Home
MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NDefault status
unaffected
Any version before 4.21.9
affected
4.22.0 (semver) before 4.21.5
affected
4.23.0 (semver) before 4.23.2
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Description
A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.
Problem types
Product status
Any version before 4.21.9
4.22.0 (semver) before 4.21.5
4.23.0 (semver) before 4.23.2
Timeline
| 2025-08-29: | Reported to Red Hat. |
| 2025-10-15: | Made public. |
References
www.openwall.com/lists/oss-security/2025/10/15/2
www.openwall.com/lists/oss-security/2025/10/16/2
lists.debian.org/debian-lts-announce/2025/11/msg00027.html
access.redhat.com/security/cve/CVE-2025-9640
bugzilla.redhat.com/show_bug.cgi?id=2391698 (RHBZ#2391698)
www.samba.org/samba/history/security.html
