Medium

Samba vfs_worm rename overwrite bypass

IdentifiersCVE-2026-2340CWE-20

CVE-2026-2340 is a flaw in Samba's vfs_worm module, which is intended to enforce write-once, read-many protections by making files immutable over SMB after a configurable grace period. Due to insufficient validation during rename operations, the module checked whether the source file being renamed was still mutable but failed to verify whether the destination path already referred to an existing WORM-protected file. As a result, an authenticated user with write access to a share could create a new file and rename it over an existing protected file, thereby overwriting content that should have been immutable. The issue affects Samba versions since 4.20 when the vfs_worm module is in use.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker with write access to a Samba share using vfs_worm to bypass the module's intended immutability guarantees and overwrite files that should be protected after the grace period expires. The primary impact is loss of file integrity. Samba stated the flaw does not bypass underlying filesystem permissions, does not bypass other Samba modules, and does not grant access beyond what the user already has; the issue is specifically an integrity violation of WORM-protected content. The published CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N with a base score of 6.5.

Mitigation

If you can’t patch tonight, do this now.

As temporary mitigations, Samba advised setting existing files to read-only in the underlying filesystem to prevent modification, or setting 'worm:grace_period' in smb.conf to zero or less to eliminate the rename window. Samba noted that reducing the grace period to zero or less can disrupt workflows that create and write files in multiple steps. Disabling vfs_worm is not a meaningful workaround for preserving intended WORM semantics.

Remediation

Patch, then assume compromise.

Upgrade Samba to a fixed release: 4.22.10, 4.23.8, or 4.24.3, as applicable, or apply the vendor patch published on the Samba security site. Administrators should deploy the official Samba fixes as soon as possible on systems that use the vfs_worm module.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Red HatEnterprise Linuxoperating_system

Red HatOpenshift Container Platformapplication

SambaSambaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

sambaNews

Jan 1, 2026

Samba - Security Announcement Archive

A Samba vfs_worm module flaw that allows overwriting protected WORM files by renaming a newly created file over an existing protected file, undermining intended write-once protections for SMB-shared files.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-2340

NVD

nvd.nist.gov/vuln/detail/CVE-2026-2340

MITRE CWE · CWE-20

cwe.mitre.org

Vendor Advisory

bugzilla.samba.org/show_bug.cgi?id=15997

Mitigation

access.redhat.com/security/cve/CVE-2026-2340

Third Party Advisory

bugzilla.redhat.com/show_bug.cgi?id=2447318

access.redhat.com

access.redhat.com/errata/RHSA-2026:22963

access.redhat.com

access.redhat.com/errata/RHSA-2026:25049

access.redhat.com

access.redhat.com/errata/RHSA-2026:25979