CVE-2021-25372
Published: 26 March 2021
Summary
CVE-2021-25372 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Samsung Android. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 17.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an improper boundary check in the DSP driver that permits out of bounds memory access. It affects the DSP driver in Samsung devices prior to the SMR Mar-2021 Release 1, as indicated by the associated CWEs for out-of-bounds write and improper check or handling of exceptional conditions.
Exploitation requires physical access to the device along with high attack complexity and high privileges, after which an attacker can achieve high impact on confidentiality, integrity, and availability. The CVSS vector confirms the attack is local and does not rely on user interaction.
Samsung security advisories direct users to apply the March 2021 maintenance release that resolves the issue in the DSP driver. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12268
Vulnerability details
An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.
- CWE(s)
- KEV Date Added
- 29 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the March 2021 DSP driver patch that eliminates the improper boundary check.
Enforces input validation and boundary checking that would have prevented the out-of-bounds memory access in the DSP driver.
Provides memory-protection mechanisms that can contain or block exploitation of the out-of-bounds read/write condition.