
===========================================================
== Subject: smbd doesn't pick up group membership changes
==          when re-authenticating an expired SMB session
==
== CVE ID#: CVE-2025-0620
==
== Versions: All versions starting with 4.21.0
==
== Summary: When using Kerberos authentication with SMB,
==          smbd doesn't pick up group membership changes
==          when re-authenticating an expired SMB session
===========================================================

===========
Description
===========

With Kerberos authentication, SMB sessions typically have an
associated lifetime, and the client must re-authenticate when
the session expires. As part of that re-authentication, Samba
receives the user's current group membership information and
is expected to apply it when processing all further SMB
requests on the session.

For historic reasons, Samba maintains a cache of
associations between a user's impersonation information and
the shares connected on the session. A change to this cache
introduced in Samba 4.21.0 causes the cached impersonation
information to be left unchanged after session
re-authentication, so subsequent SMB requests are authorized
against the group list from the original authentication
rather than the refreshed one.

As a result, when an administrator removes a user from a
particular group in Active Directory, the removal does not
take effect on existing SMB connections: access derived from
the removed group membership continues to be granted until
the user disconnects from the server and establishes a new
connection.
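
To make the failure mode concrete, the following is a small Python model added for this page; it is not Samba code and does not reproduce smbd's internal data structures. It models a per-session cache of per-share impersonation information that either is or is not refreshed when the session re-authenticates, and shows that only the refreshed variant revokes access after a group is removed. The class and function names, the share name, the user name and the group names are assumptions constructed for the example.

```python
"""Illustrative model of the stale impersonation cache behind CVE-2025-0620.

Added example, not Samba code. All names (SecurityToken, TreeConnection,
Session, run_scenario) and the sample user/share/group values are
assumptions constructed for this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityToken:
    """Impersonation information delivered by (re-)authentication."""
    user: str
    groups: frozenset


@dataclass
class TreeConnection:
    """A connected share plus the impersonation info cached for it."""
    share: str
    required_group: str
    cached_token: SecurityToken   # captured at tree connect time


class Session:
    """One SMB session; refresh_cache_on_reauth selects buggy vs fixed."""

    def __init__(self, token: SecurityToken, refresh_cache_on_reauth: bool):
        self.token = token
        self.refresh_cache_on_reauth = refresh_cache_on_reauth
        self.tcons: dict[str, TreeConnection] = {}

    def tree_connect(self, share: str, required_group: str) -> None:
        # The cache entry is keyed by share and snapshots the current token.
        self.tcons[share] = TreeConnection(share, required_group, self.token)

    def reauthenticate(self, new_token: SecurityToken) -> None:
        """Session lifetime expired; the client re-authenticated and the
        server received the user's current group list."""
        self.token = new_token
        if self.refresh_cache_on_reauth:
            # Fixed behaviour: every cached per-share token is replaced,
            # so later requests see the refreshed group membership.
            for tcon in self.tcons.values():
                tcon.cached_token = new_token
        # Buggy behaviour: cached tokens are left untouched.

    def can_access(self, share: str) -> bool:
        """Authorization for a request on an already-connected share is
        decided from the cached per-share impersonation information."""
        tcon = self.tcons[share]
        return tcon.required_group in tcon.cached_token.groups


def run_scenario(refresh_cache_on_reauth: bool) -> tuple[bool, bool]:
    """Connect to a share gated on the 'finance' group, remove the user
    from that group in the directory, re-authenticate, and report access
    (before, after) re-authentication."""
    # Constructed sample tokens: before and after the admin removes 'finance'.
    before_removal = SecurityToken("alice", frozenset({"domain users", "finance"}))
    after_removal = SecurityToken("alice", frozenset({"domain users"}))

    session = Session(before_removal, refresh_cache_on_reauth)
    session.tree_connect("finance$", required_group="finance")
    granted_before = session.can_access("finance$")

    # Session expires; re-authentication delivers the current group list.
    session.reauthenticate(after_removal)
    granted_after = session.can_access("finance$")
    return granted_before, granted_after


if __name__ == "__main__":
    print("stale cache (vulnerable):", run_scenario(refresh_cache_on_reauth=False))
    print("refreshed cache (fixed):  ", run_scenario(refresh_cache_on_reauth=True))
```

The only difference between the two runs is whether `reauthenticate` touches the per-share cache; in the stale variant the removal is invisible to every request on the existing session, which is exactly why the advisory says a new connection is required for the change to take effect.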

==================
Patch Availability
==================

The Samba Team decided not to issue a dedicated security release;
see https://wiki.samba.org/index.php/Samba_Security_Process.

See https://bugzilla.samba.org/show_bug.cgi?id=15707

==================
CVSSv4 calculation
==================

CVSS 4.0: AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:I/V:C/RE:L (7)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Anoop C S of the Samba Team.

Patch provided by Ralph Boehme of the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================