CVE-2026-3238
HighCVSS 7.5Exploitation Probability (EPSS)
High risk84th percentile - higher than 84% of all known CVEs
Summary
A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
Risk Assessment
An attacker can remotely and without authentication crash the WINS service, leading to disruption of name services in the network and potentially affecting the entire Active Directory domain.
Recommendation
Update Samba to a patched version immediately. Until the update is applied, restrict access to UDP ports used by WINS (port 137) to trusted hosts only.
Original NVD description (English source)
A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

