CVE-2026-2340

Medium
Weakness Type: CWE-280 (Improper Handling of Insufficient Permissions or Privileges)
Published: May 27, 2026  ·  Modified: May 30, 2026  ·  Source: NVD
CVSS v3
6.5
📄 Description (English)

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

🤖 AI Executive Summary

CVE-2026-2340 is a medium-severity vulnerability in Samba's vfs_worm module that lets an authenticated user with write access to a share bypass write-once, read-many (WORM) protection by renaming a newly created file over a file the module should already have made read-only. It matters to organizations that rely on Samba for compliance-critical file storage, particularly in regulated sectors. No public exploit is available at the time of writing and exploitation needs valid credentials, but the impact is integrity-only and direct: data the share is supposed to keep immutable can be silently replaced.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 06:54
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Samba for compliance-critical file storage face significant risk, particularly:
1. Banking sector (SAMA-regulated institutions) storing audit logs and transaction records requiring immutability
2. Government agencies (NCA oversight) maintaining classified documents and compliance records
3. Healthcare providers (MOH-regulated) storing patient records under HIPAA-equivalent requirements
4. Energy sector (ARAMCO, SEC) maintaining operational technology documentation
5. Telecom operators (STC, Mobily) storing billing and customer data
The vulnerability directly undermines WORM compliance controls required by Saudi regulatory frameworks.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Healthcare and Medical Services; Energy and Utilities; Telecommunications; Legal and Compliance Services; Education and Research
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Samba deployments using the vfs_worm module: grep -r 'vfs objects.*worm' /etc/samba/ on each server, and confirm with testparm -s | grep -i worm, since 'vfs objects' can be set per share or in an included file outside that directory
2. Restrict write access to WORM-protected shares to only essential users
3. Implement file-level access controls and audit logging on affected shares
4. Monitor rename operations on WORM-protected directories using auditd rules

Patching Guidance:
1. Monitor Samba security advisories at https://www.samba.org/samba/security/ for patch availability
2. Plan immediate patching upon release for every affected product listed below (RHEL 7, 8, 9 and 10 and OpenShift Container Platform 4), and for any Samba you build from upstream source
3. Test patches in non-production environments before deployment

Compensating Controls (until a patch is available):
1. Disable the vfs_worm module only where WORM is not actually required (comment out 'vfs objects = worm' in smb.conf). Where the share exists to satisfy a retention requirement this is not a mitigation: it removes the control entirely
2. Set filesystem-level immutability with chattr +i on the most critical files. The kernel refuses rename() onto an immutable target with EPERM, so this blocks the described bypass regardless of what smbd does; the flag needs root (CAP_LINUX_IMMUTABLE) to set and clear and also blocks legitimate deletion at the end of the retention period, so apply it selectively
3. Use SELinux policy to deny rename on protected directories. This needs a custom policy module for the smbd domain (there is no stock boolean for it), so test it in a lab first
4. Deploy file integrity monitoring (AIDE/Tripwire) on WORM-protected shares. Baseline content hashes and inode numbers, not just mtimes: a rename-over replaces the file, so the hash and inode change while the name does not
5. Restrict network access to the Samba shares (host firewall, VLAN segmentation) to the clients that need them

Detection Rules:
1. auditd: -w /path/to/worm/share -p wa -k worm_rename_audit watches the share tree recursively and records a rename as a write to the containing directory. To record only renames, use the syscall form instead: -a always,exit -F arch=b64 -S rename,renameat,renameat2 -F dir=/path/to/worm/share -k worm_rename_audit (add an arch=b32 twin if 32-bit binaries run on the host)
2. Stock smbd logs do not record renames at the default log level. Load vfs_full_audit in front of vfs_worm (vfs objects = full_audit worm) with full_audit:success = renameat (rename on Samba releases that predate the renameat VFS call) so every successful rename is logged with its source and destination, then alert when the destination already existed
3. Alert on any successful modification, rename-over or deletion of a file that is older than the share's worm:grace_period. Changes inside the grace period are permitted by design and alerting on them only produces noise
4. Keep an inventory of accounts with write access to WORM shares and review their activity
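The script below is an added example for this advisory (it is not Samba code and not part of the original page); it applies detection rule 3 to vfs_full_audit output: it parses smbd_audit log lines and, for every successful rename, checks whether the destination already existed and was older than the grace period, which is exactly the replacement the description says vfs_worm failed to block. The record layout (user|ip|op|ok|args, renameat with source|destination), the 300-second grace period, the file inventory and the log lines themselves are assumptions constructed for the example.

```python
"""Flag WORM bypasses (rename over a protected file) in Samba vfs_full_audit logs.

Added example for this advisory; not Samba code and not part of the original
page. Assumptions, all constructed for the example:
  * smbd logs through vfs_full_audit with the default prefix (%u|%I), so a
    record looks like   smbd_audit: <user>|<client ip>|<op>|<ok|fail>|<args>
    and a successful rename is   ...|renameat|ok|<source>|<destination>
  * the share's worm:grace_period is 300 seconds
  * file creation times come from a stat() inventory of the share taken earlier
"""
import re
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(seconds=300)  # assumed worm:grace_period = 300

# Constructed inventory: share-relative path -> time the file was created.
INVENTORY = {
    "audit/2026-05-q1.log": datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc),
    "audit/2026-05-q2.log": datetime(2026, 5, 30, 8, 58, tzinfo=timezone.utc),
}

# Constructed syslog lines (ISO timestamps, as rsyslog's high-precision format emits).
SAMPLE_LINES = [
    "2026-05-30T09:00:01+00:00 fs01 smbd_audit: alice|10.0.0.5|openat|ok|tmp/new.log",
    # rename over a file created on May 1: far past the grace period -> bypass
    "2026-05-30T09:00:02+00:00 fs01 smbd_audit: alice|10.0.0.5|renameat|ok|tmp/new.log|audit/2026-05-q1.log",
    # rename over a file created two minutes ago: still inside the grace period, allowed
    "2026-05-30T09:00:03+00:00 fs01 smbd_audit: bob|10.0.0.7|renameat|ok|tmp/draft.log|audit/2026-05-q2.log",
    # failed rename: vfs_worm (or permissions) refused it, nothing was replaced
    "2026-05-30T09:00:04+00:00 fs01 smbd_audit: bob|10.0.0.7|renameat|fail|tmp/x.log|audit/2026-05-q1.log",
    # rename to a path that did not exist before: a new file, not a replacement
    "2026-05-30T09:00:05+00:00 fs01 smbd_audit: carol|10.0.0.9|renameat|ok|tmp/a.log|reports/may.log",
    "this line is not an audit record",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<op>[^|]*)\|(?P<result>ok|fail)\|(?P<args>.*)$"
)


def parse(line):
    """Split one full_audit record into its fields; None if the line is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["args"] = rec["args"].split("|")
    return rec


def is_protected(path, when, inventory=INVENTORY, grace=GRACE_PERIOD):
    """vfs_worm semantics: a file becomes read-only once it is older than the
    grace period. A path absent from the inventory did not exist, so it is
    unprotected and may be written or renamed onto."""
    created = inventory.get(path)
    return created is not None and when - created > grace


def find_worm_bypass(lines, inventory=INVENTORY, grace=GRACE_PERIOD):
    """One alert per successful rename whose destination was already a
    WORM-protected file. Renames within the grace period are allowed by design
    and are deliberately not reported; failed renames replaced nothing."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "ok":
            continue
        # Samba 4.13+ logs the VFS call as renameat; older releases logged rename.
        if rec["op"] not in ("renameat", "rename") or len(rec["args"]) != 2:
            continue
        src, dst = rec["args"]
        if is_protected(dst, rec["ts"], inventory, grace):
            alerts.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"],
                           "src": src, "dst": dst})
    return alerts


if __name__ == "__main__":
    for a in find_worm_bypass(SAMPLE_LINES):
        print(f"{a['ts'].isoformat()} WORM bypass: {a['user']}@{a['ip']} "
              f"renamed {a['src']} over protected {a['dst']}")
```

Run against the constructed lines it reports only alice's rename over audit/2026-05-q1.log; bob's rename lands inside the grace period and his second attempt failed, and carol created a new file. In production the inventory would be refreshed from the share (or from the openat/create records in the same log) rather than hard-coded.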
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.2.1 - User access management and authentication
ECC 2024 A.8.2.3 - Access rights review and management
ECC 2024 A.12.4.1 - Event logging and monitoring
ECC 2024 A.12.4.3 - Protection of log information
ECC 2024 A.13.1.1 - Information transfer policies and procedures
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software inventory and asset management
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.AC-3 - Access enforcement and least privilege
SAMA CSF DE.CM-1 - System monitoring and anomaly detection
SAMA CSF DE.CM-3 - Unauthorized activity detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.8.15 - Logging
ISO 27001:2022 A.8.20 - Networks security
🟣 PCI DSS v4.0.1
PCI DSS 2.4 - Configuration standards for system components
PCI DSS 7.1 - Limit access to system components by business need
PCI DSS 10.2 - Implement automated audit trails for access to cardholder data
📦 Affected Products / CPE 6 entries
redhat:openshift_container_platform:4.0
samba:samba
redhat:enterprise_linux:7.0
redhat:enterprise_linux:8.0
redhat:enterprise_linux:9.0
redhat:enterprise_linux:10.0
📊 CVSS Score
6.5
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: N (None)
Integrity: H (High)
Availability: N (None)
📋 Quick Facts
Severity Medium
CVSS Score 6.5
CWE CWE-280
EPSS 0.03%
Exploit No
Patch ✗ No
Published 2026-05-27
Source Feed nvd
🇸🇦 Saudi Risk Score
6.8
/ 10.0 — Saudi Risk
Priority: HIGH