{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/reparse-point/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-1933"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Samba"],"_cs_severities":["medium"],"_cs_tags":["cve","cve-2026-1933","samba","reparse point","privilege escalation","smb"],"_cs_type":"advisory","_cs_vendors":["Red Hat","Samba"],"content_html":"\u003cp\u003eCVE-2026-1933 identifies a flaw in Samba\u0026rsquo;s handling of NTFS-style reparse points. Specifically, on Samba shares configured with \u003ccode\u003eread only = yes\u003c/code\u003e, a missing SMB-layer access check allows authenticated users who possess underlying filesystem write permissions to manipulate reparse point metadata. This vulnerability enables such users to create or delete reparse points, even on exports that are intended to be read-only. The vulnerability was published on 2026-05-27 and affects Samba implementations utilizing NTFS-style reparse points. This can lead to unauthorized modification of file behavior visible over SMB, including the conversion of files into symbolic links or other reparse point types, potentially disrupting file access and integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a Samba share configured with \u003ccode\u003eread only = yes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a file or directory suitable for reparse point manipulation.\u003c/li\u003e\n\u003cli\u003eAttacker uses SMB protocols to send a request to create a new NTFS-style reparse point or modify an existing one.\u003c/li\u003e\n\u003cli\u003eSamba server receives the SMB request and processes it.\u003c/li\u003e\n\u003cli\u003eDue to missing SMB-layer access checks, the request bypasses the read-only restriction if the user has underlying filesystem write permissions.\u003c/li\u003e\n\u003cli\u003eSamba modifies the reparse point metadata on the underlying filesystem.\u003c/li\u003e\n\u003cli\u003eThe target file or directory\u0026rsquo;s behavior is altered, potentially becoming a symbolic link or another reparse point type.\u003c/li\u003e\n\u003cli\u003eSubsequent SMB clients accessing the modified file or directory now encounter the altered behavior dictated by the reparse point, potentially leading to unauthorized access or denial-of-service conditions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-1933 allows an authenticated attacker to modify the behavior of files and directories within a Samba share, even if the share is configured as read-only. This can lead to data corruption, unauthorized access, or denial-of-service. While the specific number of affected installations is unknown, any organization using Samba with read-only shares and NTFS-style reparse points may be vulnerable. The impact can range from minor inconvenience to significant disruption of file services, depending on the types of files and directories affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the appropriate patches or updates provided by Samba to address CVE-2026-1933 as soon as they are available.\u003c/li\u003e\n\u003cli\u003eReview Samba share configurations to ensure that users with write access to the underlying filesystem are appropriately restricted at the SMB layer.\u003c/li\u003e\n\u003cli\u003eMonitor Samba logs for suspicious activity related to reparse point creation or modification.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Samba Reparse Point Manipulation on Read-Only Shares\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical Samba shares to detect unauthorized changes to file metadata.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T14:19:21Z","date_published":"2026-05-27T14:19:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-samba-ntfs-reparse-point-flaw/","summary":"CVE-2026-1933 describes a vulnerability in Samba's handling of NTFS-style reparse points on read-only shares, allowing authenticated users with filesystem write permissions to modify reparse point metadata and potentially alter SMB-visible file behavior.","title":"Samba NTFS Reparse Point Vulnerability (CVE-2026-1933)","url":"https://feed.craftedsignal.io/briefs/2026-05-samba-ntfs-reparse-point-flaw/"}],"language":"en","title":"CraftedSignal Threat Feed — Reparse Point","version":"https://jsonfeed.org/version/1.1"}