CVE-2025-0620: 
Samba vulnerability analysis and mitigation

A vulnerability (CVE-2025-0620) was discovered in Samba versions 4.21.0 and later, affecting the smbd service daemon. The vulnerability relates to how the system handles group membership changes during SMB session re-authentication. This flaw was initially reported by Anoop C S of the Samba Team and was publicly disclosed in June 2025 (Samba Security, OSS Security).

The vulnerability occurs specifically with Kerberos authentication in SMB sessions. When a session expires and requires re-authentication, Samba receives updated group membership information but fails to reflect these changes in subsequent SMB request processing. This issue stems from Samba's cache mechanism that maintains associations between user impersonation information and connected shares. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The primary impact of this vulnerability is that changes to user group memberships in Active Directory are not properly enforced until users disconnect and reconnect to the server. This means that if an administrator removes a user from a particular group, the access restrictions won't take effect immediately, potentially allowing unauthorized access to file shares (Samba Security).

The Samba Team has addressed this vulnerability in version 4.21.6. No direct workarounds are available for affected versions. The only way to ensure group membership changes take effect is to have users disconnect and reconnect to the server (OSS Security).