Samsung Mobile Devices vulnerabilities

CVE-2021-25396 [MEDIUM] CWE-787 CVE-2021-25396: An improper input validation vulnerability in NPU firmware prior to SMR MAY-2021 Release 1 allows ar An improper input validation vulnerability in NPU firmware prior to SMR MAY-2021 Release 1 allows arbitrary memory write and code execution.

CVE-2021-25394 [MEDIUM] CWE-416 CVE-2021-25394: A use after free vulnerability via race condition in MFC charger driver prior to SMR MAY-2021 Releas A use after free vulnerability via race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows arbitrary write given a radio privilege is compromised.

CVE-2021-25389 [MEDIUM] CWE-287 CVE-2021-25389: Improper running task check in S Secure prior to SMR MAY-2021 Release 1 allows attackers to use lock Improper running task check in S Secure prior to SMR MAY-2021 Release 1 allows attackers to use locked app without authentication.

CVE-2021-25395 [MEDIUM] CWE-362 CVE-2021-25395: A race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows local attackers to byp A race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows local attackers to bypass signature check given a radio privilege is compromised.

CVE-2021-25392 [MEDIUM] CWE-200 CVE-2021-25392: Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allo Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.

CVE-2021-25411 [MEDIUM] CWE-94 CVE-2021-25411: Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root pri Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory.

CVE-2021-25413 [MEDIUM] CWE-20 CVE-2021-25413: Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.

CVE-2021-25397 [MEDIUM] CWE-926 CVE-2021-25397: An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.

CVE-2021-25409 [LOW] CWE-703 CVE-2021-25409: Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device.

CVE-2021-25382 [MEDIUM] CWE-285 CVE-2021-25382: An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.

CVE-2021-25360 [CRITICAL] CWE-122 CVE-2021-25360: An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.

CVE-2021-25361 [HIGH] CWE-22 CVE-2021-25361: An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1 allows loc An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1 allows local attackers to read or write arbitrary files of system process via untrusted applications.

CVE-2021-25356 [HIGH] CWE-20 CVE-2021-25356: An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allow An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application.

CVE-2021-25365 [HIGH] CWE-269 CVE-2021-25365: An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applic An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd.

CVE-2021-25362 [MEDIUM] CWE-269 CVE-2021-25362: An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files.

CVE-2021-25363 [MEDIUM] CWE-269 CVE-2021-25363: An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untruste An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processesdelete some local files.

CVE-2021-25357 [MEDIUM] CWE-200 CVE-2021-25357: A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.

CVE-2021-25364 [LOW] CWE-200 CVE-2021-25364: A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unpr A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.

CVE-2021-25358 [LOW] CWE-256 CVE-2021-25358: A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows l A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.

CVE-2021-25359 [LOW] CWE-284 CVE-2021-25359: An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP infor An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.