CVE-2026-3238: Samba WINS Server NULL Pointer Dereference DoS Vulnerability
Samba's WINS server component contains a vulnerability that allows an unauthenticated attacker to crash the WINS service when Samba is configured as an Active Directory Domain Controller. The flaw exists in how the WINS protocol handlers process incoming network packets—certain request types lack proper validation, enabling an attacker to send specially crafted UDP packets that trigger a NULL pointer dereference and service denial. No authentication or user interaction is required; an attacker on the network can exploit this remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-15
NVD description (verbatim)
A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-3238 is a NULL pointer dereference (CWE-476) in Samba's WINS server component. The WINS protocol packet handlers fail to properly validate incoming UDP packets for certain request types when Samba operates as an Active Directory Domain Controller. This validation gap allows an unauthenticated remote attacker to craft malicious packets that dereference a NULL pointer, crashing the WINS service and causing denial of service. The vulnerability requires network access but no privileges or authentication.
Business impact
A successful attack renders the WINS service unavailable, disrupting name resolution services that depend on WINS in environments where Samba acts as an AD Domain Controller. For organizations relying on WINS for legacy name resolution or in hybrid AD environments, this denial of service can disrupt user connectivity, authentication, and resource discovery. The impact is limited to availability; there is no data theft or lateral movement risk from this flaw alone.
Affected systems
Samba installations configured to run as an Active Directory Domain Controller with the WINS server component enabled are affected. The vulnerability is specific to the WINS protocol handler within Samba's AD DC role. Organizations should inventory Samba-based domain controllers and verify whether WINS is actively deployed in their environment. Non-AD Samba file servers and Samba instances not running WINS are not affected.
Exploitability
This vulnerability has a CVSS 3.1 score of 7.5 (HIGH) reflecting high exploitability: the attack requires no authentication, no user interaction, and can be executed remotely via the network. However, the attack surface is limited to systems running Samba as an AD DC with WINS enabled and accessible from the attacker's network segment. Internal network access is typically required unless WINS is exposed on external interfaces (an uncommon misconfiguration).
Remediation
Apply security patches from Samba as soon as they become available. Verify the vendor advisory for patched version numbers and deployment guidance. As a temporary mitigation, restrict UDP access to WINS ports (typically 137–139) at the network boundary and firewall level, limiting exposure to trusted networks only. Organizations not using WINS should disable the WINS server component in Samba configuration. Monitor WINS service logs for crashes or anomalous traffic patterns.
Patch guidance
Consult the official Samba security advisory for the exact patched version numbers and apply updates according to your deployment model (source compilation, package manager, or appliance firmware). Test patches in a non-production environment first to verify compatibility with existing AD integration and replication. After patching, restart the Samba service and confirm WINS functionality is restored and stable.
Detection guidance
Monitor Samba WINS service logs and system logs for unexpected process crashes (segfaults) or service restarts. Network-based detection can identify suspicious UDP traffic to WINS ports with malformed or unusual packet structures; establish baseline traffic patterns and alert on deviations. Implement process monitoring and alerting for abnormal termination of the Samba WINS daemon. Review packet captures for UDP packets sent to WINS ports from unauthorized or unexpected sources.
Why prioritize this
Although CVE-2026-3238 is rated HIGH and exploitable without authentication, prioritization depends on your environment. Organizations running Samba as an AD DC with WINS enabled should treat this as urgent; others can schedule remediation during normal maintenance windows. The lack of confidentiality or integrity impact limits business severity, but denial of service to core directory services warrants prompt attention in AD-dependent environments.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a remotely exploitable NULL pointer dereference with no authentication barrier and high attack complexity of Low. The impact is confined to availability (service crash), resulting in a less severe rating than vulnerabilities affecting confidentiality or enabling code execution. Organizations should weigh this score against their reliance on Samba WINS services and network exposure.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. CVE-2026-3238 triggers a NULL pointer dereference that crashes the WINS service, resulting in denial of service only. There is no code execution, privilege escalation, or data exfiltration risk.
Is WINS enabled by default in Samba AD DC configurations?
WINS support in Samba can vary by configuration and deployment. You should verify your Samba configuration files (smb.conf) to check if WINS is explicitly enabled. If you are not using WINS for name resolution, disabling it eliminates the attack surface.
Do we need to patch if WINS is disabled in our Samba environment?
If WINS is completely disabled in your Samba configuration, you are not vulnerable to this flaw. However, patch management best practices suggest applying security updates promptly regardless, in case WINS is re-enabled in the future or to maintain a current security posture.
Can this be exploited from the internet, or only from internal networks?
Exploitation requires network access to WINS ports on the affected system. If WINS is not exposed on external interfaces and is only accessible from trusted internal networks, the attack surface is limited. However, any unauthenticated attacker with network access to WINS ports can attempt exploitation.
This analysis is based on publicly available information as of the modification date (2026-07-15). Patch availability, affected versions, and remediation guidance should be verified against the official Samba security advisory and your vendor documentation. SEC.co makes no warranty regarding the accuracy of third-party vendor information or patch timelines. Organizations should conduct their own risk assessment based on their specific Samba deployment architecture and network exposure. This vulnerability summary does not constitute legal or professional advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-37226HIGHFlexRIC iApp Denial-of-Service via Invalid E2 Node Subscription
- CVE-2026-37230HIGHFlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability
- CVE-2026-42764HIGHOpenSSL QUIC Server NULL Pointer Denial of Service Vulnerability
- CVE-2026-42765HIGHOpenSSL NULL Pointer Dereference in OCSP Certificate Chain Verification
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability