CVE-2026-3238

Samba: denial of service against ad dc wins server

CVSS 7.5 HIGHEPSS 2.6%CWE-476

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 2.6%KEV nãoPoC —Patch —

Lifecycle

08 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Red Hat · Red Hat Enterprise Linux 10 Red Hat · Red Hat Enterprise Linux 6 Red Hat · Red Hat Enterprise Linux 7 Red Hat · Red Hat Enterprise Linux 8 Red Hat · Red Hat Enterprise Linux 9 Red Hat · Red Hat OpenShift Container Platform 4

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/security/cve/CVE-2026-3238 https://bugzilla.redhat.com/show_bug.cgi?id=2486176 https://www.samba.org/samba/security/CVE-2026-3238.html