{
  "threat_severity" : "Important",
  "public_date" : "2026-05-27T12:08:33Z",
  "bugzilla" : {
    "description" : "samba: Missing access check on reparse point operations",
    "id" : "2447317",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447317"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types." ],
  "statement" : "This vulnerability is rated Important severity by Red Hat Product Security, because authenticated users with filesystem-level write permissions may bypass Samba’s SMB-layer read-only protections for reparse point operations.\nThe flaw affects shares configured with \"read only = yes\", where Samba failed to properly enforce access checks when setting or deleting reparse point metadata. An attacker with existing write permissions on the underlying filesystem may manipulate SMB reparse point metadata to alter how files are presented to SMB clients, including converting files into symbolic links.\nThe vulnerability does not bypass underlying filesystem access controls or grant additional operating system privileges. However, successful exploitation may significantly disrupt file access for users of the affected share, including making large portions of a shared filesystem unavailable through widespread reparse point modification. Because the attack requires authenticated access and existing filesystem write permissions, Privileges Required are assessed as Low (PR:L).\nThis vulnerability affects Samba versions beginning with the introduction of NTFS-style reparse point support in Samba 4.21.",
  "acknowledgement" : "Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22963",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "samba-0:4.23.5-109.el10_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1933\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1933\nhttps://bugzilla.samba.org/show_bug.cgi?id=15992" ],
  "name" : "CVE-2026-1933",
  "mitigation" : {
    "value" : "Administrators can mitigate this issue by ensuring users who access a read only = yes Samba share do not have filesystem-level write permission to the exported files.\nA server administrator may also monitor and remove unintended \"user.SmbReparse\" xattr (extended attributes) and the associated FILE_ATTRIBUTE_REPARSE_POINT \"user.DosAttrib\" bit metadata if exploitation is suspected.",
    "lang" : "en:us"
  },
  "csaw" : false
}