CVE-2021-25394
Published: 11 June 2021
Summary
CVE-2021-25394 is a medium-severity Use After Free (CWE-416) vulnerability in Samsung Android. Its CVSS base score is 6.4 (Medium).
Operationally, it ranks in the top 36.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2021-25394 is a use-after-free vulnerability (CWE-416) resulting from a race condition (CWE-362) in the MFC charger driver on Samsung mobile devices. It affects builds prior to the SMR MAY-2021 Release 1 security maintenance update and carries a CVSS 3.1 score of 6.4 reflecting local access, high attack complexity, and high privileges required.
An attacker who has already obtained radio-level privileges on the device can exploit the flaw to perform an arbitrary kernel write. Successful exploitation grants the ability to corrupt memory and potentially escalate privileges or achieve further code execution within the kernel context.
Samsung's May 2021 security bulletin addresses the issue by shipping the corrected MFC charger driver in SMR MAY-2021 Release 1 and subsequent monthly updates. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog, indicating that exploitation in the wild has been observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12290
Vulnerability details
A use after free vulnerability via race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows arbitrary write given a radio privilege is compromised.
- CWE(s): CWE-416 (Use After Free), CWE-362 (Race Condition)
- KEV Date Added: 29 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the SMR MAY-2021 patch that eliminates the race condition and use-after-free in the MFC charger driver.
- AC-6 (Least Privilege): Enforces least privilege so that compromise of radio-level rights does not automatically grant the kernel write capability described in the CVE.
- Process isolation: Limits the blast radius of a use-after-free in a kernel driver, preventing arbitrary memory corruption from escaping the compromised radio context.
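The SI-2 control above comes down to verifying that every managed Samsung device is on SMR MAY-2021 Release 1 or later. The following is an added example (not code from this page, Samsung or CISA) of a fleet-triage helper that parses the `ro.build.version.security_patch` property as reported by `adb shell getprop` and flags devices still on an earlier patch level. It assumes that SMR MAY-2021 Release 1 corresponds to the Android security patch level string `2021-05-01`; the `getprop` output and the model name `SM-EXAMPLE` are constructed sample data.

```python
import re
from datetime import date

# Assumption (added example): SMR MAY-2021 Release 1 ships with the Android
# security patch level 2021-05-01 in ro.build.version.security_patch.
FIXED_PATCH_LEVEL = date(2021, 5, 1)

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
# `getprop` prints one "[key]: [value]" pair per line.
_GETPROP_RE = re.compile(r"\[([^\]]+)\]: \[([^\]]*)\]")


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string into a date; return None if malformed."""
    match = _PATCH_RE.match(value.strip())
    if not match:
        return None
    try:
        return date(*(int(part) for part in match.groups()))
    except ValueError:  # e.g. month 13 or day 32
        return None


def is_patched(patch_level):
    """True only if the patch level is at or after the fixed release.

    An unparseable or missing value is treated as unpatched (fail closed), so a
    device that cannot prove its patch level is queued for remediation.
    """
    level = parse_patch_level(patch_level)
    return level is not None and level >= FIXED_PATCH_LEVEL


def assess_getprop(getprop_output):
    """Triage one device from raw `getprop` output.

    Returns a dict with the model, the reported patch level and whether the
    device is still exposed to CVE-2021-25394 under the assumption above.
    """
    props = dict(_GETPROP_RE.findall(getprop_output))
    level = props.get("ro.build.version.security_patch", "")
    return {
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": level or "missing",
        "vulnerable_to_cve_2021_25394": not is_patched(level),
    }


# Constructed sample output of `adb shell getprop` for two devices.
SAMPLE_UNPATCHED = """\
[ro.product.model]: [SM-EXAMPLE]
[ro.build.version.security_patch]: [2021-04-01]
[ro.build.version.release]: [11]
"""

SAMPLE_PATCHED = """\
[ro.product.model]: [SM-EXAMPLE]
[ro.build.version.security_patch]: [2021-06-01]
[ro.build.version.release]: [11]
"""


if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED):
        print(assess_getprop(sample))
```

The patch level is a floor, not proof that a specific fix is present, because the property records the Android security patch level and not individual Samsung SVE items; it is a useful first-pass filter for picking devices that definitely need the SMR MAY-2021 update, with bulletin cross-checks for anything that sits exactly on the boundary.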