Cyber Resilience

CVE-2021-25489

Low · CISA KEV · Active Exploitation · EUVD Exploited

Published: 06 October 2021

Modified: 30 October 2025
KEV Added: 29 June 2023
Patch
CVSS Score v3.1: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0035 (57.5th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-25489 is a low-severity Improper Input Validation (CWE-20) vulnerability in Samsung Android. Its CVSS base score is 3.3 (Low).

Operationally, it ranks in the top 42.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-25489 is a format string vulnerability resulting from missing input validation in the modem interface driver on affected Samsung devices. The flaw, present prior to the SMR Oct-2021 Release 1, is tracked under CWE-20 and CWE-134 and can be triggered when radio permissions have already been obtained, ultimately causing a kernel panic.

An attacker with local access and the ability to exercise radio permissions can supply malicious input to the driver, leading to denial of service through the resulting kernel panic. The CVSS 3.3 score reflects limited impact consisting solely of low availability loss with no confidentiality or integrity effects.

Samsung's October 2021 security bulletin addresses the issue via the SMR Oct-2021 Release 1 update. The vulnerability is also catalogued by CISA as one known to have been exploited in the wild.

Vulnerability details

Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.

CWE(s)
KEV Date Added: 29 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

samsung android (versions 10.0, 11.0, 8.1, 9.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input to the modem interface driver, eliminating the unsanitized format strings that trigger the kernel panic.

respond · recover

Mandates prompt application of the SMR Oct-2021 Release 1 patch that corrects the missing input validation in the driver.

prevent

Restricts which processes or apps may obtain radio permissions, reducing the attack surface that can reach the vulnerable modem interface.
