CVE-2026-2340 - Vulnerability Details

- Samba: vfs_worm does not block directory modification

Description

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Published: 2026-05-27

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Samba’s vfs_worm module allows an authenticated user with write access to a share to overwrite a protected file by renaming a new file over the existing WORM-protected file due to insufficient validation of rename operations. This undermines the core purpose of WORM protection, which is to enforce file immutability after a grace period, and exposes the system to intentional data tampering and loss of compliance guarantees. The weakness is classified as CWE‑280, reflecting improper access control over file modifications.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6, 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4. All instances that run the affected Samba version on these platforms are susceptible unless protected files are otherwise secured at the filesystem level.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is considered medium severity. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, indicating no known active exploitation campaigns at this time. Nonetheless, the attack requires local or network authentication with standard write access to a Samba share, a configuration that is common in many environments. An attacker who meets these prerequisites can overwrite WORM‑protected files, potentially compromising critical archival data and regulatory compliance.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Enterprise Linux 10	affected	—
Red Hat	Red Hat Enterprise Linux 6	unknown	—
Red Hat	Red Hat Enterprise Linux 6	unknown	—
Red Hat	Red Hat Enterprise Linux 7	affected	—
Red Hat	Red Hat Enterprise Linux 8	affected	—
Red Hat	Red Hat Enterprise Linux 9	affected	—
Red Hat	Red Hat OpenShift Container Platform 4	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

Administrators can mitigate this issue by: Setting read-only permissions on protected files at the underlying filesystem level will prevent modifications. Configuring ```worm:grace_period = 0``` (zero or less) in smb.conf will eliminate the writable grace period (will eliminate the window in which the rename can happen), understanding that this may impact workflows requiring multi-step file creation.

OpenCVE Recommended Actions

Set read‑only permissions on protected files at the underlying filesystem level to prevent modification
Configure "worm:grace_period = 0" in smb.conf to eliminate the writable grace period and close the rename window
Limit or remove write permissions for users who do not require file overwrite capability, ensuring only trusted users can modify protected files

Generated by OpenCVE AI on May 27, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6297-1	samba security update
Ubuntu USN	USN-8306-1	Samba vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-2340
https://bugzilla.redhat.com/show_bug.cgi?id=2447318
https://bugzilla.samba.org/show_bug.cgi?id=15997

History

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
Title		Samba: vfs_worm does not block directory modification
First Time appeared		Redhat Redhat enterprise Linux Redhat openshift
Weaknesses		CWE-280
CPEs		cpe:/a:redhat:openshift:4 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux Redhat openshift
References		https://access.redhat.com/security/cve/CVE-2026-2340 https://bugzilla.redhat.com/show_bug.cgi?id=2447318 https://bugzilla.samba.org/show_bug.cgi?id=15997
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Redhat Enterprise Linux Openshift

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-05-27T12:09:32.601Z

Updated: 2026-05-27T13:22:15.957Z

Reserved: 2026-02-11T12:29:16.340Z

Link: CVE-2026-2340

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:44.387

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-2340

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T15:30:27Z

Weaknesses

CWE-280

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object