CVE-2025-9640

MEDIUM

Samba - Info Disclosure

Title source: llm

Description

A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.

References (6)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-9640

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2391698

[Various Sources] https://www.samba.org/samba/history/security.html

[Mailing List] http://www.openwall.com/lists/oss-security/2025/10/15/2

[Mailing List] http://www.openwall.com/lists/oss-security/2025/10/16/2

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/11/msg00027.html

Scores

CVSS v3 4.3

EPSS 0.0009

EPSS Percentile 25.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-908

Status draft

Timeline

Published Oct 15, 2025

Tracked Since Feb 18, 2026