CVE-2026-3238

HIGH EPSS 83.7%

Published Jun 8, 20263w ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jun 8, 2026 3w ago

Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

83.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

References 3

access.redhat.com https://access.redhat.com/security/cve/CVE-2026-3238
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2486176
samba.org https://www.samba.org/samba/security/CVE-2026-3238.html

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.