CVE-2014-3560

NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h.

Published: 2014-08-06 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2014-3560 is rated Moderate Risk (63.8/100): CVSS High severity, with high exploitation likelihood (EPSS 71.95%, 99th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-3560

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-22 74.28% 71.95% -2.33%
2 2025-12-14 58.38% 74.28% +15.91%
3 2025-11-30 58.38%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-3560

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.9 2.0 HIGH
AV:A/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:A)
Requires access to an adjacent network segment.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 5.5 10.0 [email protected]

Weakness enumeration for CVE-2014-3560

OS Trackers for CVE-2014-3560

vendor priority summary link
debian not yet assigned CVE-2014-3560 not yet assigned priority: Debian including 1 source packages (samba), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2014-3560
redhat high https://access.redhat.com/security/cve/CVE-2014-3560
suse high CVE-2014-3560 severity important: SUSE including 543 source package names (ctdb-4.10.5+git.129.35f7bb6e177-1.1, ctdb-4.22.3+git.401.c70158430cc-160000.2.2, …), 888 product×package rows across 27 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise Desktop 12, … (27 product lines)): Fixed 888. https://www.suse.com/security/cve/CVE-2014-3560/
ubuntu high CVE-2014-3560 high priority: Ubuntu including 2 source packages (samba, samba4), 20 status rows across 10 suites (lucid, precise, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): released 9, DNE 7, ignored 2, not-affected 2. https://ubuntu.com/security/CVE-2014-3560

Affected software / configurations for CVE-2014-3560

Vendor Product Version Raw CPE
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
redhat enterprise_linux 6.0 cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
redhat enterprise_linux 7.0 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
samba samba 4.1.0 cpe:2.3:a:samba:samba:4.1.0:*:*:*:*:*:*:*
samba samba 4.1.1 cpe:2.3:a:samba:samba:4.1.1:*:*:*:*:*:*:*
samba samba 4.1.2 cpe:2.3:a:samba:samba:4.1.2:*:*:*:*:*:*:*
samba samba 4.1.3 cpe:2.3:a:samba:samba:4.1.3:*:*:*:*:*:*:*
samba samba 4.1.4 cpe:2.3:a:samba:samba:4.1.4:*:*:*:*:*:*:*
samba samba 4.1.5 cpe:2.3:a:samba:samba:4.1.5:*:*:*:*:*:*:*
samba samba 4.1.6 cpe:2.3:a:samba:samba:4.1.6:*:*:*:*:*:*:*
samba samba 4.1.7 cpe:2.3:a:samba:samba:4.1.7:*:*:*:*:*:*:*
samba samba 4.1.8 cpe:2.3:a:samba:samba:4.1.8:*:*:*:*:*:*:*
samba samba 4.1.9 cpe:2.3:a:samba:samba:4.1.9:*:*:*:*:*:*:*
samba samba 4.1.10 cpe:2.3:a:samba:samba:4.1.10:*:*:*:*:*:*:*
samba samba 4.0.0 cpe:2.3:a:samba:samba:4.0.0:*:*:*:*:*:*:*
samba samba 4.0.1 cpe:2.3:a:samba:samba:4.0.1:*:*:*:*:*:*:*
samba samba 4.0.2 cpe:2.3:a:samba:samba:4.0.2:*:*:*:*:*:*:*
samba samba 4.0.3 cpe:2.3:a:samba:samba:4.0.3:*:*:*:*:*:*:*
samba samba 4.0.4 cpe:2.3:a:samba:samba:4.0.4:*:*:*:*:*:*:*
samba samba 4.0.5 cpe:2.3:a:samba:samba:4.0.5:*:*:*:*:*:*:*
samba samba 4.0.6 cpe:2.3:a:samba:samba:4.0.6:*:*:*:*:*:*:*
samba samba 4.0.7 cpe:2.3:a:samba:samba:4.0.7:*:*:*:*:*:*:*
samba samba 4.0.8 cpe:2.3:a:samba:samba:4.0.8:*:*:*:*:*:*:*
samba samba 4.0.9 cpe:2.3:a:samba:samba:4.0.9:*:*:*:*:*:*:*
samba samba 4.0.10 cpe:2.3:a:samba:samba:4.0.10:*:*:*:*:*:*:*
samba samba 4.0.11 cpe:2.3:a:samba:samba:4.0.11:*:*:*:*:*:*:*
samba samba 4.0.12 cpe:2.3:a:samba:samba:4.0.12:*:*:*:*:*:*:*
samba samba 4.0.13 cpe:2.3:a:samba:samba:4.0.13:*:*:*:*:*:*:*
samba samba 4.0.14 cpe:2.3:a:samba:samba:4.0.14:*:*:*:*:*:*:*
samba samba 4.0.15 cpe:2.3:a:samba:samba:4.0.15:*:*:*:*:*:*:*
samba samba 4.0.16 cpe:2.3:a:samba:samba:4.0.16:*:*:*:*:*:*:*
samba samba 4.0.17 cpe:2.3:a:samba:samba:4.0.17:*:*:*:*:*:*:*
samba samba 4.0.18 cpe:2.3:a:samba:samba:4.0.18:*:*:*:*:*:*:*
samba samba 4.0.19 cpe:2.3:a:samba:samba:4.0.19:*:*:*:*:*:*:*
samba samba 4.0.20 cpe:2.3:a:samba:samba:4.0.20:*:*:*:*:*:*:*

References for CVE-2014-3560

URL Tags
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136280.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864.html
http://lists.opensuse.org/opensuse-updates/2014-08/msg00027.html
http://secunia.com/advisories/59583
http://secunia.com/advisories/59610
http://secunia.com/advisories/59976
http://www.samba.org/samba/security/CVE-2014-3560 Vendor Advisory
http://www.securityfocus.com/bid/69021
http://www.securitytracker.com/id/1030663
http://www.ubuntu.com/usn/USN-2305-1
https://bugzilla.redhat.com/show_bug.cgi?id=1126010
https://exchange.xforce.ibmcloud.com/vulnerabilities/95081
https://git.samba.org/?p=samba.git%3Ba=commitdiff%3Bh=e6a848630da3ba958c442438ea131c99fa088605
https://git.samba.org/?p=samba.git%3Ba=commitdiff%3Bh=fb1d325d96dfe9bc2e9c4ec46ad4c55e8f18f4a2
cvelogic Threat Intelligence