DEBIAN-CVE-2026-2340

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2026-2340

Published: 27 May 2026, 14:16

Last modified:28 May 2026, 09:00

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

27 May 2026, 14:16

Published

Vulnerability first disclosed

28 May 2026, 09:00

Last Modified

Vulnerability information updated

Description

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Systems

debian•samba
all | < 2:4.17.12+dfsg-0+deb12u4 | < 2:4.22.8+dfsg-0+deb13u2 | all

References (1)

https://security-tracker.debian.org/tracker/CVE-2026-2340