CVE-2026-2340
Description
A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Samba's vfs_worm WORM module fails to validate rename operations, allowing overwrite of protected files by authenticated users.
Vulnerability
A flaw exists in Samba's vfs_worm module, which is designed to enforce write-once, read-many (WORM) protections for files after a configurable grace period. Due to insufficient validation during rename operations, the module does not prevent a newly created file from being renamed over an existing WORM-protected file. This affects Samba versions where the vfs_worm module is enabled and configured with WORM protections.
Exploitation
An authenticated user with write access to a Samba share that uses the vfs_worm module can exploit this by creating a new file and then renaming it to the name of an existing WORM-protected file. The rename operation bypasses the intended protection, allowing the user to overwrite the protected file without any special privileges beyond standard write access to the share.
Impact
Successful exploitation allows an authenticated attacker to overwrite WORM-protected files, violating the integrity and non-repudiation guarantees that the WORM feature is intended to provide. This could lead to unauthorized modification of critical or audit-related data stored on the share.
Mitigation
Samba released a fix for CVE-2026-2340 on 2026-05-27. Users should update Samba to the latest patched version. There is no known workaround if patching cannot be applied immediately, as the issue is inherent to the vfs_worm module's rename handling. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
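For shares that ran vfs_worm before the fix, one way to look for protected files that were renamed over is to compare a baseline manifest of inode and hash with the current tree. This is an added example, not Samba code; it assumes protection is judged by ctime age against a grace period in seconds and that the share's backing directory is readable locally, and the function and file names are hypothetical.

```python
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(root, grace_period, now):
    """Map relative path -> (inode, sha256) for files past the grace period."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Assumption: protection is judged by ctime age; younger files are skipped.
            if not stat.S_ISREG(st.st_mode) or now - st.st_ctime <= grace_period:
                continue
            manifest[os.path.relpath(path, root)] = (st.st_ino, sha256_of(path))
    return manifest


def audit(baseline, root):
    """Report protected files that are gone, altered, or swapped since baseline."""
    findings = []
    for rel, (ino, digest) in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
        elif sha256_of(path) != digest:
            findings.append((rel, "content changed"))
        elif os.lstat(path).st_ino != ino:
            findings.append((rel, "replaced by a different inode"))
    return findings


def demo(grace_period=3600):
    with tempfile.TemporaryDirectory() as root:
        # Constructed local files; the baseline pretends the grace period is over.
        Path(root, "audit.log").write_bytes(b"original\n")
        Path(root, "ledger.csv").write_bytes(b"a,b\n")
        baseline = snapshot(root, grace_period, time.time() + grace_period + 1)
        Path(root, "new-file").write_bytes(b"1\n")
        os.replace(Path(root, "new-file"), Path(root, "audit.log"))
        return audit(baseline, root)
```

The audit only sees changes made after the baseline was taken, so the manifest has to be stored somewhere the share's users cannot write.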
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2
39535250fa55 CVE-2026-2340: test whether vfs_worm allows overwrite
2 files changed · +32 −0
selftest/knownfail.d/vfs-worm+2 −0 added@@ -0,0 +1,2 @@ +^samba3.blackbox.worm.SMB3 +^samba3.blackbox.worm.NT1
source3/script/tests/test_worm.sh+30 −0 modified@@ -40,6 +40,7 @@ do_cleanup() #subshell. cd "$share_test_dir" || return rm -f must-be-deleted must-not-be-deleted must-be-deleted-after-ctime-refresh + rm -f must-not-be-overwritten sentinel-value ) rm -f $tmpfile } @@ -51,13 +52,18 @@ do_cleanup tmpfile=$PREFIX/smbclient_interactive_prompt_commands +tmp_sentinel=$PREFIX/sentinel_value +SENTINEL_VALUE='1' +echo $SENTINEL_VALUE > $tmp_sentinel + test_worm() { # use echo because helo scripts don't support variables echo " put $tmpfile must-be-deleted put $tmpfile must-be-deleted-after-ctime-refresh put $tmpfile must-not-be-deleted +put $tmpfile must-not-be-overwritten del must-be-deleted quit" > $tmpfile # make sure the directory is not too old for worm: @@ -97,6 +103,30 @@ quit" > $tmpfile printf "$0: ERROR: must-not-be-deleted WAS deleted\n" return 1 } + + # Check we can't change a protected file by renaming over it. + # The source file needs to recently created or access will be + # denied before RENAME_AT is reached, which is the thing we + # want to test. + original_contents=`cat $share_test_dir/must-not-be-overwritten` + echo " +put $tmp_sentinel sentinel-value +rename sentinel-value must-not-be-overwritten -f +quit" > $tmpfile + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/worm -I$SERVER_IP $ADDARGS < $tmpfile 2>&1' + eval echo "$cmd" + out=$(eval "$cmd") + new_contents=`cat $share_test_dir/must-not-be-overwritten` + + if [ "$new_contents" = "$SENTINEL_VALUE" ]; then + echo "must-not-be-overwritten was overwritten" + return 1 + fi + if [ "$new_contents" != "$original_contents" ]; then + echo "must-not-be-overwritten was changed (but not precisely overwritten)" + return 1 + fi + # if we're not root, return here: test "$UID" = "0" || { return 0
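Review bot: in the @@ -51,13 +52,18 @@ hunk of test_worm.sh, `$tmp_sentinel` is created under $PREFIX but nothing visible removes it: the do_cleanup change only deletes the two files inside the share directory, and the existing `rm -f $tmpfile` is not extended. Suggest `rm -f $tmpfile $tmp_sentinel` in do_cleanup, and quoting the expansions in `echo $SENTINEL_VALUE > $tmp_sentinel` so a $PREFIX containing spaces does not break the redirect.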
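Review bot: in the @@ -97,6 +103,30 @@ hunk of test_worm.sh, `out=$(eval "$cmd")` is captured but never examined, so the new check passes whenever the file contents are unchanged, including when smbclient fails to connect or the `put` of sentinel-value is refused and the rename is never attempted. Suggest asserting on `$out` that the rename itself was refused, and checking that sentinel-value still exists in $share_test_dir afterwards. Minor: the comment "needs to recently created" is missing "be", and the new lines mix backtick substitution with `$(...)`.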
44b199a35222 CVE-2026-2340: vfs_worm: Check destination WORM status in rename
2 files changed · +18 −2
selftest/knownfail.d/vfs-worm+0 −2 removed@@ -1,2 +0,0 @@ -^samba3.blackbox.worm.SMB3 -^samba3.blackbox.worm.NT1
source3/modules/vfs_worm.c+18 −0 modified@@ -218,11 +218,29 @@ static int vfs_worm_renameat(vfs_handle_struct *handle, const struct smb_filename *smb_fname_dst, const struct vfs_rename_how *how) { + struct stat_ex dst_st; + int ret; + if (is_readonly(handle, smb_fname_src)) { errno = EACCES; return -1; } + /* Check if destination is WORM-protected (fixes CVE-2026-2340) */ + ret = SMB_VFS_FSTATAT(handle->conn, + dst_dirfsp, + smb_fname_dst, + &dst_st, + AT_SYMLINK_NOFOLLOW); + if (ret == 0) { + struct smb_filename dst_with_stat = *smb_fname_dst; + dst_with_stat.st = dst_st; + if (is_readonly(handle, &dst_with_stat)) { + errno = EACCES; + return -1; + } + } + return SMB_VFS_NEXT_RENAMEAT(handle, src_dirfsp, smb_fname_src,
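Review bot: the new destination check in vfs_worm_renameat fails open, because any non-zero return from SMB_VFS_FSTATAT, not only a missing destination, skips the `if (ret == 0)` block and falls through to SMB_VFS_NEXT_RENAMEAT. Suggest treating only errno == ENOENT as "no destination to protect" and returning -1 for other stat errors. The stat and the rename are also separate calls, so a short comment on why that window is acceptable for WORM files would help, and the CVE reference reads better in the commit message than in the code comment.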
References: 3
News mentions: 0. No linked articles in our index yet.