CVE-2026-15779
Received Received - Intake

Privilege Escalation via pam_winbind mkhomedir in Samba

Vulnerability report for CVE-2026-15779, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: Red Hat, Inc.

Description

A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
samba pam_winbind to 4.24.3 (exc)
samba pam_winbind From 4.24.3 (inc)
samba pam_winbind From 4.24 (inc)
samba pam_winbind *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in Samba's pam_winbind module. When the mkhomedir feature is enabled, it changes ownership of a user's home directory without checking if the path is a critical system directory like /. If a system account has / as its home directory, a non-root user with limited sudo access can trigger this flaw, causing the root directory's ownership to change. This leads to severe denial of service affecting SSH, sudo, and package managers.

Impact Analysis

This flaw can cause system-wide failures. If the root directory's ownership is changed, critical services like SSH, sudo, and package managers may stop working. This results in loss of system access and inability to install or update software, severely disrupting normal operations.

Detection Guidance

Check if pam_winbind is enabled and mkhomedir is set to true in the PAM configuration. Review sudo delegation rules for accounts with / as home directory. Inspect system logs for unusual chown operations targeting critical directories like /.

Mitigation Strategies

Disable mkhomedir in pam_winbind configuration. Restrict sudo delegation to prevent non-root users from running commands as system accounts with / as home directory. Verify and restore ownership of critical directories like / if affected.

Compliance Impact

This vulnerability could lead to severe denial of service by altering ownership of critical system directories like /, potentially disrupting services such as SSH, sudo, and package management. Such disruptions may violate compliance requirements for availability and integrity in standards like GDPR (data processing integrity) and HIPAA (system availability for healthcare operations).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15779. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart