SMB printer settings don't escape characters in passwords properly
Description
yast2-printer up to 4.0.2 does not escape backticks in SMB passwords, enabling command injection as root when root enters a malicious password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
yast2-printer up to 4.0.2 does not escape backticks in SMB passwords, enabling command injection as root when root enters a malicious password.
Vulnerability
The vulnerability resides in the SMB/CIFS printer configuration of yast2-printer versions up to and including 4.0.2. When a user (typically root) enters a password containing backticks (` `) or similar shell metacharacters in the YaST printer connection wizard, the password is passed unsanitized to a shell command via the /usr/lib/YaST2/bin/test_remote_smb` script [1]. This results in command injection because the password is interpolated directly into a shell command line without proper escaping.
Exploitation
An attacker must trick a root user into entering a specially crafted password containing backticks (e.g., ` xeyes ) in the SMB/CIFS connection wizard of YaST. No network access or authentication is required beyond the root user's interaction. The password is then used in a shell command executed by the test_remote_smb` script, which runs with root privileges [1]. The injected commands are executed in the context of that shell.
Impact
Successful exploitation allows arbitrary command execution as root, leading to full compromise of the system. The attacker can execute any command with the highest privileges, potentially installing malware, exfiltrating data, or disrupting services.
Mitigation
No fixed version is disclosed in the available reference [1]. Users should avoid entering passwords containing backticks or other shell metacharacters in the YaST printer settings until a patched version of yast2-printer is released. As a workaround, ensure that SMB passwords consist only of alphanumeric characters.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=4.0.2+ 1 more
- (no CPE)range: <=4.0.2
- (no CPE)range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"SMB printer settings do not properly escape characters in passwords, allowing for command injection."
Attack vector
An attacker can trick a user with root privileges into entering a password containing special characters, such as backticks, into the SMB printer settings within YaST. The vulnerable code then executes this password as a command. This allows for arbitrary code execution with root privileges. [ref_id=1]
Affected code
The vulnerability exists in the yast2-printer component, specifically within the code responsible for handling SMB printer settings. The vulnerable code was introduced with commit 5305ab79, which converted YCP files to Ruby. The `test_remote_socket` script and `connectionwizard.rb` are identified as relevant code paths. [ref_id=1]
What the fix does
The advisory does not specify the exact fix, but it indicates that the vulnerability is addressed by properly escaping characters in passwords. This prevents specially crafted input from being interpreted as commands by the system. The fix ensures that passwords containing special characters are treated as literal strings rather than executable code. [ref_id=1]
Preconditions
- authThe attacker must trick a user with root privileges.
- inputThe user must enter a password containing special characters (e.g., backticks) into the SMB printer settings.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- bugzilla.suse.com/show_bug.cgimitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.