CVE-2025-9640

A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
redhatCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
samba
bullseye (security)
vulnerable
bullseye
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
trixie
vulnerable
forky
vulnerable
sid
2:4.23.2+dfsg-1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-9640
https://bugzilla.redhat.com/show_bug.cgi?id=2391698
https://www.samba.org/samba/history/security.html