{
  "threat_severity" : "Important",
  "public_date" : "2026-05-27T09:17:49Z",
  "bugzilla" : {
    "description" : "samba: group policy certificate enrollment uses http:// without validation",
    "id" : "2447319",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447319"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-345",
  "details" : [ "A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications." ],
  "statement" : "Red Hat Product Security has rated this vulnerability as Important severity.\nHowever, exploitation requires several specific non-default conditions to be met. The vulnerable code path is only reachable when Samba Group Policy processing is explicitly enabled using the ```apply group policies = yes``` configuration option and certificate auto-enrollment is configured through Group Policy.\nHence, although the vulnerable code is present, it is not exploitable in default RHEL configurations.\nIn addition, the attacker must be able to intercept or redirect adjacent-network HTTP traffic during certificate retrieval. Because exploitation depends on explicit administrative configuration changes and adjacent-network positioning, Red Hat assesses the attack complexity as High (AC:H).",
  "acknowledgement" : "Red Hat would like to thank Arad Inbar (DREAM Security Research Team), Ben Grinberg (DREAM Security Research Team), Michalis Vasileiadis, and Nir Somech (DREAM Security Research Team) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22963",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "samba-0:4.23.5-109.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22644",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "samba-0:4.19.4-16.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22644",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "samba-0:4.19.4-16.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3012\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3012\nhttps://bugzilla.samba.org/show_bug.cgi?id=16003" ],
  "name" : "CVE-2026-3012",
  "mitigation" : {
    "value" : "Systems are not affected unless Samba Group Policy processing and certificate auto-enrollment are explicitly enabled.\nAdministrators can reduce exposure by:\nAvoiding unnecessary use of certificate auto-enrollment.\nEnsuring your \"smb.conf\" does not contain a line like ```apply group policies = yes```. If group policy processing is not enabled, the vulnerable code will not run.\nIntercepting the HTTP request requires some control over the local network, or over other devices on it, in order to intercept or redirect traffic. Some network administrators might assess this as a low risk on their networks.",
    "lang" : "en:us"
  },
  "csaw" : false
}
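The mitigation above hinges on whether smb.conf sets `apply group policies = yes`. The following shell script, added here as an illustration and not part of the Red Hat advisory or the Samba project, checks a configuration file for that setting using the same key normalisation Samba applies to parameter names (case-insensitive, whitespace ignored, a later duplicate overrides an earlier one, and yes/true/on/1 count as true). The two sample configurations it writes are constructed for the demo; the function and variable names (`check_gpo_enabled`, `make_samples`, `SAFE`, `RISKY`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or the Samba project): report
# whether an smb.conf-style file enables "apply group policies", the setting
# that gates the CVE-2026-3012 code path.
#
# Exit status: 0 = enabled (prints "enabled"), 1 = disabled (prints
# "disabled"), 2 = file not readable.
check_gpo_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comment lines (# or ; at line start), split on the first '=',
    # normalise the key the way Samba does (case-insensitive, whitespace
    # ignored) and keep the last value seen, since a later duplicate wins.
    val=$(sed -e '/^[[:space:]]*[#;]/d' "$conf" |
          awk -F'=' '{
              key = $1; gsub(/[[:space:]]/, "", key)
              if (tolower(key) == "applygrouppolicies") {
                  v = substr($0, index($0, "=") + 1)
                  gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                  print tolower(v)
              }
          }' | tail -n 1)
    case "$val" in
        yes|true|on|1) echo "enabled";  return 0 ;;
        *)             echo "disabled"; return 1 ;;
    esac
}

# Constructed sample configurations (not taken from any real host) so the
# script runs stand-alone. RISKY uses odd casing and spacing on purpose to
# show that the check still matches it, as Samba itself would.
make_samples() {
    SAFE=$(mktemp)
    RISKY=$(mktemp)
    printf '[global]\n   workgroup = EXAMPLE\n   security = ads\n' > "$SAFE"
    printf '[global]\n   workgroup = EXAMPLE\n   security = ads\n   Apply Group Policies = Yes\n' > "$RISKY"
}

# Stand-alone demo over the constructed samples.
make_samples
check_gpo_enabled "$SAFE"  || true   # prints: disabled
check_gpo_enabled "$RISKY" || true   # prints: enabled
```

Because `include =` directives can pull in further files and this scan does not track sections, run it against the effective configuration rather than the raw file: `testparm -s 2>/dev/null > effective.conf` on the host, then `check_gpo_enabled effective.conf`. A "disabled" result means the vulnerable code path is not reachable on that host; an "enabled" result means you still have to confirm whether a certificate auto-enrollment policy is actually applied to it through Group Policy before treating it as exposed.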