From: Pavel Kohout Date: Fri, 13 Feb 2026 02:51:41 +0000 (+1300) Subject: CVE-2026-2340: vfs_worm: Check destination WORM status in rename X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=44b199a35222e1b11d6ee987c4e8046a894484ca;p=thirdparty%2Fsamba.git CVE-2026-2340: vfs_worm: Check destination WORM status in rename vfs_worm_renameat() only checked if the source file was WORM-protected, but not the destination. This allowed overwriting immutable files via SMB2 rename with ReplaceIfExists=1, bypassing WORM protection. Add destination check using FSTATAT on the destination dirfsp, as suggested by the maintainer. CWE-284 (Improper Access Control) Reported-by: Pavel Kohout, Aisle Research, www.aisle.com BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997 Signed-off-by: Pavel Kohout Reviewed-by: Volker Lendecke Reviewed-by: Douglas Bagnall --- diff --git a/selftest/knownfail.d/vfs-worm b/selftest/knownfail.d/vfs-worm deleted file mode 100644 index f4a330c744b..00000000000 --- a/selftest/knownfail.d/vfs-worm +++ /dev/null @@ -1,2 +0,0 @@ -^samba3.blackbox.worm.SMB3 -^samba3.blackbox.worm.NT1 diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c index b9ca9d1e158..5effd497da2 100644 --- a/source3/modules/vfs_worm.c +++ b/source3/modules/vfs_worm.c @@ -218,11 +218,29 @@ static int vfs_worm_renameat(vfs_handle_struct *handle, const struct smb_filename *smb_fname_dst, const struct vfs_rename_how *how) { + struct stat_ex dst_st; + int ret; + if (is_readonly(handle, smb_fname_src)) { errno = EACCES; return -1; } + /* Check if destination is WORM-protected (fixes CVE-2026-2340) */ + ret = SMB_VFS_FSTATAT(handle->conn, + dst_dirfsp, + smb_fname_dst, + &dst_st, + AT_SYMLINK_NOFOLLOW); + if (ret == 0) { + struct smb_filename dst_with_stat = *smb_fname_dst; + dst_with_stat.st = dst_st; + if (is_readonly(handle, &dst_with_stat)) { + errno = EACCES; + return -1; + } + } + return SMB_VFS_NEXT_RENAMEAT(handle, src_dirfsp, smb_fname_src,
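Review bot: the new destination check in vfs_worm_renameat() only acts when SMB_VFS_FSTATAT returns 0, so any failure of that call, not just a missing destination, falls through to SMB_VFS_NEXT_RENAMEAT with the destination's WORM status unverified. For a protection module it would be safer to fail closed: treat `errno == ENOENT` as "no destination, nothing to protect" and return -1 (leaving errno as set by the stat) for every other error, so that an unreadable or otherwise unstat-able destination cannot be replaced. A smaller style point on the same block: the comment would be more useful if it stated why the destination is checked (a rename with ReplaceIfExists=1 can overwrite an existing file, as the commit message explains) rather than only citing the CVE id.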