CVE-2021-44142

HIGH EXPLOITED LAB

Samba < 4.13.17 - Out-of-bounds Read and Write via Extended File Attributes

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-44142 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including horizon3ai, Nxvh1337, WinDyAlphA.

AI-analyzed exploit summary This repository contains a Python-based proof-of-concept exploit for CVE-2021-44142, a heap out-of-bounds read/write vulnerability in Samba's vfs_fruit module. The exploit demonstrates vulnerability by dumping heap memory contents (cookie and pointer) via a crafted AppleDouble structure, leveraging a single SMB connection to bypass process isolation.

Description

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

Exploits (5)

nomisec WORKING POC 10 stars
by horizon3ai · infoleak
https://github.com/horizon3ai/CVE-2021-44142

This repository contains a Python-based proof-of-concept exploit for CVE-2021-44142, a heap out-of-bounds read/write vulnerability in Samba's vfs_fruit module. The exploit demonstrates vulnerability by dumping heap memory contents (cookie and pointer) via a crafted AppleDouble structure, leveraging a single SMB connection to bypass process isolation.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Samba (vfs_fruit module)
Auth required
Prerequisites: Network access to vulnerable Samba server · Valid SMB credentials · vfs_fruit module enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by Nxvh1337 · poc
https://github.com/Nxvh1337/CVE-2021-44142-vulnerable-lab

This repository provides a Dockerized vulnerable environment for CVE-2021-44142, a Samba vfs_fruit module vulnerability. It includes a patched version of Samba 4.13.13 with intentional memory corruption to simulate the exploit scenario.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Samba v4.13.13 with vfs_fruit module
Auth required
Prerequisites: Docker environment · Samba configuration with vfs_fruit enabled
devstral-2 · analyzed Mar 07, 2026 Full analysis →
nomisec WORKING POC 3 stars
by WinDyAlphA · poc
https://github.com/WinDyAlphA/CVE-2021-44142-vulnerable-lab

This repository provides a vulnerable lab environment for CVE-2021-44142, a Samba vulnerability. It includes a script to set up a Samba share with specific configurations to replicate the vulnerable state.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (version not specified)
No auth needed
Prerequisites: Docker or similar environment to run the lab · Samba installed and configured
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 1 stars
by gudyrmik · poc
https://github.com/gudyrmik/CVE-2021-44142

The repository contains only a README and a Docker cleanup script, with no actual exploit code or technical details for CVE-2021-44142. It appears to be a placeholder or incomplete PoC.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by hrsman · remote
https://github.com/hrsman/Samba-CVE-2021-44142

This repository contains a functional PoC for CVE-2021-44142, a heap out-of-bounds read/write vulnerability in Samba's vfs_fruit module. The tool checks for vulnerability by dumping heap metadata and includes custom SMB protocol extensions to mimic OSX connections.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Samba with vfs_fruit module (versions affected by CVE-2021-44142)
Auth required
Prerequisites: Network access to vulnerable Samba server · Valid SMB credentials · vfs_fruit module enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 8.8
EPSS 0.7404
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
+2 more repos

Details

VulnCheck KEV 2024-07-25
CWE
CWE-125 CWE-787
Status published
Products (40)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
canonical/ubuntu_linux 21.10
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
redhat/codeready_linux_builder
... and 30 more
Published Feb 21, 2022
Tracked Since Feb 18, 2026