A critical vulnerability in the Samba printing subsystem, tracked as CVE-2026-4480, has been disclosed, allowing unauthenticated attackers to achieve remote code execution (RCE) on affected systems.
The flaw carries a maximum CVSS v3.1 score of 10.0, highlighting its severe impact and ease of exploitation.
Samba, widely used for file and print services across Linux and Unix environments, is vulnerable when configured with a “print command” that includes the %J substitution parameter.
This parameter passes a client-controlled print job description string directly into a shell command without properly escaping special characters, enabling attackers to inject malicious commands.
Samba Vulnerability
According to the advisory, the vulnerability arises because Samba does not sanitize shell meta characters embedded within the %J variable. An attacker can craft a malicious print job containing arbitrary shell instructions, which are then executed by the server.
Since many Samba deployments allow guest users to submit print jobs by default, exploitation does not require authentication, significantly increasing the attack surface.
However, not all configurations are affected. Systems using “printing = cups” or “printing = iprint” are not vulnerable. Additionally, servers that do not include the %J substitution in their print command configuration remain safe.
Security researchers from SafeBreach, ZeroPath, and Securin Labs independently reported the issue. The Samba Team has acknowledged the flaw and released patches to address it. Fixed versions include Samba 4.22.10, 4.23.8, and 4.24.3.
Administrators are strongly advised to upgrade immediately or apply the official patches available on the Samba security page.
As a temporary mitigation, administrators can reduce risk by enclosing the %J parameter in single quotes (‘%J’), which limits but does not eliminate the potential for command injection.
Removing the %J parameter entirely from the smb.conf “print command” configuration is the most effective workaround if patching is not immediately possible.
The vulnerability has significant implications for enterprise environments, especially those that rely on legacy Samba configurations or expose print services.
Attackers exploiting this flaw could gain full control of affected systems, leading to data breaches, lateral movement, or ransomware deployment.
Organizations are urged to audit their Samba configurations, restrict guest access where possible, and monitor for unusual print job activity as potential indicators of compromise.
Given the simplicity of exploitation and critical severity, CVE-2026-4480 should be treated as a top-priority patching requirement.
This incident underscores the ongoing risks associated with command injection vulnerabilities in legacy service configurations. It highlights the importance of secure input handling in network-exposed services.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
