Skip to main content

Samba pam_winbind EUVDEUVD-2026-44662

| CVE-2026-15779 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-07-15 redhat GHSA-6fmw-7w5g-3pf9
6.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
6.1 MEDIUM

Local vector confirmed by description; PR:L because sudo delegation (not root) suffices; A:H for catastrophic availability loss; I:L for ownership metadata change without write access.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 13:24 vuln.today
CVE Published
Jul 15, 2026 - 12:33 nvd
MEDIUM 6.1

DescriptionCVE.org

A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.

AnalysisAI

Unvalidated chown in Samba's pam_winbind module allows a local user with narrow sudo delegation to transfer ownership of the root filesystem directory to a system account, causing system-wide denial of service on Red Hat Enterprise Linux 6 through 10. When mkhomedir is enabled and a system account has its home directory set to '/', any PAM-triggered authentication event run as that account via sudo invokes the chown without path sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify system account with '/' as home dir
Delivery
Confirm mkhomedir enabled in pam_winbind config
Exploit
Use existing sudo delegation to invoke command as that account
Execution
PAM triggers pam_winbind mkhomedir
Persist
chown '/' to account UID without path validation
Impact
SSH, sudo, package manager fail system-wide

Vulnerability AssessmentAI

Exploitation Three specific conditions must concurrently exist: (1) pam_winbind must be configured with mkhomedir enabled in the PAM stack (a non-default but common configuration in AD-integrated deployments); (2) the target account must have its home directory set to '/' or another critical system path - the description explicitly notes this is a common default for system/service accounts sourced from AD or LDAP; and (3) the attacker must hold a sudo delegation allowing them to execute at least one command as that system account, OR be operating as root. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H accurately reflects the local-only attack surface and high-severity availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on an AD-integrated RHEL system who holds a sudo rule permitting them to run a specific command as the 'backup' service account (whose LDAP-sourced home directory is '/') executes that sudo command, triggering PAM authentication for the 'backup' account. pam_winbind's mkhomedir logic fires, calls chown on '/' to assign ownership to the backup account's UID, and from that point SSH, sudo, and yum/dnf fail system-wide because those tools enforce root ownership on critical filesystem paths, requiring console or out-of-band access for recovery.
Remediation Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-15779 for vendor-released errata packages; no exact fixed RPM version could be independently confirmed from the available input data, so treat 'patch available per vendor advisory' as the operative status pending Red Hat errata publication. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Share

EUVD-2026-44662 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy