
CVE-2022-0336: High Vulnerability in Samba AD DC

CVE-2022-0336 is a high-severity vulnerability affecting Samba AD DC which allows attackers to impersonate services and perform denial-of-service attacks. Organizations should prioritize patching to mitigate risks.

HIGH · CVSS 8.8 · Published August 29, 2022


CVE-2022-0336 is a high-severity vulnerability in Samba's Active Directory Domain Controller (AD DC) that affects versions of Samba from 4.0.0 to 4.13.16, 4.14.0 to 4.14.11, and 4.15.0 to 4.15.3. This vulnerability allows attackers to bypass certain checks when adding service principal names (SPNs) to accounts, which could lead to denial-of-service attacks and the potential for impersonating existing services.

The vulnerability has a CVSS score of 8.8, indicating high severity. The potential impact includes high confidentiality, integrity, and availability risks, making it critical for organizations to address this vulnerability promptly.

With the ability to write to an account, an attacker can exploit this vulnerability to add an SPN that matches an existing service. This could result in a denial-of-service condition and allow for service impersonation, leading to a loss of confidentiality and integrity.

Organizations using affected versions of Samba should prioritize patching immediately to mitigate the associated risks.

Vulnerability Details

The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks can be bypassed if an account modification re-adds an SPN that was previously present on that account. This allows an attacker with the ability to write to an account to exploit this vulnerability.

The vulnerability is classified under CWE-276, indicating improper handling of service principal names. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, confirming the potential for high impact across confidentiality, integrity, and availability.

Technical Analysis

The root cause of this vulnerability lies in insufficient validation checks when re-adding SPNs. Attackers can exploit this by modifying an account to add a previously existing SPN, which can lead to service impersonation.

The attack vector is network-based with low attack complexity. The required privileges are low: any user with write access to the target account can exploit the vulnerability. No user interaction is required, which further increases the risk, since the attacker needs neither a victim's action nor any permissions beyond that write access.

The potential impacts are significant, with high implications for confidentiality, integrity, and availability. Attackers who can intercept traffic may impersonate existing services, which can lead to unauthorized access to sensitive data.

Risk & Impact Analysis

Risk to organizations includes the potential for denial-of-service attacks and the ability for attackers to impersonate existing services. The blast radius could be extensive, particularly in environments where Samba AD DC is widely integrated. Organizations should assess their exposure, especially if they operate in sectors where data confidentiality is critical.

Given the vulnerability's high CVSS score and the fact that it is not currently included in the KEV catalog, organizations need to prioritize remediation as part of their patch management strategy.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

The affected versions of Samba include any version from 4.0.0 to 4.13.16, 4.14.0 to 4.14.11, and 4.15.0 to 4.15.3. If version information is unavailable, organizations should assume all versions prior to the vendor patch are affected.

Mitigation & Remediation

Organizations are urged to patch the affected Samba versions immediately. Detailed information on patches can be found on the vendor's advisory page. If patching is not possible, implement network controls to restrict access to affected services and monitor for any unauthorized SPN additions.

Additionally, organizations should consider conducting a security assessment, which includes application security assessments to identify and remediate similar vulnerabilities.

Detection Guidance

Monitor logs for unusual SPN modifications and network traffic for signs of impersonation attempts. Behavioral anomalies in user activity may indicate exploitation. Keeping detailed logs can assist in identifying malicious activities related to this vulnerability.
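As an added illustration (not code from this page or from the Samba project), the script below does two defender-side checks tied to the sections above: it tests a Samba version string against the affected ranges listed under Affected Versions, and it scans an LDIF-style export of servicePrincipalName attributes for SPNs that appear on more than one account, which is the aliasing the DC's check described under Vulnerability Details is meant to refuse. The LDIF sample, DNs and SPN values are constructed, and comparing SPNs case-insensitively is this script's own assumption.

```python
import re
from collections import defaultdict

# Affected ranges exactly as stated in the advisory, (first, last) inclusive.
AFFECTED = [
    ((4, 0, 0), (4, 13, 16)),
    ((4, 14, 0), (4, 14, 11)),
    ((4, 15, 0), (4, 15, 3)),
]


def parse_version(text):
    """'4.15.3' or '4.15.3-Debian' -> (4, 15, 3); extra suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised Samba version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)


# Constructed LDIF-style export (not real directory data): two accounts that
# both carry the same cifs/ SPN, differing only in letter case.
SAMPLE_LDIF = """\
dn: CN=FILESRV01,OU=Servers,DC=example,DC=test
servicePrincipalName: HOST/filesrv01.example.test
servicePrincipalName: cifs/filesrv01.example.test

dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=test
servicePrincipalName: CIFS/FILESRV01.EXAMPLE.TEST
servicePrincipalName: backup/svc-backup.example.test
"""


def spn_owners(ldif_text):
    """Map each SPN (case-folded, an assumption of this script) to the DNs holding it."""
    owners = defaultdict(set)
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("serviceprincipalname:"):
            owners[line.split(":", 1)[1].strip().lower()].add(dn)
    return owners


def aliased_spns(ldif_text):
    """SPNs present on more than one account: the condition to alert on."""
    return {spn: sorted(dns) for spn, dns in spn_owners(ldif_text).items() if len(dns) > 1}
```

Run `aliased_spns` over a periodic export of all accounts; any non-empty result is an SPN collision to investigate, whether it arose from this bug or from misconfiguration.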

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2022-0336 lies in its potential impact on organizations using Samba AD DC. This vulnerability highlights the importance of rigorous validation checks in security protocols.

Security teams should take this opportunity to review existing configurations and tighten access controls while considering red teaming services to proactively identify weaknesses.

Additionally, leveraging continuous penetration testing can help ensure that similar vulnerabilities are addressed in a timely manner.

Organizations should also consider a comprehensive vulnerability management program to stay ahead of emerging threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
