{"uuid": "0dbba751-347d-454d-a712-20656debd033", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Unauthenticated Remote Code Execution in Samba printing subsystem", "description": "===========================================================\n== Subject:     Unauthenticated Remote Code Execution\n==\t\tin Samba printing subsystem\n==\n== CVE ID#:     CVE-2026-4480\n==\n== Versions:    All versions\n==\n== Summary:     Samba print servers with a \"print command\"\n==\t\tthat has the %J substitution character\n==\t\tare vulnerable to a Remote Code Execution\n===========================================================\n\n===========\nDescription\n===========\n\nSamba passes the client-controlled job description string to the\ncommand configured with the \"print command\" setting via the \"%J\"\nsubstitution character without escaping shell meta characters. This\nleads to a remote code execution vulnerability.\n\nPrint servers configured with \"printing = cups\" or \"printing =\niprint\", and print servers that do not have the %J substitution\ncharacter in the \"print command\" setting are not affected.\n\nThe problem is much less dangerous if %J has single quotes directly\naround it, e.g. '%J', but it is still possible to inject\ncommand line options.\n\nBy default, print servers allow guest users to print.\n\n==================\nPatch Availability\n==================\n\nPatches addressing this issue have been posted to:\n\n    https://www.samba.org/samba/security/\n\nAdditionally, Samba $VERSIONS have been issued\nas security releases to correct the defect.  Samba administrators are\nadvised to upgrade to these releases or apply the patch as soon\nas possible.\n\n==================\nCVSSv3 calculation\n==================\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0\n\n==========\nWorkaround\n==========\n\nAdding single quotes (directly!) around %J (=> '%J')\nmakes it much less likely an attacker can do something useful.\nNote that double quotes are not sufficient, since the shell still\nexpands $(...) and backquotes inside them.\n\nIf unsure, remove %J completely from the \"print command\" smb.conf\nentry.\n\n=======\nCredits\n=======\n\nOriginally reported by:\n- Ron Ben Yizhak with SafeBreach\n- John Walker with ZeroPath\n- Arjun Basnet with Securin Labs\n\nPatches provided by:\n- Stefan Metzmacher of Sernet and the Samba team.\n- Douglas Bagnall of Catalyst and the Samba team.\n\nThis advisory by Volker Lendecke and Stefan Metzmacher\nof Sernet and the Samba team.\n\n==========================================================\n== Our Code, Our Bugs, Our Responsibility.\n== The Samba Team\n==========================================================", "creation_timestamp": "2026-05-31T14:00:10.719006+00:00", "timestamp": "2026-05-31T14:00:10.719006+00:00", "related_vulnerabilities": ["CVE-2026-4480"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
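The configuration weakness and the workaround the advisory describes, as an added example that is not Samba code and does not reproduce Samba's own substitution routine: a Python script that audits the print shares of an smb.conf for the three %J quoting forms the advisory distinguishes (bare, double-quoted, single-quoted) and skips the cups/iprint backends, plus a model of the substitution that shows what a crafted job description turns into once the shell tokenises the resulting command. Everything below the imports is assumed or constructed: the sample smb.conf, the hypothetical /usr/local/bin/printwrap wrapper (it exists only to show a job name landing in a positional argument slot), the job strings, and the modelling of the substitution as a raw textual replacement of %J with no escaping, which is the behaviour the advisory states.

```python
# Added example (not Samba code): audit smb.conf "print command" lines for the %J
# issue and model what a crafted job description becomes once the shell sees it.
import re
import shlex

# Constructed sample smb.conf.  /usr/local/bin/printwrap is a hypothetical wrapper
# that takes the job name as a positional argument (used to show option injection).
SAMPLE_SMB_CONF = """
[lp_unquoted]
    printable = yes
    print command = lpr -P%p -J %J %s ; rm %s
[lp_double]
    printable = yes
    print command = lpr -P%p -J "%J" %s ; rm %s
[lp_single]
    printable = yes
    print command = /usr/local/bin/printwrap -p %p '%J' %s
[lp_cups]
    printable = yes
    printing = cups
    print command = lpr -P%p -J %J %s
"""
VERDICTS = {
    "bare": "vulnerable: shell metacharacters in the job name run as extra commands",
    "double": "vulnerable: $(...) and backquotes still expand inside double quotes",
    "single": "reduced: no extra commands, but the job name can still be an option",
    "absent": "not affected: %J is not passed to the print command",
}
RANK = {"absent": 0, "single": 1, "double": 2, "bare": 3}


def classify_print_command(cmd):
    """Worst way %J appears in cmd: 'absent', 'single', 'double' or 'bare'."""
    worst = "absent"
    for m in re.finditer(r"%J", cmd):
        before = cmd[m.start() - 1] if m.start() > 0 else ""
        after = cmd[m.end()] if m.end() < len(cmd) else ""
        kind = ("single" if before == after == "'" else
                "double" if before == after == '"' else "bare")
        worst = max(worst, kind, key=RANK.get)
    return worst


def parse_smb_conf(text):
    """Minimal ini-style parser: [section] headers, key = value, # or ; comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (share, classification, verdict) for each printable share with a print command."""
    sections = parse_smb_conf(text)
    global_printing = sections.get("global", {}).get("printing", "")
    findings = []
    for share, params in sections.items():
        if share == "global" or params.get("printable", "no").lower() not in ("yes", "true", "1"):
            continue
        if params.get("printing", global_printing).lower() in ("cups", "iprint"):
            continue  # the advisory exempts these backends
        cmd = params.get("print command")
        if cmd is None:
            continue  # backend default in use; dump it with `testparm -s` and check it as well
        kind = classify_print_command(cmd)
        findings.append((share, kind, VERDICTS[kind]))
    return findings


def expand_print_command(cmd, job, printer="lp1", spool="/var/spool/samba/smb.job1"):
    """Model of the substitution: raw replacement of %J, %p and %s, no escaping (assumption).
    Job names containing a quote character are outside what this model covers."""
    return cmd.replace("%J", job).replace("%p", printer).replace("%s", spool)


def shell_commands(expanded):
    """Tokenise like a POSIX shell and split into simple commands on ; | & && ||.
    Quotes are honoured; $(...) and backquotes are left as tokens, not expanded."""
    lexer = shlex.shlex(expanded, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    return commands + [current] if current else commands


if __name__ == "__main__":
    for share, kind, verdict in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"{share:12} {kind:7} {verdict}")
    # Constructed job descriptions (the client-controlled %J value), not a real exploit.
    for cmd, job in (("lpr -P%p -J %J %s ; rm %s", "foo; id"),
                     ("lpr -P%p -J '%J' %s ; rm %s", "foo; id"),
                     ("/usr/local/bin/printwrap -p %p '%J' %s", "--queue=other")):
        print(shell_commands(expand_print_command(cmd, job)))
```

Feed `audit_smb_conf` the text of your smb.conf (or the output of `testparm -s`, so that includes and per-share overrides are resolved) and treat any `bare` or `double` finding as the condition the advisory describes. The model shows why the single-quote workaround is only a mitigation: a job name such as `foo; id` stays one argument, but a job name beginning with `-` still reaches the print command as an argument that a positional slot will parse as an option. Removing %J from the command, as the advisory recommends when unsure, is the only form that needs no further reasoning.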
