DEBIAN-CVE-2026-1933

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2026-1933

Published: 27 May 2026, 14:16

Last modified:28 May 2026, 09:00

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

27 May 2026, 14:16

Published

Vulnerability first disclosed

28 May 2026, 09:00

Last Modified

Vulnerability information updated

Description

A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.

CVSS Metrics

v3.1•HIGH•Score: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Systems

debian•samba
< 2:4.22.8+dfsg-0+deb13u2 | all

References (1)

https://security-tracker.debian.org/tracker/CVE-2026-1933