← back
CVE-2021-25487

CVE-2021-25487

CVSS 7.3 HIGHEPSS 0.6%● KEVCWE-125
Vexday Risk Score
51Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.3EPSS 0.6%KEV simPoC Patch
Lifecycle
06 Oct 2021Published on NVD
29 Jun 2023Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A modem driver fails to check buffer boundaries, allowing someone to read memory beyond intended limits and potentially execute malicious code by manipulating function pointers.

Technical detail

CWE-125 out-of-bounds read in set_skb_priv() function lacks input validation on buffer operations, enabling information disclosure and arbitrary code execution through invalid function pointer dereference. Exploitation requires interaction with the modem interface driver prior to SMR Oct-2021 Release 1 patches.

Summary generated and translated by AI from the official description.
Lack of boundary checking of a buffer in set_skb_priv() of modem interface driver prior to SMR Oct-2021 Release 1 allows OOB read and it results in arbitrary code execution by dereference of invalid function pointer.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected products
Samsung Mobile · Samsung Mobile Devices

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25487