CVE-2026-4408
Published: 28 May 2026
Summary
CVE-2026-4408 is a critical-severity OS Command Injection (CWE-78) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A flaw exists in Samba file servers and classic domain controllers that rely on the check password script feature when configured with the %u substitution character. In such cases the client-supplied username is passed to the script without escaping shell meta-characters, enabling operating-system command injection as described by CWE-78. The issue is limited to non-standard deployments in which the check password script uses %u and the samba-dcerpcd service runs as a system service.
An unauthenticated remote attacker can supply a crafted username that results in arbitrary command execution on the affected host, consistent with the CVSS 9.0 rating, which reflects a network attack vector, high impact, and changed scope.
Red Hat has published errata RHSA-2026:22644, RHSA-2026:22963, and RHSA-2026:25049 that contain the corrective updates; additional details are available in the associated CVE entry and Bugzilla report 2479762. The EPSS score has remained flat at 0.0102, indicating no material increase in observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32741
Vulnerability details
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
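To make the flawed and hardened handling described above concrete, here is an added Python example (not Samba's code and not from the advisory): it mimics raw %u substitution into a shell command string, flags the metacharacters that make a client-supplied username dangerous, and shows the hardened alternative of allowlist validation plus an argv invocation that never passes through a shell. The script path, the allowlist and the sample usernames are assumptions constructed for the example.

```python
import re
import subprocess

# Samba's "check password script" runs an external program at password-change
# time; with "%u" in the configured command, the client-supplied username is
# substituted into the command string a shell then parses. The script path
# below is a constructed assumption, not a path from the advisory.
CHECK_SCRIPT = "/usr/local/sbin/check-password"
VULNERABLE_TEMPLATE = CHECK_SCRIPT + " %u"

# Characters that change how a POSIX shell parses a command line.
SHELL_META = set(";|&$`<>(){}[]*?!'\"\\\n ")
# Conservative allowlist for usernames (assumption): letters, digits, '.', '-', '_'.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def render_vulnerable(template: str, username: str) -> str:
    """Mimic the flawed behaviour: raw %u substitution into a shell string."""
    return template.replace("%u", username)


def shell_metacharacters(username: str) -> set:
    """Metacharacters in the username that a shell would interpret."""
    return {c for c in username if c in SHELL_META}


def username_is_safe(username: str) -> bool:
    """Allowlist check; rejects anything outside the permitted characters."""
    return USERNAME_RE.fullmatch(username) is not None


def hardened_argv(script: str, username: str) -> list:
    """Validate, then hand the username to the script as one argv element
    so no shell ever parses it."""
    if not username_is_safe(username):
        raise ValueError("username rejected by allowlist")
    return [script, username]


def check_password(username: str, password: str, run=subprocess.run) -> bool:
    """Run the script with the password on stdin (Samba's convention) and
    treat exit status 0 as 'password acceptable'. `run` is injectable so
    the logic can be exercised without a real script installed."""
    argv = hardened_argv(CHECK_SCRIPT, username)
    result = run(argv, input=password.encode(), capture_output=True)
    return result.returncode == 0
```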
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Direct OS command injection (CWE-78) in public-facing Samba service enables remote code execution via unsanitized input to shell script.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation and sanitization of the client-supplied username before it is passed to the check password script, directly blocking shell metacharacter injection.
- SI-2 (Flaw Remediation): Requires timely application of the vendor patches (RHSA-2026:22644 et al.) that eliminate the unsafe %u handling in samba-dcerpcd.
- Secure configuration baseline: Mandates baseline settings that prohibit use of the check password script with %u, or ensure proper escaping, in non-standard Samba deployments.