VDB
GSD-2021-44142
GSD-2021-44142
PUBLISHED
CVSS 8.800000190734863 HIGH
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
Risk Scores
CVSS v3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Samba | Samba | unspecified, unspecified, * |
Timeline
- Oct 20, 2021 CVE Published
- Feb 4, 2022 PoC Published
- Dec 27, 2024 PoC Published
- Feb 13, 2025 PoC Published
- Mar 28, 2025 PoC Published
- May 12, 2025 PoC Published
- Apr 18, 2026 Security Advisory
- Apr 18, 2026 Security Advisory
References
- https://www.samba.org/samba/security/CVE-2021-44142.html url
- https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin url
- https://kb.cert.org/vuls/id/119678 third-party-advisory
- https://bugzilla.samba.org/show_bug.cgi?id=14914 url
- GLSA-202309-06 vendor-advisory
- https://www.kb.cert.org/vuls/id/119678 url