Douglas Bagnall found, using Honggfuzz, a free() of uninitialised data in the generated code for ASN.1.
The initial case is in KrbFastArmoredReq, thankfully something Samba doesn't have a codepath to; however, as the issue is generic we need to be careful in case another case is used.
(Samba will have a codepath to KrbFastArmoredReq once the Heimdal upgrade is merged from https://gitlab.com/samba-team/samba/-/merge_requests/2014)
The other codepaths towards this are in rfc2459, but a careful analysis shows that the enums chosen by the compiler all start with value 1 and the structure is zeroed with a memset(data, 0, sizeof(*data)).
Therefore production Samba is not impacted.
Removing the embargo as Heimdal has released with this. Samba will look to include the fix for this in Samba 4.15 (which doesn't use a modern Heimdal and the template compiler) in the next security release on a 'to be sure' basis.