Vulnerability in Samba's WINS Server Component for Active Directory Domain Controllers
CVE-2026-3238

7.5HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Vendor
CVE Published:
8 June 2026

What is CVE-2026-3238?

A vulnerability exists in Samba's WINS server component when operating as an Active Directory Domain Controller. Certain request types sent via the WINS protocol are not adequately validated, allowing unauthenticated remote attackers to send specially crafted UDP packets. This could lead to a NULL pointer dereference and subsequently crash the WINS service, thus impacting the availability of services relying on Samba's functionality.

References

https://access.redhat.com/security/cve/CVE-2026-3238
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2486176
issue-trackingx_refsource_REDHAT
https://www.samba.org/samba/security/CVE-2026-3238.html

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Arad Inbar (DREAM Security Research Team), Ben Grinberg (DREAM Security Research Team), Erez Cohen (DREAM Security Research Team), and Nir Somech (DREAM Security Research Team) for reporting this issue.
.