Samba 4.23.8 Security Release (CVE-2026-1933, -2340, -3012, -3238, -4408, -4480)
Document Version: 1.0
Severity: Varies by CVE (see below); Medium (TrueNAS Impact)
This Samba security release addresses six vulnerabilities ranging from access control bypass to unauthenticated remote code execution. Of the six, two affect TrueNAS CE/Enterprise deployments: CVE-2026-1933 (missing access checks on reparse point operations on read-only shares) and CVE-2026-2340 (WORM vfs module bypass via rename). The remaining four do not apply to TrueNAS due to features and roles that TrueNAS does not support or enable by default. Neither applicable CVE enables remote code execution or privilege escalation.
TrueNAS Impact: MEDIUM — Two CVEs affect TrueNAS deployments; both are limited to authenticated share access and specific configurations, with no path to code execution or privilege escalation.
- Component: Samba VFS layer — reparse point xattr handling
- Attack Vector: Network — authenticated SMB client
- Prerequisites: Share configured with `read only = yes`; attacker has an R/O file handle and filesystem-level write access to the target file
- Affected Versions: Samba prior to this security release
On a share marked read only = yes, users can set or delete reparse point xattrs on files for which they hold filesystem write permissions, even when accessing via a read-only file handle. The share-level read only enforcement is not applied to reparse point xattr operations, allowing the share restriction to be bypassed for this specific metadata class.
- Component: Samba `vfs_worm` module
- Attack Vector: Network — authenticated SMB client with share write access
- Prerequisites: Share configured with the WORM (`vfs objects = worm`) module; attacker has write access to the share
- Affected Versions: Samba prior to this security release
The WORM (Write-Once, Read Many) vfs module is intended to prevent modification of files after initial write. The module failed to account for the rename code path: an attacker can create a new file, write arbitrary content to it, then rename it over an existing WORM-protected file. The rename operation bypasses the WORM write protection, overwriting the protected file’s content.
The following four CVEs are included in this Samba security release but do not affect TrueNAS CE/Enterprise:
| CVE | Description | Reason Not Applicable |
|---|---|---|
| CVE-2026-3012 | Auto-enrollment GPO installing CA certificate over HTTP without verification | TrueNAS does not operate as a domain member using GPO-based certificate auto-enrollment |
| CVE-2026-3238 | DoS against AD DC WINS server via unauthenticated UDP packet | TrueNAS does not run as an Active Directory Domain Controller |
| CVE-2026-4408 | Unauthenticated RCE in DCE/RPC SAMR server via `check password script` using `%u` | TrueNAS does not configure `check password script` in its Samba deployment |
| CVE-2026-4480 | Unauthenticated RCE in printing subsystem via `print command` using `%J` | TrueNAS does not enable the Samba print server subsystem |
All currently supported TrueNAS CE/Enterprise releases shipping the unpatched Samba version are affected by CVE-2026-1933 and CVE-2026-2340:
- 24.04.x series
- 24.10.x series
- 25.04.x series
- 25.10.x series (fixed in 25.10.4)
- Read-only shares in use: TrueNAS supports and commonly deploys SMB shares with `read only = yes`. Any such share is within scope.
- Reparse point xattr operations available: TrueNAS SMB shares support Windows reparse point semantics via the VFS layer.
- Dual-access requirement: Exploitation requires an authenticated SMB user who also holds filesystem-level write access to the target file. A user with only share-level read access cannot exploit this.
Impact is limited to reparse point xattr manipulation. An attacker cannot use this to read or write file data, escalate privileges, or access files outside their filesystem permissions.
- WORM vfs module available: The `vfs_worm` module is available in TrueNAS’s Samba build.
- Non-default configuration: The WORM module is not enabled on shares by default. Only deployments that have explicitly configured `vfs objects = worm` on one or more shares are affected.
- Write access sufficient: Any authenticated user with share write access can perform the rename operation.
Impact is limited to WORM protection bypass. An attacker can overwrite WORM-protected files, compromising data immutability guarantees. No code execution or privilege escalation is possible via this primitive.
No architectural defense prevents these vulnerabilities. Both require the upstream Samba fix. CVE-2026-2340 can be mitigated at the configuration level by disabling write access to affected shares pending a patched Samba release (see Mitigations).
Testing performed:
- No internal exploit testing has been completed as of this document’s date. The attack surface analysis is based on TrueNAS Samba configuration review and upstream vulnerability descriptions. Testing is in progress.
| CVE | Industry Severity | Basis |
|---|---|---|
| CVE-2026-1933 | Medium | Authenticated, requires specific share config and dual filesystem access |
| CVE-2026-2340 | Medium | Authenticated, requires WORM configuration; data integrity impact only |
| CVE-2026-3012 | Medium | Domain member only; MitM during certificate bootstrap |
| CVE-2026-3238 | High | Unauthenticated remote DoS against AD DC |
| CVE-2026-4408 | Critical | Unauthenticated RCE; requires check password script with %u |
| CVE-2026-4480 | Critical | Unauthenticated RCE; requires print server with print command using %J |
The two CVEs applicable to TrueNAS are both authenticated attacks limited to specific configurations and metadata or data integrity impact. Neither enables remote code execution, unauthenticated access, or privilege escalation. CVE-2026-1933 affects any deployment with read-only SMB shares and users who hold filesystem write access to files on those shares. CVE-2026-2340 affects only deployments that have explicitly configured the WORM vfs module.
The two Critical-severity CVEs (CVE-2026-4408 and CVE-2026-4480) do not affect TrueNAS and do not contribute to the TrueNAS risk rating.
The patched Samba version will be included in TrueNAS 25.10.4. Customers should upgrade to 25.10.4 or later when available.
CVE-2026-1933 — Interim mitigation:
No low-impact mitigation is available. The vulnerability requires both share read-only configuration and filesystem write access by the attacker. Review whether users who have filesystem write access to files on read-only shares represent a plausible attack scenario in your deployment. If so, consider temporarily removing `read only = yes` from affected shares and enforcing access control at the filesystem level until a patched release is available — however, this changes share behavior and should be evaluated carefully.
CVE-2026-2340 — Interim mitigation:
For deployments using the WORM vfs module, remove write access from authenticated users on WORM-protected shares until a patched Samba release is installed. WORM protection cannot be considered reliable against authenticated users with share write access on unpatched systems.
Deployments not using the WORM vfs module are not exposed to CVE-2026-2340 and require no action for that CVE. Deployments without read-only SMB shares, or where filesystem-level write access is not granted to users accessing read-only shares, are not exposed to CVE-2026-1933 in practice.
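One way to inventory which shares meet the configuration half of either precondition above (a `read only = yes` share for CVE-2026-1933, a share loading `vfs_worm` for CVE-2026-2340) is a small audit of the effective smb.conf. The script below is an added example, not TrueNAS or Samba code. It assumes Samba's usual parsing rules: parameter names are matched ignoring case and whitespace, `writeable`, `writable` and `write ok` are inverted synonyms of `read only`, `read only` defaults to yes when a share does not set it, and `[global]` values act as per-share defaults. The configuration it reads is a constructed sample. It cannot see the other half of the CVE-2026-1933 precondition, filesystem-level write access, which has to be reviewed against the permissions on each flagged share's path.

```python
"""Flag smb.conf shares matching the two advisory preconditions: effectively
'read only = yes' (CVE-2026-1933) and 'vfs objects' loading 'worm' (CVE-2026-2340).
Added example, not TrueNAS or Samba code. Filesystem write access (the second
half of the CVE-2026-1933 precondition) is not visible here; check the share path's ACLs."""
import re

BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}
# Samba's inverted synonyms of 'read only'; folded into one key so last-setting-wins holds.
INVERTED_READ_ONLY = {"writeable", "writable", "writeok"}


def _norm(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; later settings override earlier ones."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section is ignored
        key, value = line.split("=", 1)
        key, value = _norm(key), value.strip()
        if key in INVERTED_READ_ONLY:
            flag = BOOLS.get(value.lower())
            if flag is None:
                continue
            key, value = "readonly", ("no" if flag else "yes")
        sections[current][key] = value
    return sections


def audit_smb_conf(text):
    """Return (share, cve, note) tuples for each share matching an advisory precondition."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})  # [global] values are the defaults for every share
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        ro_value = params.get("readonly", defaults.get("readonly"))
        # Samba's built-in default for 'read only' is yes, so an unset share counts;
        # an unrecognised value is also treated as read-only rather than silently skipped.
        read_only = True if ro_value is None else BOOLS.get(ro_value.lower(), True)
        if read_only:
            findings.append((share, "CVE-2026-1933",
                             "read only = yes; confirm no user holds filesystem write "
                             "access to files under this share until Samba is patched"))
        vfs = params.get("vfsobjects", defaults.get("vfsobjects", ""))
        if "worm" in re.split(r"[\s,]+", vfs.strip()):
            findings.append((share, "CVE-2026-2340",
                             "vfs_worm loaded; remove share write access until Samba is patched"))
    return findings


# Constructed sample configuration, not taken from any real system.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    vfs objects = zfsacl

[archive]
    path = /mnt/tank/archive
    read only = yes

[records]
    path = /mnt/tank/records
    writeable = yes
    vfs objects = zfsacl worm
    worm:grace_period = 60

[docs]
    path = /mnt/tank/docs

[scratch]
    path = /mnt/tank/scratch
    writable = yes
"""

if __name__ == "__main__":
    for share, cve, note in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{share}] {cve}: {note}")
```

On a live system, feed it the effective configuration rather than a hand-written file: `testparm -s` prints the parsed smb.conf, and its output can be passed to `audit_smb_conf` unchanged. In the sample, `[docs]` sets no `read only` at all and is still reported, because Samba's default for that parameter is yes; `[records]` is reported only for the WORM module, since `writeable = yes` makes it writable.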
- CVE-2026-1933: https://www.samba.org/samba/security/CVE-2026-1933.html
- CVE-2026-2340: https://www.samba.org/samba/security/CVE-2026-2340.html
- CVE-2026-3012: https://www.samba.org/samba/security/CVE-2026-3012.html
- CVE-2026-3238: https://www.samba.org/samba/security/CVE-2026-3238.html
- CVE-2026-4408: https://www.samba.org/samba/security/CVE-2026-4408.html
- CVE-2026-4480: https://www.samba.org/samba/security/CVE-2026-4480.html
- TrueNAS Security: https://security.truenas.com
Of the six CVEs in this Samba security release, two affect TrueNAS CE/Enterprise: CVE-2026-1933 and CVE-2026-2340. Both are authenticated attacks with no path to code execution or privilege escalation, and CVE-2026-2340 requires non-default WORM configuration. The four remaining CVEs — including the two rated Critical — do not apply to TrueNAS due to features and roles TrueNAS does not support. This document will be updated to reflect resolved status once TrueNAS 25.10.4 is released and verified.
This document will be updated as additional information becomes available or if circumstances change.