Cyber Resilience

CVE-2025-20921

Medium

Published: 06 March 2025

Published
06 March 2025
Modified
16 July 2025
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0023 46.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20921 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Samsung Notes. Its CVSS base score is 5.5 (Medium).

Operationally, ranked at the 46.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-20921 is an out-of-bounds read vulnerability (CWE-125) affecting Samsung Notes versions prior to 4.4.26.71. The flaw occurs during the application of binary data to text content, enabling attackers to access memory outside the intended boundaries.

Exploitation requires local access, low attack complexity, and low privileges, with no user interaction needed. A successful attack yields high confidentiality impact by disclosing sensitive out-of-bounds memory contents, while integrity and availability remain unaffected (CVSS 5.5: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Samsung's security advisory for March 2025, accessible at https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=03, addresses the issue, with mitigation achieved by updating to Samsung Notes version 4.4.26.71 or later.

EU & UK References

Vulnerability details

Out-of-bounds read in applying binary of text content in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20916Same product: Samsung Notes
CVE-2025-20918Same product: Samsung Notes
CVE-2025-20922Same product: Samsung Notes
CVE-2025-20915Same product: Samsung Notes
CVE-2025-20914Same product: Samsung Notes
CVE-2025-20919Same product: Samsung Notes
CVE-2025-20917Same product: Samsung Notes
CVE-2025-20920Same product: Samsung Notes
CVE-2025-20931Same product: Samsung Notes
CVE-2025-20929Same product: Samsung Notes

Affected Assets

samsung
notes
≤ 4.4.26.71

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of known flaws like CVE-2025-20921 through vendor patches such as Samsung Notes 4.4.26.71.

prevent

Implements memory protection mechanisms that prevent exploitation of out-of-bounds read vulnerabilities by restricting unauthorized memory access.

prevent

Requires validation of information inputs like binary data applied to text content, mitigating malformed inputs that trigger the out-of-bounds read.

References