Critical Samba Printing Flaw Allows Remote Code Execution on Misconfigured Servers
8 min. read 
Published on
The Samba Team has released security fixes for CVE-2026-4480, a remote code execution flaw in the Samba printing subsystem. The official Samba advisory says affected print servers are vulnerable when their smb.conf print command uses the %J substitution character.
The bug can let an attacker send a crafted print job description that injects shell commands into the server’s configured print command. Samba gives the issue a CVSS 3.1 score of 10.0, although some vendor trackers score it lower based on their own affected packages and assumptions.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The issue deserves urgent review because Samba print servers often sit inside business networks, where a successful exploit could give attackers a foothold for lateral movement, data theft, or ransomware deployment.
What CVE-2026-4480 Is
CVE-2026-4480 affects Samba configurations that pass a client-controlled print job description into a shell command through %J. Samba did not properly escape shell metacharacters in that value, which creates an OS command injection path.
The NVD entry describes the flaw as a Samba printing subsystem issue that can let a remote attacker execute code by sending a specially crafted print job description containing unescaped shell characters.
In simple terms, the attacker does not need to break authentication if the print service accepts their job. They only need to reach a vulnerable print configuration and place dangerous shell syntax inside the job description field.
| Item | Details |
|---|---|
| CVE | CVE-2026-4480 |
| Affected component | Samba printing subsystem |
| Vulnerable setting | print command using %J |
| Attack type | Remote command injection |
| Authentication | May not be required where guest printing is allowed |
| Upstream Samba CVSS | 10.0 |
Which Samba Servers Are Affected
The vulnerability is configuration-dependent. A Samba server is exposed if it acts as a print server and uses a print command that includes the %J substitution character.
Servers using printing = cups or printing = iprint are not affected by this specific issue. Servers that do not use %J in the print command setting are also not affected.
The Amazon Linux Security Center repeats the same configuration guidance and notes that Samba print servers allow guest users to print by default, which can increase exposure in some environments.
Fixed Samba Versions Are Available
The Samba Team has issued Samba 4.22.10, 4.23.8, and 4.24.3 as security releases to fix the defect. Administrators should upgrade to the fixed version for their supported release series or apply vendor patches from their Linux distribution.
The Samba security release announcement also covers several other vulnerabilities fixed in the same release set, including another unauthenticated remote code execution issue tracked as CVE-2026-4408.
Organizations should not assume that a server is safe only because it does not expose file shares to the internet. Print services, legacy smb.conf settings, and internal guest access can still create a useful attack path for threat actors already inside a network.
| Release Series | Fixed Version | Action |
|---|---|---|
| Samba 4.22 | 4.22.10 | Upgrade or apply vendor patch |
| Samba 4.23 | 4.23.8 | Upgrade or apply vendor patch |
| Samba 4.24 | 4.24.3 | Upgrade or apply vendor patch |
Why the CVSS Score Can Look Different
Samba’s own advisory lists CVE-2026-4480 with a CVSS 3.1 score of 10.0. That reflects a worst-case upstream assessment where the flaw is reachable over the network without privileges or user interaction.
The NVD listing currently shows a Red Hat CNA score of 8.5, while the Amazon Linux entry lists an Amazon Linux score of 8.1. These differences do not make the issue safe. They reflect vendor-specific scoring decisions and deployment assumptions.
For administrators, the practical priority is clearer than the score difference. Any server with a reachable Samba print service and a print command that includes %J needs immediate attention.
Temporary Mitigations If You Cannot Patch Immediately
The safest workaround is to remove %J from the print command configuration. This removes the client-controlled job description from the shell command path.
The Samba advisory says placing single quotes directly around %J can make exploitation much less likely, but it also warns that command-line option injection may still be possible. Double quotes may not provide enough protection.
Administrators should treat quoting as a short-term risk reduction step, not a replacement for patching. The proper fix is to deploy the updated Samba release or the security update from the operating system vendor.
