
CVE-2021-25487

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 06 October 2021
Modified: 30 October 2025
KEV Added: 29 June 2023
Patch: SMR Oct-2021 Release 1
CVSS Score (v3.1): 7.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score: 0.0256 (85.8th percentile)
Risk Priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-25487 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Samsung Android. Its CVSS base score is 7.3 (High).

Operationally, it is ranked in the top 14.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an out-of-bounds read (CWE-125) caused by missing boundary checks on a buffer inside the set_skb_priv() function of the modem interface driver. It affects Samsung devices running versions of this driver prior to SMR Oct-2021 Release 1 and carries a CVSS 3.1 score of 7.3: local attack vector, low attack complexity, low privileges required, and no user interaction.

A local attacker who can reach the modem interface driver can trigger the OOB read, which leads to dereferencing an invalid function pointer and subsequent arbitrary code execution. The impact includes high confidentiality exposure and limited integrity modification within a changed security scope, while availability remains unaffected.

Samsung's October 2021 security bulletin addresses the issue through the SMR Oct-2021 Release 1 update that corrects the missing bounds check. The vulnerability is also catalogued by CISA among known exploited vulnerabilities, indicating that device operators should apply the vendor patch as a priority mitigation.


Vulnerability details

Lack of boundary checking of a buffer in set_skb_priv() of the modem interface driver prior to SMR Oct-2021 Release 1 allows an OOB read, which results in arbitrary code execution via dereference of an invalid function pointer.

CWE(s): CWE-125 (Out-of-bounds Read)
KEV Date Added: 29 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: samsung
Product: android
Versions: 10.0, 11.0, 8.1, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly enforces boundary and range checks on data supplied to set_skb_priv() to block the OOB read that precedes the invalid function-pointer dereference.

prevent (SI-2, Flaw Remediation): Requires timely application of the vendor patch (SMR Oct-2021 Release 1) that supplies the missing bounds check inside the modem driver.

prevent: Memory-protection mechanisms (DEP, ASLR) raise the difficulty of converting the resulting invalid function-pointer dereference into reliable arbitrary code execution.
