⚠ Actively exploited
Added to CISA KEV on 2023-06-29. Federal agencies required to patch by 2023-07-20. Required action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
CVE-2021-25489 — Improper Input Validation in Mobile Devices
Severity
NVD: 5.5 MEDIUM
CNA: 3.3
VulnCheck: 3.3
EPSS
0.4% (top 41.57%)
CISA KEV
Added 2023-06-29, due 2023-07-20
Exploit
Exploited in the wild; active exploitation observed
Timeline
Published: Oct 6
KEV added: Jun 29
KEV due: Jul 20
Description
Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6
Affected Packages (2 packages)
CVEListV5: samsung_mobile/samsung_mobile_devices, O(8.1), P(9.0), Q(10.0), R(11.0) — SMR Oct-2021 Release 1
🔴 Vulnerability Details (3)
GHSA
GHSA-hmpv-pvg5-4fpq: Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug l (2022-05-24)
CVEList
CVE-2021-25489: Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug l (2021-10-06)