CVE-2026-4480

CRITICAL

Samba: samba: remote code execution in printing subsystem via unescaped job description

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-4480. PoCs published by CarlosEduardoPM, 0xBlackash, robinxiang.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2026-4480, a command injection vulnerability in the Samba printing subsystem. The exploit leverages improper sanitization of the print job description to achieve remote code execution via the `%J` substitution parameter.

Description

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

Exploits (5)

github WORKING POC 1 stars
by CarlosEduardoPM · pythonpoc
https://github.com/CarlosEduardoPM/CVE-2026-4480-POC

The repository contains a functional exploit for CVE-2026-4480, a command injection vulnerability in the Samba printing subsystem. The exploit leverages improper sanitization of the print job description to achieve remote code execution via the `%J` substitution parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (printing subsystem)
No auth needed
Prerequisites: Samba configured as a print server with `print command` using `%J` substitution · Network access to the Samba service
devstral-2 · analyzed Jun 09, 2026 Full analysis →
github WORKING POC
by CarlosEduardoPM · pythonpoc
https://github.com/CarlosEduardoPM/CVE-2026-4480

The repository contains a functional exploit for CVE-2026-4480, a command injection vulnerability in the Samba printing subsystem. The exploit leverages improper handling of the `%J` substitution parameter in print commands to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (printing subsystem)
No auth needed
Prerequisites: Samba configured as a print server with `print command` using `%J` substitution · Network access to the Samba service
devstral-2 · analyzed Jun 08, 2026 Full analysis →
github WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-4480

This repository provides a detailed technical analysis of CVE-2026-4480, a critical command injection vulnerability in Samba's printing subsystem. It includes root cause analysis, affected versions, mitigation steps, and detection methods, but does not contain exploit code.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Samba (versions before 4.22.10, 4.23.8, 4.24.3)
No auth needed
Prerequisites: Samba configured with a custom print command using %J parameter · Network access to the Samba server
devstral-2 · analyzed Jun 08, 2026 Full analysis →
github WORKING POC
by robinxiang · pythonpoc
https://github.com/robinxiang/CVE-2026-4480

This repository contains a functional exploit for CVE-2026-4480, targeting a Samba Print Command Injection vulnerability. The exploit leverages the spoolss RPC interface to inject commands via the printer job name, achieving remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (specific version not specified)
No auth needed
Prerequisites: Network access to the target Samba service · Anonymous authentication enabled
devstral-2 · analyzed Jun 07, 2026 Full analysis →
github WORKING POC
by TheCyberGeek · pythonpoc
https://github.com/TheCyberGeek/CVE-2026-4480-PoC

This repository contains a functional exploit for CVE-2026-4480, demonstrating unauthenticated remote command execution in Samba's print subsystem via shell injection through the `%J` macro in the print command. The exploit leverages Samba's Python bindings to submit a crafted print job that triggers command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions before 4.22.10, 4.23.8, 4.24.3)
No auth needed
Prerequisites: Samba Python bindings · Network access to SMB port (445/139) · Guest-accessible printer share with `%J` in print command
devstral-2 · analyzed Jun 05, 2026 Full analysis →

References (6)

Core 6
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:22644
https://access.redhat.com/errata/RHSA-2026:22644
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:22963
https://access.redhat.com/errata/RHSA-2026:22963
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25049
https://access.redhat.com/errata/RHSA-2026:25049
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-4480
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2452232
https://bugzilla.redhat.com/show_bug.cgi?id=2452232

Scores

CVSS v3 9.0
EPSS 0.0036
EPSS Percentile 58.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (15)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 10 0:4.23.5-109.el10_2
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 8 0:4.19.4-16.el8_10
Red Hat/Red Hat Enterprise Linux 9
Red Hat/Red Hat Enterprise Linux 9 0:4.23.5-10.el9_8
Red Hat/Red Hat OpenShift Container Platform 4
redhat/enterprise_linux 7.0
... and 5 more
Published May 26, 2026
Tracked Since May 26, 2026