CVE-2026-2340 PUBLISHED

Samba: vfs_worm does not block directory modification

Assigner: redhat
Reserved: 11.02.2026 Published: 27.05.2026 Updated: 27.05.2026

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat OpenShift Container Platform 4
Versions	Default: affected

Workarounds

Administrators can mitigate this issue by:

Setting read-only permissions on protected files at the underlying filesystem level will prevent modifications.

Configuring worm:grace_period = 0 (zero or less) in smb.conf will eliminate the writable grace period (will eliminate the window in which the rename can happen), understanding that this may impact workflows requiring multi-step file creation.

Credits

Red Hat would like to thank Pavel Kohout (Aisle Research) for reporting this issue.

References

Problem Types

Improper Handling of Insufficient Permissions or Privileges CWE