===========================================================
== Subject:     uninitialized memory disclosure via vfs_streams_xattr
==
== CVE ID#:     CVE-2025-9640
==
== Versions:    All versions since 3.2
==
== Summary:     Uninitialised memory can be written into alternate data
==              streams, possibly leaking sensitive data.
===========================================================

===========
Description
===========

An authenticated user can read an unlimited number of samples of
discarded heap memory, due to a failure to initialise memory in
streams_xattr_pwrite() in the vfs_streams_xattr file server module.

This is achieved by issuing write requests at offsets beyond the
current end of an alternate data stream, which creates holes in the
stream. The bytes filling each hole are never cleared, so they carry
whatever the heap previously held and can then be read back through
the stream.

Samba erases known secrets before freeing the associated memory, which
only partly mitigates the data leak.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.23.2, 4.22.5, and 4.21.9 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

====================
CVSSv3.1 calculation
====================

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)

==========
Workaround
==========

Systems that don't use vfs_streams_xattr are not affected. If you are
not sure, look for the string "streams_xattr" in your smb.conf. If
there is a line like this

    vfs objects = streams_xattr [and possibly other terms]

removing 'streams_xattr' from the 'vfs objects' list will avoid the
vulnerability but will disable alternate data stream support on the
shares that used it.
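The check described above, done with a small script rather than by eye.
This is an added example, not part of the Samba advisory or of Samba
itself; the smb.conf it scans is a constructed sample, and the function
name streams_xattr_sections is an assumption. Note that a 'vfs objects'
line in the [global] section is the default for every share that does
not set its own, so a hit there means all shares are affected unless
they override it.

```shell
#!/bin/sh
# Added example, not code from the Samba project or advisory: report
# which sections of an smb.conf load the streams_xattr VFS module.
# In production, feed it the effective configuration as smbd sees it
# (includes expanded), for example:
#     testparm -s 2>/dev/null | streams_xattr_sections

# Prints one section name per line for every section (including
# [global]) whose "vfs objects" value lists streams_xattr. Reads the
# file given as $1, or stdin when no argument is supplied.
# Parameter names in smb.conf are case-insensitive, hence tolower().
streams_xattr_sections() {
    awk '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/][[:space:]]*$/, "", sec)
            next
        }
        tolower($0) ~ /^[[:space:]]*vfs[[:space:]]*objects[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)
            n = split(val, mods, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (mods[i] == "streams_xattr") {
                    print sec
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample configuration for demonstration only (assumption:
# not a real smb.conf). share1 loads streams_xattr, share2 does not.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = user

[share1]
    path = /srv/samba/share1
    vfs objects = catia fruit streams_xattr

[share2]
    path = /srv/samba/share2
    vfs objects = full_audit
EOF

# Prints: share1
streams_xattr_sections "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Any section the script names needs either the fixed release or
'streams_xattr' removed from its 'vfs objects' line; an empty result
means the module is not loaded and the system is not affected.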

=======
Credits
=======

Reported and fixed by Andrew Walker of IX Systems and the Samba Team.

This advisory written by Douglas Bagnall of Catalyst IT and the Samba
Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================