CVE Catalog

CVE-2026-3238

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
2.67%

84th percentile - higher than 84% of all known CVEs

Summary

A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

Risk Assessment

An attacker can remotely and without authentication crash the WINS service, leading to disruption of name services in the network and potentially affecting the entire Active Directory domain.

Recommendation

Update Samba to a patched version immediately. Until the update is applied, restrict access to UDP ports used by WINS (port 137) to trusted hosts only.

Original NVD description (English source)

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS