CVE-2026-3238
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-476: NULL Pointer Dereference
Workarounds
As a workaround, deployments that do not strictly require Samba-provided WINS functionality should disable WINS support by removing: wins support = yes from the Samba configuration.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
samba: Denial of service against AD DC WINS server
Additional References
- https://access.redhat.com/security/cve/CVE-2026-3238
- https://bugzilla.redhat.com/show_bug.cgi?id=2486176
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3238.json
References
- https://access.redhat.com/security/cve/CVE-2026-3238
- https://bugzilla.redhat.com/show_bug.cgi?id=2486176
- https://www.samba.org/samba/security/CVE-2026-3238.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.