CVE-2025-20918

Medium

Published: 06 March 2025

Published

06 March 2025

Modified

16 July 2025

KEV Added

—

Patch

—

CVSS Score 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0023 45.8th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20918 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Samsung Notes. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation by updating Samsung Notes to version 4.4.26.71 or later, directly eliminating the out-of-bounds read vulnerability.

SI-16 Memory Protection good match

prevent

Enforces memory protection mechanisms such as bounds checking and address space layout randomization to prevent out-of-bounds reads disclosing sensitive memory.

SI-10 Information Input Validation partial match

prevent

Validates extra data inputs applied to base content in Samsung Notes to block malformed data triggering the out-of-bounds read.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The out-of-bounds read enables local memory disclosure of application or process data, directly facilitating collection of sensitive information from the local system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Out-of-bounds read in applying extra data of base content in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory.

Deeper analysisAI

CVE-2025-20918 is an out-of-bounds read vulnerability (CWE-125) in the Samsung Notes application prior to version 4.4.26.71. The flaw occurs when applying extra data of base content, enabling attackers to read memory outside the intended bounds. It has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), rated as medium severity due to its local confidentiality impact.

A local attacker with low privileges can exploit this vulnerability without user interaction. By triggering the out-of-bounds read during content processing in Samsung Notes, the attacker can disclose sensitive information from memory, such as application data or potentially other process memory, though it does not allow integrity modification or denial of service.

Samsung's security advisory for March 2025, available at https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=03, addresses this issue. Mitigation involves updating Samsung Notes to version 4.4.26.71 or later, which resolves the out-of-bounds read in base content handling.

Details

CWE(s): CWE-125

Affected Products

samsung

notes

≤ 4.4.26.71

CVEs Like This One

CVE-2025-20920Same product: Samsung Notes

CVE-2025-20914Same product: Samsung Notes

CVE-2025-20922Same product: Samsung Notes

CVE-2025-20915Same product: Samsung Notes

CVE-2025-20916Same product: Samsung Notes

CVE-2025-20919Same product: Samsung Notes

CVE-2025-20921Same product: Samsung Notes

CVE-2025-20917Same product: Samsung Notes

CVE-2025-20931Same product: Samsung Notes

CVE-2025-20929Same product: Samsung Notes

References

https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=03
Vendor Advisory · mobile.security@samsung.com