Cyber Resilience

CVE-2026-4408

Critical · RCE · Updated

Published: 28 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0250 (82.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4408 is a critical-severity OS Command Injection (CWE-78) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A flaw exists in Samba file servers and classic domain controllers that rely on the check password script feature when configured with the %u substitution character. In such cases the client-supplied username is passed to the script without escaping shell meta-characters, enabling operating-system command injection as described by CWE-78. The issue is limited to non-standard deployments in which the check password script uses %u and the samba-dcerpcd service runs as a system service.

An unauthenticated remote attacker can supply a crafted username that results in arbitrary command execution on the affected host. The CVSS 9.0 rating reflects this: network attack vector, high attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity and availability.

Red Hat has published errata RHSA-2026:22644, RHSA-2026:22963, and RHSA-2026:25049 that contain the corrective updates; additional details are available in the associated CVE entry and Bugzilla report 2479762. The EPSS score has remained flat at 0.0102, indicating no material increase in observed exploitation interest since disclosure.

Vulnerability details

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct OS command injection (CWE-78) in a public-facing Samba service enables remote code execution through unsanitized input passed to a shell script.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4480 (same product: Redhat Enterprise Linux)
CVE-2026-3012 (same product: Redhat Enterprise Linux)
CVE-2026-1933 (same product: Redhat Enterprise Linux)
CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)

Affected Assets (vendor / product / versions)

redhat / openshift container platform / 4.0
samba / samba / 4.1.0 to 4.21.0
redhat / enterprise linux / 6.0, 7.0, 9.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-10 Information Input Validation: Enforces validation and sanitization of the client-supplied username before it is passed to the check password script, directly blocking shell metacharacter injection.

prevent · SI-2 Flaw Remediation: Requires timely application of the vendor patches (RHSA-2026:22644 et al.) that eliminate the unsafe %u handling in samba-dcerpcd.

prevent: Mandates secure baseline settings that prohibit use of the check password script with %u or ensure proper escaping in non-standard Samba deployments.
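As an added example (not code from this advisory or from the Samba project), the following Python audits an smb.conf for the configuration described in the Deeper analysis and in the controls above: it flags a check password script whose command line expands the client-supplied %u, and shows the allow-list username validation (SI-10) a script would need if %u cannot be removed. The sample configurations, the script path /usr/local/sbin/pwcheck, the inclusion of %U, and the validation policy are assumptions.

```python
import re

# Constructed smb.conf samples (not taken from the advisory).
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    ; client username expanded straight into the script's command line
    check password script = /usr/local/sbin/pwcheck %u
"""
SAFE_CONF = """
[global]
    workgroup = EXAMPLE
    # script reads the username on stdin; nothing is expanded into the command
    check password script = /usr/local/sbin/pwcheck
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {param: value}}. Samba ignores case
    and whitespace in parameter names (normalised here); '#'/';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit_check_password_script(text):
    """Return (section, value) pairs whose check password script expands %u.
    Assumption: the session-username form %U is treated as equally risky."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        value = params.get("checkpasswordscript")
        if value and re.search(r"%[uU]", value):
            findings.append((section, value))
    return findings

def username_is_shell_safe(username):
    """Allow-list validation (NIST SI-10) a check script could apply before any
    shell use: 1-64 chars from [A-Za-z0-9._-]. Hypothetical policy."""
    return bool(re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username))
```

Run the audit against each smb.conf in a fleet; any finding means the host is in the non-standard configuration the advisory describes and should receive the errata first.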
