Cyber Resilience

CVE-2021-25372

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 March 2021
Modified: 14 January 2026
KEV added: 29 June 2023
Patch: available
CVSS v3.1 score: 6.1 (vector CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0176 (83.0th percentile)
Risk priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-25372 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Samsung Android. Its CVSS base score is 6.1 (Medium).

Operationally, it is ranked in the top 17.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an improper boundary check in the DSP driver that permits out-of-bounds memory access. It affects the DSP driver in Samsung devices prior to the SMR Mar-2021 Release 1. The associated CWEs are out-of-bounds write (CWE-787) and improper check or handling of exceptional conditions.

Exploitation requires physical access to the device (AV:P), high attack complexity (AC:H) and high privileges (PR:H), after which an attacker can achieve high impact on confidentiality, integrity, and availability. The CVSS vector confirms that the attack needs physical access rather than network reach and does not rely on user interaction (UI:N).

Samsung security advisories direct users to apply the March 2021 maintenance release that resolves the issue in the DSP driver. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.

EU & UK References

Vulnerability details

An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.

CWE(s): CWE-787 (Out-of-bounds Write); improper check or handling of exceptional conditions
KEV date added: 29 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: samsung
Product: android
Versions: 10.0, 11.0

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: directly requires timely application of the March 2021 DSP driver patch that eliminates the improper boundary check.

SI-10 (Information Input Validation), prevent: enforces input validation and boundary checking that would have prevented the out-of-bounds memory access in the DSP driver.

SI-16 (Memory Protection), prevent: provides memory-protection mechanisms that can contain or block exploitation of the out-of-bounds read/write condition.

References