Canonical released the USN-8306-1 security notice on 26 May 2026, fixing six vulnerabilities in Samba, the SMB/CIFS file, print and authentication server that sits between many Linux boxes and Windows clients. Two of the flaws lead to arbitrary code execution, so any machine acting as a file server or Active Directory domain controller should be patched without delay.
The notice covers Ubuntu 22.04 LTS, 24.04 LTS, 25.10 and the new 26.04 LTS. Not every CVE touches every release, but the fix is the same across the board: install the updated Samba packages (apt update && apt full-upgrade) and restart the Samba daemons, smbd, nmbd and winbind on a file or print server, or the samba-ad-dc service on an Active Directory domain controller.
What each CVE does
The two most serious bugs are the ones that lead to code execution:
- CVE-2026-4408 sits in the DCE/RPC SAMR server. Improper handling of password check scripts lets a remote attacker run arbitrary code on the server. It affects every release covered by the notice.
- CVE-2026-4480 lives in the printing subsystem. Improper handling of print commands gives a remote attacker the same code-execution path. It also affects every release covered by the notice.
The remaining four are lower impact but still worth patching:
- CVE-2026-1933 lets an attacker modify reparse point extended attributes on files that should be read-only, bypassing access control. It only affects 25.10 and 26.04 LTS.
- CVE-2026-2340 is in the vfs_worm module, which makes files immutable (write once, read many). The flaw allows overwriting files that should stay locked. It affects all releases.
- CVE-2026-3238 is a denial of service in the WINS server of an Active Directory domain controller, letting a remote attacker crash the service. It affects all releases.
- CVE-2026-3012 is a certificate auto-enrollment flaw that a machine-in-the-middle attacker could use to install a malicious CA certificate. It affects 24.04 LTS, 25.10 and 26.04 LTS.
Who’s affected and how to mitigate
Any Samba deployment serving file shares, acting as a domain controller, or handling print jobs falls within scope. The two code-execution bugs are the reason to act fast, especially when the service is reachable beyond the local network.
Canonical is clear: a standard system update applies all the necessary changes. Nothing needs reconfiguring; install the patched versions and restart the Samba daemons. If you rely on vfs_worm for data retention or on certificate auto-enrollment, confirm after the update that locked files still reject writes and that certificates are still enrolled as expected.
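Before and after patching, it helps to know which of the features the notice names are actually enabled on a given host, because that decides which CVEs apply and what to re-test. The script below is an added example, not part of the Ubuntu notice or of Samba's own tooling: it parses an smb.conf in plain POSIX sh and awk (no Samba binaries needed) and reports whether the host is an AD domain controller (CVE-2026-3238, CVE-2026-3012), serves WINS, configures a password check script (CVE-2026-4408), has printing enabled (CVE-2026-4480) or loads vfs_worm on any share (CVE-2026-2340). The sample configuration is constructed for the demo, and the mapping of the notice's "password check scripts" to the check password script smb.conf parameter is an assumption.

```shell
#!/bin/sh
# Added example (not from USN-8306-1 or Samba): list the USN-8306-1-relevant
# features enabled in an smb.conf. Assumption: the notice's "password check
# script" is the "check password script" parameter.

# Constructed sample configuration for the demo. On a real host feed
# /etc/samba/smb.conf (or the output of "testparm -s") on stdin instead.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   ; WINS only matters for CVE-2026-3238 because this host is a DC
   wins support = yes
   check password script = /usr/local/sbin/checkpw.sh
   load printers = yes
   printing = cups

[archive]
   path = /srv/archive
   vfs objects = acl_xattr worm
   worm:grace_period = 300

[print$]
   path = /var/lib/samba/printers'

# Read smb.conf text on stdin; emit one "section|key|value" line per
# parameter with comments dropped, keys lower-cased and whitespace trimmed.
normalise_conf() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print sec "|" key "|" val
        }'
}

# Read smb.conf text on stdin; print one line per exposed feature, sorted.
# Feature names: ad-dc, wins, password-script, printing, vfs_worm.
samba_exposure() {
    normalise_conf | awk -F'|' '
        function yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
        $1 == "global" && $2 == "server role" && tolower($3) ~ /domain controller/ { hit["ad-dc"] = 1 }
        $1 == "global" && $2 == "wins support" && yes($3)                           { hit["wins"] = 1 }
        $1 == "global" && $2 == "check password script" && $3 != ""                 { hit["password-script"] = 1 }
        $2 == "load printers" && yes($3)                                            { hit["printing"] = 1 }
        $2 == "print command" && $3 != ""                                           { hit["printing"] = 1 }
        $2 == "printable" && yes($3)                                                { hit["printing"] = 1 }
        $2 == "vfs objects" && (" " $3 " ") ~ / worm /                              { hit["vfs_worm"] = 1 }
        END { for (k in hit) print k }' | LC_ALL=C sort
}

# Demo run on the constructed config.
printf '%s\n' "$SAMPLE_CONF" | samba_exposure
```

On a live host run `samba_exposure < /etc/samba/smb.conf`, or pipe in `testparm -s` output to see the effective configuration. A host that reports only `vfs_worm` or nothing at all still needs the update, since the code-execution fixes ship in the same packages; the list just tells you which behaviour (locked files on a worm share, print jobs, DC enrollment) to exercise once smbd, nmbd and winbind (or samba-ad-dc) are back up.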
For an overview of supported Ubuntu releases and their end-of-life dates, see the Ubuntu page.
Source
- Ubuntu Security Notice USN-8306-1: https://ubuntu.com/security/notices/USN-8306-1
- CVE-2026-4408: https://nvd.nist.gov/vuln/detail/CVE-2026-4408
- CVE-2026-4480: https://nvd.nist.gov/vuln/detail/CVE-2026-4480