CVE-2026-3238

Summary

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-476: NULL Pointer Dereference

Workarounds

As a workaround, deployments that do not strictly require Samba-provided WINS functionality should disable WINS support by removing: wins support = yes from the Samba configuration.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

samba: Denial of service against AD DC WINS server

Additional References

References