CVE-2025-9640: 
Samba vulnerability analysis and mitigation

A flaw was found in Samba, specifically in the vfsstreamsxattr module, where uninitialized heap memory could be written into alternate data streams. This vulnerability (CVE-2025-9640) affects all versions of Samba since 3.2 and was discovered and fixed in October 2025. The vulnerability allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability (Samba Security, NVD).

The vulnerability exists in the streamsxattrpwrite() function within the vfsstreamsxattr file server module. The issue occurs when write requests create holes in the file, allowing an authenticated user to read an unlimited number of samples of discarded heap memory. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Samba Security).

The vulnerability allows authenticated users to read residual memory content that may contain sensitive data. However, the impact is somewhat mitigated as Samba erases known secrets before freeing the associated memory (Samba Security).

Systems that don't use vfsstreamsxattr are not affected. Users can check their smb.conf file for the string 'streamsxattr'. If there is a line containing 'vfs objects = streamsxattr', removing 'streams_xattr' from the 'vfs objects' list will avoid the vulnerability, though this will affect functionality. Additionally, patches have been released in Samba versions 4.23.2, 4.22.5, and 4.21.9 to address this issue (Samba Security).