
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-0620 is a security vulnerability in Samba affecting all versions from 4.21.0 onward. The vulnerability was discovered and disclosed in June 2025; it arises because Samba fails to properly handle group membership changes during SMB session re-authentication when Kerberos authentication is used. The issue affects Samba's enforcement of user permissions and group memberships in Active Directory environments (Samba Security).
When using Kerberos authentication, SMB sessions have an associated lifetime that requires re-authentication upon expiration. During re-authentication, Samba receives updated group membership information but fails to reflect these changes in subsequent SMB request processing. This occurs due to a recent change in Samba's cache system that maintains associations between user impersonation information and connected shares (Openwall).
The vulnerability prevents group membership changes from taking effect until users disconnect and establish new connections to the server. This means that when an administrator removes a user from a particular group in Active Directory, the changes are not immediately enforced, potentially allowing users to retain access to resources they should no longer have access to (Samba Security).
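The stale-cache behaviour described above, as an added, constructed model (not Samba's own code): a session caches the impersonation token per connected share, re-authentication installs a refreshed token, and only the fixed variant drops the cached per-share token so the new group list is enforced. Names, the share ACL and the user are invented for the illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the described behaviour; not Samba source code.
# A share ACL lists which AD groups may connect to the share.
SHARE_ACL = {"finance": {"finance-admins"}, "public": {"domain-users"}}


@dataclass(frozen=True)
class Token:
    """Impersonation info derived from the Kerberos ticket's group list."""
    user: str
    groups: frozenset


@dataclass
class SmbSession:
    token: Token
    # share name -> Token captured when the share was first connected
    share_cache: dict = field(default_factory=dict)


def connect_share(session, share):
    """Return True if the share is accessible; reuse any cached token."""
    tok = session.share_cache.setdefault(share, session.token)
    return bool(tok.groups & SHARE_ACL[share])


def reauthenticate(session, new_token, invalidate_cache):
    """Session lifetime expired: install the refreshed token.
    The fixed variant also discards cached per-share impersonation."""
    session.token = new_token
    if invalidate_cache:
        session.share_cache.clear()


def access_after_group_removal(fixed):
    """User connects while a group member, is removed, re-auths, retries."""
    before = Token("alice", frozenset({"domain-users", "finance-admins"}))
    after = Token("alice", frozenset({"domain-users"}))
    s = SmbSession(before)
    first = connect_share(s, "finance")      # True: still a member
    reauthenticate(s, after, invalidate_cache=fixed)
    second = connect_share(s, "finance")     # stale cache keeps it True unless fixed
    return first, second


if __name__ == "__main__":
    print("vulnerable:", access_after_group_removal(fixed=False))  # (True, True)
    print("fixed:     ", access_after_group_removal(fixed=True))   # (True, False)
```

The second result is what an administrator should verify after upgrading: access to the share must be denied on the first request after re-authentication, without waiting for the client to disconnect.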
The issue has been fixed in Samba 4.21.6. No workarounds are available for affected versions, making it necessary to upgrade to the patched version. The Samba Team decided not to issue a dedicated security release for this vulnerability (Openwall).
Source: This report was generated using AI