SB2026010202 - Debian update for smb4k




Published: January 2, 2026

Security Bulletin ID SB2026010202
Severity Low
Patch available YES
Number of vulnerabilities 2
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2025-66002)

The vulnerability allows a local user to perform arbitrary unmounts.

The vulnerability exists due to insufficient validation of user-supplied input within the Smb4KMountHelper::unmount() function in smb4kmounthelper.cpp. A local user can unmount arbitrary file systems and perform a denial of service attack.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-66003)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application allows arbitrary mounts to be created within the Smb4KMountHelper::mount() function in smb4kmounthelper.cpp. A local user who can control the content of a Samba network share can mount it over an existing local directory (e.g. /bin) and execute arbitrary code with root privileges.
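
The kind of validation a privileged mount helper needs for both issues above, as an added C++ example that is not smb4k's code and not the upstream fix. The function names, the base directory /home/alice/smb4k and the mount table are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <sstream>
#include <string>
namespace fs = std::filesystem;

// Constructed sample in /proc/self/mounts layout: device, mount point, type, options.
const std::string kSampleMounts =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n"
    "//nas/media /home/alice/smb4k/nas/media cifs rw,nosuid,nodev 0 0\n";

// Lexical cleanup only (".", "..", trailing slash); a real helper must also resolve symlinks.
fs::path norm(const fs::path& p) {
    fs::path n = p.lexically_normal();
    return (n.has_filename() || n == n.root_path()) ? n : n.parent_path();
}

// Mount check: target must lie strictly below the caller's base directory.
// Compared per component, so /home/alice/smb4k-evil is not a child of .../smb4k.
bool mount_target_allowed(const fs::path& base, const fs::path& target) {
    if (!base.is_absolute() || !target.is_absolute()) return false;
    const fs::path b = norm(base), t = norm(target);
    auto [b_pos, t_pos] = std::mismatch(b.begin(), b.end(), t.begin(), t.end());
    return b_pos == b.end() && t_pos != t.end();
}

// Unmount check: target must be a mount point whose file system type is cifs or smb3.
// Assumes mount points without octal-escaped characters (e.g. \040 for a space).
bool unmount_allowed(const std::string& mount_table, const fs::path& target) {
    if (!target.is_absolute()) return false;
    const fs::path want = norm(target);
    std::istringstream table(mount_table);
    std::string line, dev, dir, type;
    bool allowed = false;
    while (std::getline(table, line)) {
        std::istringstream fields(line);
        if (!(fields >> dev >> dir >> type)) continue;
        // A later entry shadows an earlier one on the same path: last match decides.
        if (norm(dir) == want) allowed = (type == "cifs" || type == "smb3");
    }
    return allowed;
}

int main() {
    std::cout << mount_target_allowed("/home/alice/smb4k", "/bin") << ' '
              << unmount_allowed(kSampleMounts, "/tmp") << '\n';
}
```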


Remediation

Install the update from the vendor's website.