CVE-2025-20890

High

Published: 04 February 2025

Published

04 February 2025

Modified

12 February 2025

KEV Added

—

Patch

—

CVSS Score 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20890 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Samsung Android. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds write vulnerability by applying the vendor-provided patch in SMR Jan-2025 Release 1.

SI-16 Memory Protection good match

prevent

Provides memory protections such as address space layout randomization and stack guards to block exploitation of the out-of-bounds write for arbitrary code execution.

SI-10 Information Input Validation partial match

prevent

Validates inputs to the frame buffer decoder to restrict malformed data that could trigger the out-of-bounds write during decoding.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Out-of-bounds write enables local arbitrary code execution with elevated privileges, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds write in decoding frame buffer in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.

Deeper analysisAI

CVE-2025-20890 is an out-of-bounds write vulnerability (CWE-787) in the decoding frame buffer of libsthmbc.so, affecting versions prior to SMR Jan-2025 Release 1. Published on 2025-02-04 with a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), it enables local attackers to execute arbitrary code with elevated privileges.

Local attackers with no required privileges can exploit this vulnerability, but it demands high attack complexity and user interaction to trigger. Successful exploitation allows arbitrary code execution with privileges, potentially leading to full system compromise on affected Samsung devices.

Samsung's security update advisory for January 2025, available at https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01, addresses this issue through the SMR Jan-2025 Release 1, which practitioners should apply to mitigate the vulnerability.

Details

CWE(s): CWE-787

Affected Products

samsung

android

12.0, 13.0, 14.0

CVEs Like This One

CVE-2025-20888Same product: Samsung Android

CVE-2025-20882Same product: Samsung Android

CVE-2025-20881Same product: Samsung Android

CVE-2025-21042Same product: Samsung Android

CVE-2026-20979Same product: Samsung Android

CVE-2026-20983Same product: Samsung Android

CVE-2025-21043Same product: Samsung Android

CVE-2026-21010Same product: Samsung Android

CVE-2026-20971Same product: Samsung Android

CVE-2026-20970Same product: Samsung Android

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01
Vendor Advisory · mobile.security@samsung.com