CVE-2021-25489

CVSS 3.3 LOWEPSS 0.5%● KEVCWE-20

Vexday Risk Score

38Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 3.3EPSS 0.5%KEV simPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Oct 2021Published on NVD

29 Jun 2023Active exploitation (CISA KEV)

Recommendation: Plan a near-term fix — a public PoC already exists.

In short

A format string vulnerability in the modem interface driver allows an attacker with radio permission to crash the system kernel by sending specially crafted input that isn't properly validated.

Technical detail

The modem interface driver fails to validate user-supplied format strings before processing them, enabling a local attacker with radio privileges to trigger a format string attack that causes kernel panic. Exploitation requires prior radio permission and malicious input to the driver interface.

Summary generated and translated by AI from the official description.

Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected products

Samsung Mobile · Samsung Mobile Devices

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25489