CVE-2021-25470 — Code Injection in Mobile Devices

CWE-94 — Code Injection CWE-863 — Incorrect Authorization3 documents3 sources

Severity

7.9HIGHNVD

EPSS

0.0%

top 87.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Devices Google Android

Timeline

PublishedOct 6

Latest updateMay 24

Description

An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:NExploitability: 1.5 | Impact: 5.8

Affected Packages2 packages

▶CVEListV5samsung_mobile/samsung_mobile_devicesSelect P(9.0), Q(10.0), R(11.0) devices with Exynos and Mediatek chipsets — SMR Oct-2021 Release 1

▶NVDgoogle/android10.0, 11.0, 9.0+2

🔴Vulnerability Details

GHSA

GHSA-36m5-2rw3-hr39: An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE↗2022-05-24

▶

CVEList

CVE-2021-25470: An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE↗2021-10-06

▶