, data exfiltration, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4480 allows a remote, unauthenticated attacker to execute arbitrary code with elevated privileges on the affected Samba server. This could lead to a full system compromise, data theft, or denial of service. Given the widespread use of Samba in enterprise environments for file and print sharing, this vulnerability poses a significant risk, potentially affecting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the \u0026ldquo;print command\u0026rdquo; setting in your Samba configuration (smb.conf) and ensure that no custom commands are used that could be vulnerable to command injection via the \u003ccode\u003e%J\u003c/code\u003e substitution character.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches as provided by Red Hat and Samba to remediate CVE-2026-4480.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T15:20:57Z","date_published":"2026-05-26T15:20:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-samba-rce/","summary":"CVE-2026-4480 allows a remote attacker to achieve remote code execution on a vulnerable Samba server by sending a specially crafted print job description containing unescaped shell metacharacters, which are then passed to the configured 'print command'.","title":"Samba Print Spooler Remote Code Execution via CVE-2026-4480","url":"https://feed.craftedsignal.io/briefs/2026-05-samba-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Samba","version":"https://jsonfeed.org/version/1.1"}