<Vulnerability name="CVE-2026-2340">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-05-27T10:35:47</PublicDate>
    <Bugzilla id="2447318" url="https://bugzilla.redhat.com/show_bug.cgi?id=2447318" xml:lang="en:us">
samba: vfs_worm does not block directory modification
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-280</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability is rated Moderate severity because exploitation requires authenticated write access to a Samba share already configured to permit file creation and modification.

The flaw affects the vfs_worm module, which provides additional immutability protections for files after a configurable grace period. Due to improper handling of rename operations, a user with existing write permissions could overwrite files that should have become immutable under the WORM policy.

The vulnerability does not bypass underlying filesystem access controls or grant additional privileges beyond those already assigned to the authenticated user. However, because the primary purpose of the vfs_worm module is to protect file integrity, the ability to modify protected files results in a high integrity impact.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Pavel Kohout (Aisle Research) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
Administrators can mitigate this issue in either of the following ways:

Set read-only permissions on protected files at the underlying filesystem level, which will prevent modifications.

Set worm:grace_period = 0 (zero or less) in smb.conf to eliminate the writable grace period, and with it the window in which the rename can happen; note that this may impact workflows that require multi-step file creation.
    </Mitigation>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-06-03T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:22963">RHSA-2026:22963</Advisory>
        <Package name="samba">samba-0:4.23.5-109.el10_2</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>samba</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>samba4</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>samba</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>samba</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>samba</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-2340
https://nvd.nist.gov/vuln/detail/CVE-2026-2340
https://bugzilla.samba.org/show_bug.cgi?id=15997
    </References>
</Vulnerability>