Updated: 2026-02-25 07:34:37.856563
Description:
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets is inserted into a shell command and executed by the Samba Active Directory Domain Controller's wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | HIGH | 10.0 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | samba | 4.17.5 | 10.0 | HIGH | In Testing | | 2026-02-27 10:11:02 | |
| Alpine Linux 3.18 ELS | samba | 4.18.11 | 10.0 | HIGH | Already Fixed | | 2026-03-02 22:57:30 | |
| CentOS 6 ELS | samba | 3.6.23 | 10.0 | HIGH | Not Vulnerable | | 2026-03-02 22:57:30 | Not affected: CVE-2025-10230 only triggers on Samba Active Directory Domain Controllers when WINS su... |
| CentOS 7 ELS | samba | 4.10.16 | 10.0 | HIGH | Not Vulnerable | | 2026-03-02 22:57:34 | Not affected: this exploit requires the Samba AD Domain Controller's WINS server with the "wins ... |
| CentOS 8.4 ELS | samba | 4.13.3-5 | 10.0 | HIGH | Not Vulnerable | | 2026-03-04 08:19:15 | Not affected: The CentOS 8.4 ELS Samba 4.13.3 packages inherit the RHEL 8 build configuration and ar... |
| CentOS 8.5 ELS | samba | 4.14.5-7 | 10.0 | HIGH | Not Vulnerable | | 2026-03-04 08:19:16 | Not affected: this flaw is only reachable on Samba Active Directory Domain Controllers with the WINS... |
| CentOS Stream 8 ELS | samba | 4.19.4 | 10.0 | HIGH | Not Vulnerable | | 2026-03-04 08:19:21 | Not vulnerable. CVE-2025-10230 is only exploitable when Samba is running as an Active Directory Doma... |
| CloudLinux 7 ELS | samba | 4.10.16 | 10.0 | HIGH | Not Vulnerable | | 2026-03-02 22:57:34 | Not affected: this exploit requires the Samba AD Domain Controller's WINS server with the "wins ... |
| Debian 10 ELS | samba | 4.9.5 | 10.0 | HIGH | Already Fixed | | 2026-03-02 22:57:29 | |
| Oracle Linux 6 ELS | samba | 3.6.23 | 10.0 | HIGH | Not Vulnerable | | 2026-03-02 22:57:36 | Not affected: CVE-2025-10230 only triggers on Samba Active Directory Domain Controllers when WINS su... |