CVE-2026-1933
Public on 2026-05-26
Modified on 2026-05-26
Description
Starting with Samba 4.21, users can create and delete NTFS-style
reparse points (https://en.wikipedia.org/wiki/NTFS_reparse_point) via
the SMB protocol. The Reparse Point Metadata is stored in an extended
attribute named "user.SmbReparse" together with the
FILE_ATTRIBUTE_REPARSE_POINT bit in the user.DosAttrib xattr.
Writing to these xattrs requires file-system level write
permissions.
File systems exported by Samba are marked "read only = yes" by
default, so even users who have write permissions on the exported
files should not be able modify them via SMB. For setting and deleting
the reparse point xattr, the required user-space access checks are
missing, so that users with file-system level write permissions are
able to modify the "user.SmbReparse" xattr even on exports marked as
read only.
The most prominent use of reparse points is the SMB representation of
symbolic links. This vulnerability means that users can turn existing
files where they have write permissions into symlinks as seen by
Windows and Linux clients even on exports marked as "read only = yes".
An attacker can also make an entire file system under the same
conditions unavailable to normal users by turning all existing files
into symlinks or other types of reparse points. This is not a
permanent condition, a server administrator can remove the
"user.SmbReparse" xattr and the FILE_ATTRIBUTE_REPARSE_POINT
"user.DosAttrib" bit.
reparse points (https://en.wikipedia.org/wiki/NTFS_reparse_point) via
the SMB protocol. The Reparse Point Metadata is stored in an extended
attribute named "user.SmbReparse" together with the
FILE_ATTRIBUTE_REPARSE_POINT bit in the user.DosAttrib xattr.
Writing to these xattrs requires file-system level write
permissions.
File systems exported by Samba are marked "read only = yes" by
default, so even users who have write permissions on the exported
files should not be able modify them via SMB. For setting and deleting
the reparse point xattr, the required user-space access checks are
missing, so that users with file-system level write permissions are
able to modify the "user.SmbReparse" xattr even on exports marked as
read only.
The most prominent use of reparse points is the SMB representation of
symbolic links. This vulnerability means that users can turn existing
files where they have write permissions into symlinks as seen by
Windows and Linux clients even on exports marked as "read only = yes".
An attacker can also make an entire file system under the same
conditions unavailable to normal users by turning all existing files
into symlinks or other types of reparse points. This is not a
permanent condition, a server administrator can remove the
"user.SmbReparse" xattr and the FILE_ATTRIBUTE_REPARSE_POINT
"user.DosAttrib" bit.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | samba | Not Affected | ||
| Amazon Linux 2023 | samba | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |