CVE-2025-9640: 
Samba vulnerability analysis and mitigation

A vulnerability (CVE-2025-9640) was discovered in Samba's vfsstreamsxattr module, affecting all versions since 3.2. The flaw allows an authenticated user to read unlimited samples of discarded heap memory due to uninitialized memory being written into alternate data streams. The vulnerability was discovered and reported by Andrew Walker of IX Systems and the Samba Team (Samba Security).

The vulnerability stems from a failure to initialize memory in streamsxattrpwrite() function within the vfsstreamsxattr file server module. The issue occurs when write requests create holes in the file. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-908 (Use of Uninitialized Resource) (NVD, Samba Security).

The vulnerability allows authenticated users to read residual memory content that may contain sensitive data. However, Samba's practice of erasing known secrets before freeing the associated memory somewhat mitigates the potential impact of the data leak (Samba Security).

Systems that don't use vfsstreamsxattr are not affected. As a workaround, administrators can check their smb.conf for the string 'streams_xattr' and remove it from the 'vfs objects' list, though this will affect functionality. For a permanent fix, patches have been released, and Samba versions 4.23.2, 4.22.5, and 4.21.9 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible (Samba Security).