CVE-2026-15779: Incorrect Permission Assignment for Critical Resource in Red Hat Red Hat Enterprise Linux 10
A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.
AI Analysis
Technical Summary
The vulnerability exists in pam_winbind's mkhomedir functionality on Red Hat Enterprise Linux 10. When enabled, pam_winbind changes ownership of a user's home directory but fails to verify that the path is not a critical system directory such as /. Accounts with / as their home directory (common for system accounts) can be exploited by non-root users with narrow sudo delegations to run commands as those accounts. This causes the ownership of / to be changed, resulting in denial of service conditions including failures in SSH, sudo, and package management. The root directory remains with restrictive permissions (0555), so the impact is limited to availability loss without further privilege escalation.
Potential Impact
The vulnerability leads to availability loss by allowing ownership changes of the root directory (/), disrupting critical system services such as SSH, sudo, and package management. It does not allow privilege escalation or write access to the root directory due to its restrictive permissions. The impact is classified as a severe denial of service on affected systems.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-15779 for current remediation guidance. Until an official fix is available, restrict sudo delegations that allow non-root users to run commands as accounts with / as their home directory, and consider disabling mkhomedir in pam_winbind if not required.
CVE-2026-15779: Incorrect Permission Assignment for Critical Resource in Red Hat Red Hat Enterprise Linux 10
Description
A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory (a common default for system accounts) can have this triggered not only by root, but by a non-root user holding a narrow sudo delegation to run commands as that account, causing ownership of / to change and resulting in severe denial of service (SSH, sudo, and package-manager failures). The change does not grant write access to / (which ships with restrictive 0555 permissions on RHEL), so the impact is availability loss rather than further privilege escalation.
CVSS v3.1
Score 6.1medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in pam_winbind's mkhomedir functionality on Red Hat Enterprise Linux 10. When enabled, pam_winbind changes ownership of a user's home directory but fails to verify that the path is not a critical system directory such as /. Accounts with / as their home directory (common for system accounts) can be exploited by non-root users with narrow sudo delegations to run commands as those accounts. This causes the ownership of / to be changed, resulting in denial of service conditions including failures in SSH, sudo, and package management. The root directory remains with restrictive permissions (0555), so the impact is limited to availability loss without further privilege escalation.
Potential Impact
The vulnerability leads to availability loss by allowing ownership changes of the root directory (/), disrupting critical system services such as SSH, sudo, and package management. It does not allow privilege escalation or write access to the root directory due to its restrictive permissions. The impact is classified as a severe denial of service on affected systems.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-15779 for current remediation guidance. Until an official fix is available, restrict sudo delegations that allow non-root users to run commands as accounts with / as their home directory, and consider disabling mkhomedir in pam_winbind if not required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-07-14T18:33:36.712Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-15779","vendor":"Red Hat"}]
Threat ID: 6a57853a68715ace43c142be
Added to database: 07/15/2026, 13:03:54 UTC
Last enriched: 07/15/2026, 13:18:49 UTC
Last updated: 07/15/2026, 13:33:05 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.