Samba 4.23.2, 4.22.5, and 4.21.9 released
Samba 4.23.2, 4.22.5, and 4.21.9 have been released as security updates that fix two serious flaws in the open-source implementation of the SMB file-sharing and Active Directory protocols.

The fixes matter because, on unpatched systems, one bug lets an authenticated user read data they should not have access to and the other, in a non-default configuration, lets an attacker run commands on the server. The first, CVE-2025-9640, affects the vfs_streams_xattr file-serving module and exposes uninitialized memory.
Looking closer, the root cause is that streams_xattr_pwrite() does not initialize memory properly. When a write lands at an offset beyond the current end of an alternate data stream, the gap between the old end and the new data is left holding whatever the heap allocation previously contained instead of being zero-filled. An authenticated user with write access to a share that uses vfs_streams_xattr can trigger this with a write request at such an offset and then read the stream back, recovering stale heap contents through the hole.
Samba does limit this class of leak by clearing known secrets before freeing memory, but that is not a complete defence: an attacker can repeat these write requests and harvest whatever other freed heap contents happen to be reused. That residual exposure is why the issue was treated as a security vulnerability and fixed.
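As an added illustration, not Samba's code, here is the bug class reduced to a small in-memory stream. A write past the current end grows the buffer, and the only difference between the leaky and the fixed version is one memset over the gap. The struct and function names are invented; stream_pwrite_leaky() mirrors the pattern described for streams_xattr_pwrite() only in outline, not Samba's actual implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Toy in-memory stream: 'size' bytes of content backed by a heap buffer.
 * Names are invented for this illustration. */
struct stream {
    uint8_t *data;
    size_t size;
};

/* Grow the buffer so it can hold 'needed' bytes. realloc() does not clear
 * the new tail, so the caller decides what to do with the gap. */
static int stream_grow(struct stream *s, size_t needed)
{
    if (needed <= s->size) return 0;
    uint8_t *p = realloc(s->data, needed);
    if (p == NULL) return -1;
    s->data = p;
    return 0;
}

/* Bug class of CVE-2025-9640: a write beyond the current end copies the new
 * data but leaves [old_size, off) holding whatever the allocator had there. */
ssize_t stream_pwrite_leaky(struct stream *s, const void *buf, size_t n, size_t off)
{
    size_t end = off + n;
    if (end < off) return -1;                 /* offset + length overflowed */
    if (stream_grow(s, end) < 0) return -1;
    memcpy(s->data + off, buf, n);
    if (end > s->size) s->size = end;
    return (ssize_t)n;
}

/* Fixed version: zero the gap before copying, so a later read sees a hole
 * of zeros instead of stale heap contents. */
ssize_t stream_pwrite(struct stream *s, const void *buf, size_t n, size_t off)
{
    size_t end = off + n;
    size_t old_size = s->size;
    if (end < off) return -1;
    if (stream_grow(s, end) < 0) return -1;
    if (off > old_size) memset(s->data + old_size, 0, off - old_size);
    memcpy(s->data + off, buf, n);
    if (end > old_size) s->size = end;
    return (ssize_t)n;
}

/* What the attacker does next: read the stream back. */
ssize_t stream_pread(const struct stream *s, void *buf, size_t n, size_t off)
{
    if (off >= s->size) return 0;
    if (n > s->size - off) n = s->size - off;
    memcpy(buf, s->data + off, n);
    return (ssize_t)n;
}

/* 1 if every byte of [off, off+n) is zero, 0 otherwise (or if out of range). */
int stream_hole_is_zero(const struct stream *s, size_t off, size_t n)
{
    if (off + n < off || off + n > s->size) return 0;
    for (size_t i = 0; i < n; i++)
        if (s->data[off + i] != 0) return 0;
    return 1;
}

int main(void)
{
    struct stream leaky = { NULL, 0 }, fixed = { NULL, 0 };
    uint8_t hole[8];

    /* Make some recently freed heap content likely to be reused. */
    char *junk = malloc(64);
    if (junk) { memcpy(junk, "stale-heap-data", 16); free(junk); }

    /* Write 3 bytes at offset 8 into an empty stream in both versions. */
    stream_pwrite_leaky(&leaky, "abc", 3, 8);
    stream_pwrite(&fixed, "abc", 3, 8);

    stream_pread(&leaky, hole, sizeof hole, 0);
    printf("leaky hole: ");
    for (size_t i = 0; i < sizeof hole; i++) printf("%02x ", hole[i]);
    printf(" (contents are indeterminate)\n");

    printf("fixed hole is zero: %d\n", stream_hole_is_zero(&fixed, 0, 8));
    free(leaky.data);
    free(fixed.data);
    return 0;
}
```

The leaky hole's bytes depend on what the allocator hands back, which is exactly the problem: a file server must not let its clients read allocator history. The fixed version costs one memset per extending write and makes the hole deterministic.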
The second issue, CVE-2025-10230, is a command-injection flaw. It only affects Samba servers with WINS support turned on (it is off by default) and a wins hook program configured. The hook program runs every time a WINS name changes, and the Samba Active Directory Domain Controller does not validate the names it passes to that script.
It gets worse because the WINS protocol itself does not strictly validate the names clients register, so a registered name can contain shell metacharacters and other hostile content. An attacker able to register a WINS name with the domain controller can therefore get commands of their choosing executed on that host, which is a serious risk.
To be clear about scope: only Samba installations running as an Active Directory Domain Controller with WINS support enabled are affected. Samba servers that are not acting as an AD DC are not affected by this bug, and any installation that leaves WINS support at its default of off is unaffected regardless of role. Where patching is not immediately possible, the workaround is to remove the wins hook setting or disable wins support.
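As an added example, not Samba's code, the injection pattern behind CVE-2025-10230 and its fix: the hook path, the argument layout and the names used here are invented for illustration. The vulnerable helper shows what a shell would see when a client-supplied name is interpolated into a command line; the hardened one validates the name against a conservative allowlist and then execs the hook with an argv vector so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NETBIOS_NAME_MAX 15   /* NetBIOS names are at most 15 bytes plus a type byte */

/* Conservative allowlist for a name that will be handed to an external
 * program: letters, digits, '-' and '_', 1..15 bytes. Anything else,
 * including ';', '`', '$', '|', '&', quotes, spaces and newlines, is rejected.
 * (Illustrative policy; not Samba's own validation.) */
int wins_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > NETBIOS_NAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Vulnerable pattern: the client-supplied name goes straight into a shell
 * command line. With name = "HOST;id", the resulting string runs 'id'
 * after the hook. Returns a malloc'd string. It is built here only to make
 * the injection visible; never hand untrusted input to system() this way. */
char *build_hook_command_unsafe(const char *hook, const char *op,
                                const char *name, const char *addr)
{
    size_t n = strlen(hook) + strlen(op) + strlen(name) + strlen(addr) + 4;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "%s %s %s %s", hook, op, name, addr);
    return cmd;
}

/* Hardened pattern: validate the name, then run the hook with an argv
 * vector via fork/execv so no shell parses the arguments. Argument layout
 * (operation, name, address) is an assumption for this example.
 * Returns the hook's exit status, -1 if the name is rejected, -2 on
 * fork/exec/wait failure. */
int run_hook_safe(const char *hook, const char *op, const char *name, const char *addr)
{
    int status;
    pid_t pid;

    if (!wins_name_is_safe(name)) return -1;   /* reject before any process is spawned */
    pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { (char *)hook, (char *)op, (char *)name, (char *)addr, NULL };
        execv(hook, argv);
        _exit(127);                            /* exec failed; never fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    const char *hook = "/usr/local/bin/wins-hook";   /* hypothetical hook path */
    const char *evil = "HOST;id";                    /* constructed hostile WINS name */
    char *cmd = build_hook_command_unsafe(hook, "add", evil, "192.0.2.10");

    printf("shell would run : %s\n", cmd ? cmd : "(alloc failed)");
    printf("safe path result: %d (expect -1, name rejected)\n",
           run_hook_safe(hook, "add", evil, "192.0.2.10"));
    free(cmd);
    return 0;
}
```

Two independent defences are shown on purpose. Switching from a shell command line to execv() removes the injection even if a bad name slips through, and the allowlist stops hostile names from reaching the hook script at all, which matters because the script itself may pass its arguments on to other shell commands.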
The tarballs have been signed with GnuPG (key ID AA99442FB680B620); verify the signature against that key before building. The source code is available from the Samba download site.