CVE-2026-4480
Public on 2026-05-26
Modified on 2026-05-26
Description
Samba passes the client-controlled job description string to the
command configured with the "print command" setting via the "%J"
substitution character without escaping shell meta characters. This
leads to a remote code execution vulnerability.
Print servers configured with "printing = cups" or "printing =
iprint", and print servers that do not have the %J substitution
character in the "print command" setting are not affected.
The problem is much less dangerous if %J has single quotes directly
around it, e.g. '%J', but it's still possible to inject
command line options.
By default, print servers allow guest users to print.
command configured with the "print command" setting via the "%J"
substitution character without escaping shell meta characters. This
leads to a remote code execution vulnerability.
Print servers configured with "printing = cups" or "printing =
iprint", and print servers that do not have the %J substitution
character in the "print command" setting are not affected.
The problem is much less dangerous if %J has single quotes directly
around it, e.g. '%J', but it's still possible to inject
command line options.
By default, print servers allow guest users to print.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | samba | Pending Fix | ||
| Amazon Linux 2023 | samba | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |