{
  "variant_id": "CVE-2026-4480-spoolss-rpc-startdocprinter",
  "created_at": "2026-07-12T22:02:39Z",
  "variant_summary": "Alternate trigger for CVE-2026-4480 via spoolss RPC StartDocPrinter(pDocName) instead of SMB file open on printable share. Both paths converge at generic_job_submit() -> print_run_command() -> smbrun_no_sanitize() -> system(). The spoolss RPC document_name is not subject to SMB filename character restrictions. Confirmed as alternate trigger on vulnerable 4.22.9, blocked on fixed 4.22.10 — NOT a bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/samba-team/samba.git",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "4.22.9",
    "ref": "samba-4.22.9",
    "commit_sha": "ff3dd691f38e23f9ea8d18376df1b24ea9b335b6",
    "display": "samba-4.22.9 (ff3dd69)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "version": "4.22.10",
    "ref": "samba-4.22.10",
    "commit_sha": "0abfaceda097f447ac0284db9f639dabc5070595",
    "display": "samba-4.22.10 (0abface) - fixed version"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "network_protocol",
  "validated_surface": "network_protocol",
  "required_entrypoint_kind": "tcp_peer",
  "required_entrypoint_detail": "spoolss RPC StartDocPrinter(pDocName) over SMB pipe \\pipe\\spoolss (TCP 445, guest/anonymous); MS-RPRN opnum 17 with crafted pDocName in DOC_INFO_1",
  "attacker_controlled_input": "document_name string in spoolss RPC StartDocPrinter DOC_INFO_1 (pDocName field, UTF-16, not subject to SMB filename restrictions)",
  "trigger_path": "TCP 445 -> SMB guest login -> DCERPC bind to \\pipe\\spoolss (UUID 12345678-1234-ABCD-EF00-0123456789AB) -> RpcOpenPrinter (opnum 1) -> RpcStartDocPrinter (opnum 17, pDocName='PWN&&id&&touch spoolss_marker&&END') -> RpcWritePrinter (opnum 19) -> RpcEndDocPrinter (opnum 23) -> print_job_end -> generic_job_submit -> print_run_command -> talloc_string_sub(%J, jobname) -> smbrun_no_sanitize -> system() with unescaped shell metacharacters",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "replace_print_cmd_J() in generic_job_submit() masks all unsafe characters and wraps jobname in single quotes at the sink, covering both SMB file open and spoolss RPC entry points",
  "file_path": "source3/printing/print_generic.c",
  "line_start": 261,
  "line_end": 350,
  "secondary_anchors": [
    {
      "file_path": "source3/rpc_server/spoolss/srv_spoolss_nt.c",
      "line_start": 5959,
      "line_end": 6040
    },
    {
      "file_path": "source3/printing/printspoolss.c",
      "line_start": 58,
      "line_end": 120
    },
    {
      "file_path": "lib/util/substitute.c",
      "line_start": 337,
      "line_end": 540
    }
  ],
  "review_scope_paths": [
    "source3/printing/print_generic.c",
    "source3/rpc_server/spoolss/srv_spoolss_nt.c",
    "source3/printing/printspoolss.c",
    "source3/printing/printing.c",
    "source3/smbd/open.c",
    "source3/smbd/smb2_create.c",
    "source3/smbd/smb1_reply.c",
    "lib/util/substitute.c",
    "lib/util/substitute.h"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant_repro.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/spoolss_exploit.py"
    ]
  }
}
