CVE-2025-23103 (EUVD-2025-16752)

Severity: HIGH, CVSS 3.1 base score 8.6
Published: 2025-06-03 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 17:04 (euvd), EUVD-2025-16752
Analysis Generated: Mar 14, 2026 - 17:04 (vuln.today)
CVE Published: Jun 03, 2025 - 16:15 (nvd), rated HIGH 8.6

Description

An issue was discovered in Samsung Mobile Processor Exynos 1480 and 2400. The lack of a length check leads to out-of-bounds writes.

Analysis

CVE-2025-23103 is an out-of-bounds write vulnerability in Samsung's Exynos 1480 and 2400 mobile processors caused by a missing length check. Per the CVSS vector, it is reachable over the network by an unauthenticated attacker without user interaction and yields high confidentiality impact with low integrity and availability impact (I:L/A:L). The CVSS base score of 8.6, combined with low attack complexity and no privilege requirements, makes it a significant risk to Samsung Galaxy devices built on these processors; exploitation status and active use in the wild have not been confirmed at this time.

Technical Context

The vulnerability exists in the Samsung Mobile Processor Exynos 1480 and 2400 SoCs (System-on-Chip), the primary application processors in a range of Samsung Galaxy flagship and mid-range devices. The root cause is classified as CWE-787 (Out-of-bounds Write): code that processes externally supplied data writes to a buffer without first validating the input length, so an oversized input can overwrite adjacent heap or stack memory. Because the Exynos SoC also hosts low-level hardware operations, cryptographic functions, and secure enclave processing, a memory-corruption flaw at this level can undermine the device's entire security model. The exact affected component has not been disclosed; the missing length check and the network attack vector suggest firmware or bootloader code that parses protocol messages, most likely in network stack handling or a secure communication channel, but this remains an inference rather than a confirmed detail.

Affected Products

Samsung Mobile Processor Exynos 1480 and Samsung Mobile Processor Exynos 2400. These processors are integrated into Samsung Galaxy S-series, Galaxy A-series, and Galaxy Tab devices manufactured from approximately 2023 onwards. Specific affected device models include but are not limited to: Galaxy S24, S24+, S24 Ultra (Exynos 2400), Galaxy S23 FE, Galaxy A54, and mid-to-premium range tablets. CPE identifiers: cpe:2.3:h:samsung:exynos_1480:*:*:*:*:*:*:*:* and cpe:2.3:h:samsung:exynos_2400:*:*:*:*:*:*:*:*. All devices using these SoCs, in any region, are affected regardless of firmware version until a patch is applied.

Remediation

Samsung must release firmware/bootloader patches addressing the length validation flaw in affected Exynos processors. Users should:

(1) Apply all available Samsung security updates immediately upon release, prioritizing devices with Exynos 1480/2400.
(2) Monitor Samsung Security Advisory pages for firmware patches specific to CVE-2025-23103.
(3) Avoid untrusted networks and disable unnecessary network services pending patches.
(4) Enable all available security features (Knox, SELinux enforcement).
(5) Consider network segmentation for critical Samsung devices.

Vendor mitigation may include disabling vulnerable firmware code paths if identified. Samsung should release coordinated security advisories with clear device model mapping and a patch timeline. Patch availability dates and version numbers should be published immediately to samsung.com/security.

Priority Score

Score: 43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0
