Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Local vector confirmed by description; PR:L because sudo delegation (not root) suffices; A:H for catastrophic availability loss; I:L for ownership metadata change without write access.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.
AnalysisAI
Unvalidated chown in Samba's pam_winbind module allows a local user with narrow sudo delegation to transfer ownership of the root filesystem directory to a system account, causing system-wide denial of service on Red Hat Enterprise Linux 6 through 10. When mkhomedir is enabled and a system account has its home directory set to '/', any PAM-triggered authentication event run as that account via sudo invokes the chown without path sanitization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific conditions must concurrently exist: (1) pam_winbind must be configured with mkhomedir enabled in the PAM stack (a non-default but common configuration in AD-integrated deployments); (2) the target account must have its home directory set to '/' or another critical system path - the description explicitly notes this is a common default for system/service accounts sourced from AD or LDAP; and (3) the attacker must hold a sudo delegation allowing them to execute at least one command as that system account, OR be operating as root. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H accurately reflects the local-only attack surface and high-severity availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on an AD-integrated RHEL system who holds a sudo rule permitting them to run a specific command as the 'backup' service account (whose LDAP-sourced home directory is '/') executes that sudo command, triggering PAM authentication for the 'backup' account. pam_winbind's mkhomedir logic fires, calls chown on '/' to assign ownership to the backup account's UID, and from that point SSH, sudo, and yum/dnf fail system-wide because those tools enforce root ownership on critical filesystem paths, requiring console or out-of-band access for recovery. |
| Remediation | Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-15779 for vendor-released errata packages; no exact fixed RPM version could be independently confirmed from the available input data, so treat 'patch available per vendor advisory' as the operative status pending Red Hat errata publication. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44662
GHSA-6fmw-7w5g-3pf9