Unauthenticated Remote Code Execution in Samba printing subsystem
Created on 2026-05-31 14:00, updated on 2026-05-31 14:00, by Alexandre Dulaunoy

Description

===========================================================
== Subject:     Unauthenticated Remote Code Execution
==              in Samba printing subsystem
==
== CVE ID#:     CVE-2026-4480
==
== Versions:    All versions
==
== Summary:     Samba print servers with a "print command"
==              that has the %J substitution character
==              are vulnerable to a Remote Code Execution
===========================================================

===========
Description
===========
Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. This leads to a remote code execution vulnerability.
Print servers configured with "printing = cups" or "printing = iprint", and print servers that do not have the %J substitution character in the "print command" setting are not affected.
The problem is much less dangerous if %J has single quotes directly around it, e.g. '%J', but it is still possible to inject command line options: the quoted job name still reaches the print program as an argument, and a value beginning with '-' may be interpreted as an option.

By default, print servers allow guest users to print, so no credentials are needed to reach the vulnerable code path.
==================
Patch Availability
==================
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0
==========
Workaround
==========

Adding single quotes (directly!) around %J (=> '%J') makes it much less likely an attacker can do something useful. Note that double quotes are not enough on their own, because the shell still performs command and parameter expansion ($(...), backticks, $VAR) inside double quotes.
If unsure remove %J completely from the "print command" smb.conf entry.
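The following Python is an added illustration, not Samba's code or the published patch. It models the behaviour described in the Description and under Workaround: the client-supplied job name is substituted for %J verbatim and the result is executed via sh -c, exactly as a shell metacharacter injection requires. A Python one-liner that prints its argv stands in for lpr so that the arguments the print program actually receives are visible; the print command templates and job names are constructed. It also includes a small check for the workaround's "directly around %J" condition, which is an assumption about how an administrator would want to audit smb.conf rather than anything Samba ships.

```python
"""Added example (not Samba code): how an unescaped %J substitution becomes RCE,
why the '%J' workaround helps, and why double quotes do not.

smbd's behaviour is modelled as a plain textual replacement of %J in the
"print command" followed by execution through sh -c. A Python one-liner that
prints its argv stands in for lpr. All templates and job names are constructed.
"""
import re
import shlex
import subprocess
import sys

# Stand-in for the real print program: prints the argv it received on one line.
PRINTER = f"{shlex.quote(sys.executable)} -c 'import sys; print(sys.argv[1:])'"

# Constructed smb.conf "print command" values, as the advisory discusses them.
UNQUOTED = PRINTER + " -P lp %J"         # vulnerable: the shell splits %J
DOUBLE_QUOTED = PRINTER + ' -P lp "%J"'  # insufficient: $(...) still expands
SINGLE_QUOTED = PRINTER + " -P lp '%J'"  # the advisory's workaround


def render(template: str, job_name: str) -> str:
    """Model of the vulnerable code path: %J is replaced verbatim, no escaping."""
    return template.replace("%J", job_name)


def render_escaped(template: str, job_name: str) -> str:
    """Illustrative fix (not the Samba patch): shell-quote the client string first."""
    return template.replace("%J", shlex.quote(job_name))


def run_print_command(command: str) -> list[str]:
    """Execute the rendered command the way smbd does (sh -c); return stdout lines."""
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True, timeout=10)
    return proc.stdout.splitlines()


def attack_results() -> dict[str, list[str]]:
    """Run constructed hostile job names against each template variant."""
    cases = {
        "unquoted, separator": (UNQUOTED, "job1; echo INJECTED"),
        "double-quoted, substitution": (DOUBLE_QUOTED, "$(echo INJECTED)"),
        "single-quoted, separator": (SINGLE_QUOTED, "job1; echo INJECTED"),
        "single-quoted, substitution": (SINGLE_QUOTED, "$(echo INJECTED)"),
        "single-quoted, option": (SINGLE_QUOTED, "-o raw"),
    }
    results = {name: run_print_command(render(t, j)) for name, (t, j) in cases.items()}
    # shlex.quote also handles a job name that itself contains a single quote.
    results["escaped, embedded quote"] = run_print_command(render_escaped(UNQUOTED, "it's job1"))
    return results


def template_is_hardened(template: str) -> bool:
    """Audit check for a "print command" value: either %J is absent, or every
    occurrence sits directly inside single quotes, as the workaround requires."""
    for m in re.finditer(r"%J", template):
        before = template[m.start() - 1] if m.start() > 0 else ""
        after = template[m.end()] if m.end() < len(template) else ""
        if (before, after) != ("'", "'"):
            return False
    return True


if __name__ == "__main__":
    for name, lines in attack_results().items():
        print(f"{name:30} -> {lines}")
    for t in ("lpr -P%p -J %J %s", "lpr -P%p -J '%J' %s", "lpr -P%p %s"):
        print(f"{t!r}: hardened={template_is_hardened(t)}")
```

In the unquoted case the stand-in receives only `job1` and a second command runs; with double quotes the `$(...)` is expanded before the print program ever sees it; with single quotes the whole job name arrives as one argument, but an argument such as `-o raw` still reaches the program, which is the option-injection residual the advisory warns about.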
=======
Credits
=======

Originally reported by:
- Ron Ben Yizhak with SafeBreach
- John Walker with ZeroPath
- Arjun Basnet with Securin Labs

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.

This advisory by Volker Lendecke and Stefan Metzmacher of Sernet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================