Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-0829

Description

smbd in Samba before 2.2.11 allows remote attackers to cause a denial of service (daemon crash) by sending a FindNextPrintChangeNotify request without a previous FindFirstPrintChangeNotify, as demonstrated by the SMB client in Windows XP SP2.

Affected products

40
    • cpe:2.3:a:samba:samba:1.9.17:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.17:p1:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.17:p2:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.17:p3:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.17:p4:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.17:p5:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p1:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p10:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p2:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p3:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p4:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p5:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p6:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p7:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:1.9.18:p8:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.5a:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.10:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.3a:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.7a:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.8a:*:*:*:*:*:*:*
    • cpe:2.3:a:samba:samba:2.2.9:*:*:*:*:*:*:*
    • (no CPE) range: <2.2.11

Vulnerability mechanics

Root cause

"Missing precondition validation in printer_notify_info() allows a FindNextPrintChangeNotify request without a preceding FindFirstPrintChangeNotify, causing smbd to crash."

Attack vector

An authenticated remote attacker sends a FindNextPrintChangeNotify() request without first issuing the corresponding FindFirstPrintChangeNotify() request [ref_id=1]. This mismatched RPC sequence reaches `printer_notify_info()` in `rpc_server/srv_spoolss_nt.c`, which does not validate that a prior FindFirstPrintChangeNotify() was issued [ref_id=1]. The missing precondition check causes a NULL-pointer dereference or similar fatal condition that crashes the smbd daemon, denying service to other users. The SMB client in Windows XP SP2 was observed to trigger this behavior naturally.

What the fix does

The Samba 2.2.11 release fixes the missing state validation in the printer notification RPC handling [ref_id=1]. The patch introduces a check in `printer_notify_info()` that rejects a FindNextPrintChangeNotify() call when no corresponding FindFirstPrintChangeNotify() has been established. This prevents the daemon from reaching the code path that dereferences uninitialized or NULL state, thereby eliminating the crash.
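
A simplified model of the precondition check described above, added here as an example; it is not Samba's code or the actual patch. The struct, function names and status codes are hypothetical, and it assumes the missing notification state shows up as a NULL pointer on the printer handle.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical status codes and types for illustration; not Samba's definitions. */
enum { ST_OK = 0, ST_INVALID_HANDLE = 1, ST_NO_NOTIFY = 2 };

struct notify_opts { uint32_t flags; uint32_t change_id; };

struct printer_handle {
    int open;                    /* handle was opened by the client */
    struct notify_opts *notify;  /* set only by the "find first" call */
};

/* "Find first": registers notification state on the handle. */
int find_first_notify(struct printer_handle *h, struct notify_opts *storage,
                      uint32_t flags)
{
    if (h == NULL || !h->open || storage == NULL)
        return ST_INVALID_HANDLE;
    storage->flags = flags;
    storage->change_id = 0;
    h->notify = storage;
    return ST_OK;
}

/* Before: trusts the client to have called "find first" already. */
int find_next_notify_unchecked(struct printer_handle *h, uint32_t *change_id)
{
    *change_id = ++h->notify->change_id;  /* NULL dereference if state is missing */
    return ST_OK;
}

/* After: an out-of-order request gets an error and touches no state. */
int find_next_notify_checked(struct printer_handle *h, uint32_t *change_id)
{
    if (h == NULL || !h->open)
        return ST_INVALID_HANDLE;
    if (h->notify == NULL)                /* no prior "find first" on this handle */
        return ST_NO_NOTIFY;
    *change_id = ++h->notify->change_id;
    return ST_OK;
}
```

The point of the checked variant is that the server enforces the call order itself, so a client that skips the first call receives an error status and the process keeps serving other sessions.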

Preconditions

  • auth: Attacker must have network access and valid SMB authentication to the target Samba server
  • input: Attacker must send a crafted FindNextPrintChangeNotify() without preceding FindFirstPrintChangeNotify()
  • config: Target must be running Samba prior to 2.2.11 or prior to 3.0.6

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5