CVE-2021-25370
Published: 26 March 2021
Summary
CVE-2021-25370 is a medium-severity Use After Free (CWE-416) vulnerability in Samsung Android. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 34.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2021-25370 stems from an incorrect implementation of file descriptor handling in the DPU driver, which produces memory corruption and a subsequent kernel panic. It affects Samsung devices running versions prior to the SMR Mar-2021 Release 1. The flaw is tracked under CWE-416 and CWE-703 and carries a CVSS 3.1 score of 6.1.
Exploitation requires physical access to a device, high attack complexity, and high privileges; successful attacks can produce high impacts on confidentiality, integrity, and availability, although the immediate technical outcome described is a kernel panic that crashes the system.
Samsung security bulletins for the March 2021 maintenance release contain the corresponding patches and device-specific remediation guidance. The CVE is also catalogued by CISA among known exploited vulnerabilities, confirming observed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12266
Vulnerability details
An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.
- CWE(s)
- KEV Date Added: 08 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch (SMR Mar-2021 Release 1) that corrects the file-descriptor handling flaw in the DPU driver.
- SI-16 (Memory Protection): enforces memory-protection mechanisms that can block or contain the use-after-free / memory-corruption primitive described in the CVE.
- Process isolation: limits the blast radius of a kernel-memory corruption bug originating in a device driver.