Skip to main content

Samba vfs_worm CVE-2026-2340

| EUVDEUVD-2026-32312 MEDIUM
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-05-27 secalert@redhat.com GHSA-m6w2-p258-gxqp
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:34 vuln.today

DescriptionCVE.org

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

AnalysisAI

WORM protection bypass in Samba's vfs_worm VFS module allows authenticated share users to defeat data retention controls by renaming a newly created file over an existing WORM-protected file. Affected users are those operating Samba deployments that have explicitly enabled the vfs_worm module for write-once, read-many data protection - such as compliance, archival, or audit log shares. An attacker with low-privilege write access can silently overwrite files that should be immutable post-grace-period, with high integrity impact (CVSS I:H). No public exploit or CISA KEV listing is identified at time of analysis.

Technical ContextAI

Samba's Virtual File System (VFS) layer supports pluggable modules that intercept filesystem operations. The vfs_worm module is one such plugin, designed to enforce WORM semantics: once a file's configurable grace period expires, write operations to it are blocked. The vulnerability arises from CWE-280 (Improper Handling of Insufficient Permissions or Privileges) - specifically, the module's permission validation logic does not correctly handle rename(2) system calls that target a protected file. A rename that resolves to an existing WORM-protected destination is not subjected to the same immutability check applied to direct write operations, creating a logic gap between the rename path and the write-protection enforcement path. The underlying Samba VFS dispatch for rename operations was reported via Samba bugzilla #15997 and Red Hat Bugzilla #2447318, both linked from NVD. No CPE strings were supplied with this advisory, so exact version ranges are not confirmed from the provided data.

RemediationAI

No vendor-released patch version was identified in the provided data at time of analysis - the upstream bug report at https://bugzilla.samba.org/show_bug.cgi?id=15997 should be monitored for fix commits and patched release announcements. As a primary compensating control, organizations should evaluate whether the vfs_worm module is strictly necessary; if not, disabling it removes the attack surface entirely (note: this also removes WORM protections, which may violate compliance requirements). If vfs_worm must remain enabled, restricting write access to WORM shares to only the minimum required user accounts via Samba share-level ACLs (valid users, write list) limits the pool of potential attackers to explicitly authorized principals. Filesystem-level WORM enforcement provided by the underlying storage platform (e.g., NetApp SnapLock, ZFS immutability flags, object-lock on S3-compatible backends) can serve as a defense-in-depth layer that does not rely on Samba's VFS module. Red Hat's advisory at https://access.redhat.com/security/cve/CVE-2026-2340 should be consulted for distribution-specific package updates.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2021-4104 HIGH
7.5 Dec 14

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Lo

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2025-26465 MEDIUM
6.8 Feb 18

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected
Image SLES15-SP7-HPC-Azure Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 12 SP5 Fixed

Share

CVE-2026-2340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy