CVE-2021-25487
Published: 06 October 2021
Summary
CVE-2021-25487 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Samsung Android. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 14.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an out-of-bounds read (CWE-125) caused by missing boundary checks on a buffer inside the set_skb_priv() function of the modem interface driver. It affects Samsung devices running versions of this driver prior to the SMR Oct-2021 Release 1 and carries a CVSS 3.1 score of 7.3 with local attack vector, low complexity, and low privileges required.
A local attacker who can reach the modem interface driver can trigger the OOB read, which leads to dereferencing an invalid function pointer and subsequent arbitrary code execution. The impact includes high confidentiality exposure and limited integrity modification within a changed security scope, while availability remains unaffected.
Samsung's October 2021 security bulletin addresses the issue through the SMR Oct-2021 Release 1 update that corrects the missing bounds check. The vulnerability is also catalogued by CISA among known exploited vulnerabilities, indicating that device operators should apply the vendor patch as a priority mitigation.
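The root cause described above and in the vulnerability details below is a table lookup driven by an unvalidated index: an out-of-range index reads past the end of a function-pointer table (CWE-125) and the garbage that is read is then called. The following C program is an added, hypothetical illustration of that pattern beside the bounds-checked form the SI-10 control calls for; it is not code from the Samsung modem interface driver, and every name in it (skb_priv, handler_table, set_priv_unchecked, set_priv_checked) is an assumption.

```c
/* Added illustration of the CWE-125 pattern discussed on this page.
 * All names are hypothetical; nothing here is taken from the Samsung driver. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef int (*priv_handler_t)(int value);

static int handle_low(int v)  { return v + 1; }
static int handle_mid(int v)  { return v * 2; }
static int handle_high(int v) { return v * 10; }

/* Fixed-size table of function pointers selected by a caller-supplied index. */
static const priv_handler_t handler_table[] = { handle_low, handle_mid, handle_high };
#define HANDLER_COUNT (sizeof(handler_table) / sizeof(handler_table[0]))

/* Constructed stand-in for the private data attached to a buffer. */
struct skb_priv {
    size_t handler_idx;   /* untrusted: chosen by whoever reaches the driver */
    int    value;
};

/* VULNERABLE PATTERN (do not use): the index is trusted as-is. An index
 * >= HANDLER_COUNT reads past the table (CWE-125); whatever bytes sit there
 * are then used as a function pointer and called. */
static int set_priv_unchecked(const struct skb_priv *p)
{
    return handler_table[p->handler_idx](p->value);   /* OOB read if idx >= 3 */
}

/* HARDENED: validate the index before the lookup (NIST 800-53 SI-10,
 * information input validation). Returns false and leaves *out untouched
 * when the input is rejected, so no out-of-bounds read ever happens. */
static bool set_priv_checked(const struct skb_priv *p, int *out)
{
    if (p == NULL || out == NULL || p->handler_idx >= HANDLER_COUNT)
        return false;                     /* reject instead of reading past the table */
    *out = handler_table[p->handler_idx](p->value);
    return true;
}

int main(void)
{
    /* Constructed inputs: one in range, one deliberately out of range. */
    struct skb_priv good = { .handler_idx = 1, .value = 21 };
    struct skb_priv bad  = { .handler_idx = 7, .value = 21 };
    int result = 0;

    if (set_priv_checked(&good, &result))
        printf("idx %zu accepted, result %d\n", good.handler_idx, result);
    if (!set_priv_checked(&bad, &result))
        printf("idx %zu rejected: table has only %zu entries\n",
               bad.handler_idx, HANDLER_COUNT);
    return 0;
}
```

The check is deliberately placed before the array access rather than after it, and it compares against the table size derived from the array itself, so the bound cannot drift out of sync with the table if handlers are added later. Note that the unchecked variant is only ever safe to call with an index below HANDLER_COUNT; calling it with anything else is undefined behaviour, which is exactly the defect the vendor patch removes.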
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12383
Vulnerability details
Lack of boundary checking of a buffer in set_skb_priv() of the modem interface driver prior to SMR Oct-2021 Release 1 allows an OOB read, which results in arbitrary code execution through dereference of an invalid function pointer.
- CWE(s): CWE-125 (Out-of-bounds Read)
- KEV Date Added: 29 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Samsung Android devices running the modem interface driver prior to SMR Oct-2021 Release 1
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces boundary and range checks on data supplied to set_skb_priv(), blocking the OOB read that precedes the invalid function-pointer dereference.
- SI-2 (Flaw Remediation): requires timely application of the vendor patch (SMR Oct-2021 Release 1) that supplies the missing bounds check inside the modem driver.
- SI-16 (Memory Protection): memory-protection mechanisms (DEP, ASLR) raise the difficulty of converting the resulting invalid function-pointer dereference into reliable arbitrary code execution.