A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

The version of samba installed on the remote host is prior to 4.22.10. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-158-01 advisory.

    New samba packages are available for Slackware 15.0 to fix security issues.

Tenable has extracted the preceding description block directly from the samba security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20905-1 advisory.

    This update for samba fixes the following issues

    Security issues:

    - CVE-2026-1933: Missing access check on reparse point operations (bsc#1261188).
    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3012: group policy certificate enrollment uses http: // without validation (bsc#1261159).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

    Changes for samba:

    - network:samba:STABLE/samba: use-kerberos=desired broken / Dolphin requires login for Samba shares     (bsc#1255755).
    - Samba service start times out (SElinux relabel takes too long) (bsc#1259050).
    - samba-ad-dc-libs packages is missing a DLZ plugin for bind 9.20 (bsc#1249058).
    - VFS_Snapper does not show previous file versions in subdirectories. (bsc#1259667).
    - Updated to 4.22.9

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-fc81581a79 advisory.

    Update to Samba 4.23.8 - Security fix for CVE-2026-4480, CVE-2026-2340, CVE-2026-3012, CVE-2026-1933,     CVE-2026-4408, and CVE-2026-3238

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2108-1 advisory.

    This update for samba fixes the following issues

    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

    Non security issues:

    - Fix pthreadpool_tevent race conditions accessing both      pthreadpool_tevent.jobs list and pthreadpool_tevent.glue_list      (bsc#1252963)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-7567819345 advisory.

    Update to Samba 4.24.3 - Security fix for CVE-2026-4480, CVE-2026-2340, CVE-2026-3012, CVE-2026-1933,     CVE-2026-4408, and CVE-2026-3238

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 45 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-9b08621bdc advisory.

    Update to Samba 4.24.3 - Security fix for CVE-2026-4480, CVE-2026-2340, CVE-2026-3012, CVE-2026-1933,     CVE-2026-4408, and CVE-2026-3238


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2073-1 advisory.

    This update for samba fixes the following issues

    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2076-1 advisory.

    This update for samba fixes the following issues

    Security issues:

    - CVE-2026-1933: Missing access check on reparse point operations (bsc#1261188).
    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3012: group policy certificate enrollment uses http: // without validation (bsc#1261159).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

    Non security issue:

    - network:samba:STABLE/samba: 'use-kerberos=desired' broken / Dolphin requires login for Samba shares     (bsc#1255755).
    - Generated dynamic profile based on path to special 'printers' share. (bsc#1259441).
    - Fix regression 'use-kerberos=desired' broken doesn't even try to authenticate with kerberos and instead     fallsback     to NTLM (bsc#1255755).
    - Fix memory leak using cups parsed options and filename allocated when processing end of printing job     (bsc#1257200).
    - Fix manpage for 'net offlinejoin requestodj'.
    - Fix 'ctdbd socket' documentation in manpage for smb.conf
    - Fix rpc workers with long living clients from growing server      memory keytab and increasing memory used by workers (bsc#1257200).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2074-1 advisory.

    This update for samba fixes the following issues

    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3012: group policy certificate enrollment uses http: // without validation (bsc#1261159).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2072-1 advisory.

    This update for samba fixes the following issues

    - CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
    - CVE-2026-3012: group policy certificate enrollment uses http: // without validation (bsc#1261159).
    - CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
    - CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
    - CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8306-1 advisory.

    Asim Viladi Oglu Manizada discovered that Samba incorrectly handled access checks on reparse point     operations. An attacker could possibly use this issue to modify reparse point extended attributes on files     that should have been read-only. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
    (CVE-2026-1933)

    Pavel Kohout discovered that Samba's vfs_worm module did not properly block file overwrites. An attacker     could possibly use this issue to overwrite files that should have remained immutable. (CVE-2026-2340)

    Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly handled certificate auto-     enrolment group policies over HTTP without verification. A machine-in-the-middle attacker could possibly     use this issue to install a malicious CA certificate. This issue only affected Ubuntu 24.04 LTS, Ubuntu     25.10, and Ubuntu 26.04 LTS. (CVE-2026-3012)

    Arad Inbar, Erez Cohen, Nir Somech, and Ben Grinberg discovered that Samba's Active Directory Domain     Controller WINS server could be made to crash under certain circumstances. A remote attacker could     possibly use this issue to cause a denial of service. (CVE-2026-3238)

    Ron Ben Yizhak discovered that Samba's DCE/RPC SAMR server incorrectly handled a non-default password     check script configuration. A remote attacker could possibly use this issue to execute arbitrary code.
    (CVE-2026-4408)

    Ron Ben Yizhak discovered that Samba's printing subsystem incorrectly handled a non-default print command     configuration. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-4480)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6297 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6297-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     May 26, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : samba     CVE ID         : CVE-2026-1933 CVE-2026-2340 CVE-2026-3012 CVE-2026-3238                      CVE-2026-4408 CVE-2026-4480

    Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,     print, and login server for Unix, which might result in bypass of access     checks, overwrite of files in unintended situations using the WORM vfs     module, installing CA certificates over http without verification when     auto-enrollment GPO is enabled, denial of service or remote code     execution.

    For the oldstable distribution (bookworm), these problems have been     fixed in version 2:4.17.12+dfsg-0+deb12u4.

    For the stable distribution (trixie), these problems have been fixed in     version 2:4.22.8+dfsg-0+deb13u2.

    We recommend that you upgrade your samba packages.

    For the detailed security status of samba please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/samba

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller.
    The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing     an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using     specially crafted UDP packets. (CVE-2026-3238)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
320478	Slackware Linux 15.0 samba Multiple Vulnerabilities (SSA:2026-158-01)	Nessus	Slackware Local Security Checks	critical
320420	openSUSE 16 Security Update : samba (openSUSE-SU-2026:20905-1)	Nessus	SuSE Local Security Checks	critical
318763	Fedora 43 : freeipa / samba (2026-fc81581a79)	Nessus	Fedora Local Security Checks	critical
318208	SUSE SLES15 Security Update : samba (SUSE-SU-2026:2108-1)	Nessus	SuSE Local Security Checks	critical
318168	Fedora 44 : freeipa / samba (2026-7567819345)	Nessus	Fedora Local Security Checks	critical
317804	Fedora 45 : freeipa / samba (2026-9b08621bdc)	Nessus	Fedora Local Security Checks	critical
317802	SUSE SLES12 Security Update : samba (SUSE-SU-2026:2073-1)	Nessus	SuSE Local Security Checks	critical
317755	SUSE SLED15 / SLES15 Security Update : samba (SUSE-SU-2026:2076-1)	Nessus	SuSE Local Security Checks	critical
317754	SUSE SLES15 / openSUSE 15 Security Update : samba (SUSE-SU-2026:2074-1)	Nessus	SuSE Local Security Checks	critical
317654	SUSE SLES15 Security Update : samba (SUSE-SU-2026:2072-1)	Nessus	SuSE Local Security Checks	critical
317099	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Samba vulnerabilities (USN-8306-1)	Nessus	Ubuntu Local Security Checks	critical
316800	Debian dsa-6297 : ctdb - security update	Nessus	Debian Local Security Checks	critical
316784	Linux Distros Unpatched Vulnerability : CVE-2026-3238	Nessus	Misc.	high

Detections

Analytics

CVE-2026-3238

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high