- Upgrade to Samba 4.22.10, 4.23.8, or 4.24.3 where applicable.
- Apply Linux distribution security updates as soon as they become available.
- Remove %J from the print command setting if patching must wait.
- Use single quotes around %J only as a temporary fallback.
- Do not rely on double quotes as a complete mitigation.
- Disable or restrict guest printing where it is not required.
- Limit network access to Samba print services.
How to Audit Samba Configurations
Security teams should search smb.conf and included configuration files for print command settings that contain %J. They should also identify print shares that allow guest access or accept jobs from untrusted network segments.
The audit should include servers that administrators may consider legacy or internal only. Samba often runs for years in mixed Linux, Unix, and Windows environments, and old print configuration lines can remain in place long after the original business need changes.
Teams should also review distro-specific package status. Some vendors may publish backported fixes under the same major version rather than requiring an immediate jump to the latest upstream Samba release.
| Check | Why It Matters |
|---|---|
| Search for %J in smb.conf | Confirms whether the vulnerable substitution is used |
| Review print command entries | Finds shell commands that receive client-controlled input |
| Check printing backend | CUPS and iPrint configurations are not affected by this issue |
| Review guest printing | Guest print access can lower the barrier to exploitation |
| Check package updates | Vendor packages may include backported fixes |
| Restrict service exposure | Limits who can reach Samba print services |
Other Samba Fixes Landed at the Same Time
CVE-2026-4480 was not the only issue fixed in the late-May Samba security releases. The same set also includes fixes for access-control, WORM module, certificate enrollment, WINS denial-of-service, and another remote code execution issue.
The Samba announcement lists CVE-2026-1933, CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408, and CVE-2026-4480 in the release notes. Samba 4.24.3 release notes also confirm that Samba 4.24.3 is a security release addressing these defects.
This makes the update more important for administrators who run Samba as more than a simple file server. Domain controller, print, WINS, and policy-related features all need review in environments that rely on Samba for Windows interoperability.
What Administrators Should Do Now
Administrators should prioritize internet-facing Samba systems, internal print servers, and servers that accept print jobs from guest users or broad network ranges. Systems that include %J in print command should move to the top of the patch list.
Organizations should also monitor for unusual print job submissions, unexpected shell execution from Samba-related processes, and suspicious outbound connections from print servers. These signals can help identify exploitation attempts or post-exploitation activity.
The Samba 4.24.3 release notes confirm that CVE-2026-4480 was addressed as part of the latest security release, but many organizations will need to wait for distribution packages. Until then, configuration review and access restrictions can reduce risk.
The Bottom Line
CVE-2026-4480 is a serious Samba printing vulnerability, but it does not affect every Samba installation. The most exposed systems are print servers with print command configured to use %J, especially where unauthenticated or guest printing is allowed.
Security teams should patch supported Samba versions quickly, remove risky %J usage where possible, restrict access to print services, and review related Samba fixes released in the same security batch. The issue shows how one legacy configuration option can turn normal print job metadata into a remote command execution path.
FAQ
CVE-2026-4480 is a remote code execution vulnerability in the Samba printing subsystem. It affects Samba print servers that use a print command containing the %J substitution character.
A Samba server is vulnerable when it acts as a print server and its smb.conf print command includes %J. Servers using printing = cups or printing = iprint, and servers without %J in print command, are not affected by this specific issue.
The Samba Team issued Samba 4.22.10, 4.23.8, and 4.24.3 as security releases that fix CVE-2026-4480. Linux distribution vendors may also provide backported fixes through their package repositories.
Yes, it can be exploitable without authentication in configurations where unauthenticated or guest users can submit print jobs to a vulnerable Samba print service.
The strongest workaround is to remove %J from the print command setting. Adding single quotes directly around %J can reduce risk, but Samba warns that this does not fully eliminate command-line option injection risk.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages