CVE-2023-26496
published 2023-03-23CVE-2023-26496: An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. Memory…
PriorityP357critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
24.08%
97.6th percentile
An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. Memory corruption can occur due to improper checking of the parameter length while parsing the fmtp attribute in the SDP (Session Description Protocol) module.
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pqvr-f3f6-cc4q: An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124
ghsa_unreviewed·2023-03-23
CVE-2023-26496 [CRITICAL] CWE-787 GHSA-pqvr-f3f6-cc4q: An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124
An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. Memory corruption can occur due to improper checking of the parameter length while parsing the fmtp attribute in the SDP (Session Description Protocol) module.
Project0
Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems - Project Zero
project_zero·2023-03-01·CVSS 7.5
CVE-2023-24033 [HIGH] Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems - Project Zero
Posted by Tim Willis, Project Zero
In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
The fourteen
OSV
CVE-2023-26496: In TBD of TBD, there is a possible out of bounds write due to a heap buffer overflow
osv·2023-03-01
CVE-2023-26496 CVE-2023-26496: In TBD of TBD, there is a possible out of bounds write due to a heap buffer overflow
In TBD of TBD, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
No detection rules found.
No public exploits indexed.
https://semiconductor.samsung.com/processor/mobile-processor/https://semiconductor.samsung.com/processor/modem/https://semiconductor.samsung.com/support/quality-support/product-security-updates/https://semiconductor.samsung.com/processor/mobile-processor/https://semiconductor.samsung.com/processor/modem/https://semiconductor.samsung.com/support/quality-support/product-security-updates/
2023-03-23
Published