CVE-2026-4480

⛔ critical

Summary

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

CVSS Score

9.0

Critical

EPSS Score

12.8

Exploit Probability

Published Date

2026-05-26

First Seen: 2026-05-27

📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 87.7% of all 329,456 vulnerabilities in our database.

#40,532

Top 25% most severe

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 26, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Total

Complete system compromise possible

🏆 Discovered By

Red Hat would like to thank Arjun Basnet (Securin Labs), John Walker (ZeroPath), and Ron Ben Yizhak (SafeBreach) for reporting this issue.

SSVC data provided by CISA

Last Modified 2026-06-23

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-78

📦 Affected Products 6

Vendor	Product	Status	Affected Versions
samba	samba	Affected	> 4.1.0 < 4.2.1
redhat	enterprise_linux	Affected	v10.0
redhat	enterprise_linux	Affected	v7.0
redhat	enterprise_linux	Affected	v8.0
redhat	enterprise_linux	Affected	v9.0
redhat	openshift_container_platform	Affected	v4.0

🔗 References 14

https://access.redhat.com/errata/RHSA-2026:22644

https://access.redhat.com/errata/RHSA-2026:22963

https://access.redhat.com/errata/RHSA-2026:25049

https://access.redhat.com/errata/RHSA-2026:25979

https://access.redhat.com/errata/RHSA-2026:28053

https://access.redhat.com/errata/RHSA-2026:28054

https://access.redhat.com/errata/RHSA-2026:28055

https://access.redhat.com/errata/RHSA-2026:28056

https://access.redhat.com/errata/RHSA-2026:28057

https://access.redhat.com/errata/RHSA-2026:28058

https://access.redhat.com/errata/RHSA-2026:28132

https://access.redhat.com/security/cve/CVE-2026-4480

Mitigation Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2452232

Issue Tracking Third Party Advisory

https://bugzilla.samba.org/show_bug.cgi?id=16033

Issue Tracking Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-1764	🔶 medium	5.6	0.2	A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially craf...	2026-06-16
CVE-2026-1766	🔶 medium	5.6	0.2	A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracke...	2026-06-16
CVE-2026-1767	🔶 medium	5.6	0.2	A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` compo...	2026-06-16
CVE-2026-11785	🔶 medium	4.3	0.2	A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial st...	2026-06-09
CVE-2026-11786	ℹ️ low	1.9	0.2	A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute ...	2026-06-09
CVE-2026-11787	🔶 medium	5.0	0.2	A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without ...	2026-06-09

These CVEs affect the same products