SAMBA+ 4.24.3, 4.23.8 and 4.22.10 packages have just been released by SerNet. These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.
The packages address the following issues:
- CVE-2026-1933: Missing access checks on reparse point operations
  https://www.samba.org/samba/security/CVE-2026-1933.html
- CVE-2026-2340: WORM vfs module does not block overwrites
  https://www.samba.org/samba/security/CVE-2026-2340.html
- CVE-2026-3012: auto-enrollment GPO installing CA certificate over http without verification
  https://www.samba.org/samba/security/CVE-2026-3012.html
- CVE-2026-3238: Denial of service against AD DC WINS server
  https://www.samba.org/samba/security/CVE-2026-3238.html
- CVE-2026-4408: Unauthenticated Remote Code Execution in Samba DCE/RPC SAMR server
  https://www.samba.org/samba/security/CVE-2026-4408.html
- CVE-2026-4480: Unauthenticated Remote Code Execution in Samba printing subsystem
  https://www.samba.org/samba/security/CVE-2026-4480.html
Instructions for package access and upgrading are available in the SAMBA+ How-to collection. If you are upgrading from a SAMBA+ version older than 4.21 and use your own or third-party scripts that rely on Samba’s Python modules, you must install the sernet-samba-python3 package after upgrading on Debian or Ubuntu systems. RHEL and SUSE-based systems are not affected.
SAMBA+ packages are available as software subscriptions in the SAMBA+ shops:
- SAMBA+ Shop World (currency EUR)
- SAMBA+ Shop US (currency USD)
For further questions or to request a quote, please contact us.

