Samsung CVE-2025-62818

EUVD-2025-209268 | CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-07 | mitre | GHSA-6279-562x-78g7
CVSS 3.1: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 15:00 (euvd), EUVD-2025-209268
Analysis Generated: Apr 07, 2026 - 15:00 (vuln.today)
CVE Published: Apr 07, 2026 - 00:00 (nvd), CRITICAL 9.8

Description (NVD)

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet.

Analysis (AI)

Out-of-bounds write in Samsung Exynos chipsets (processors 980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, wearables W920/W930/W1000, modems 5123/5300/5400) allows unauthenticated remote attackers to achieve arbitrary code execution via malformed SMS TP-UD packets. Exploitation occurs through TP-UDHI/UDL value mismatch during SMS message parsing, enabling network-level attacks without user interaction. No public exploit identified at time of analysis.

Technical Context (AI)

Out-of-bounds write (CWE-787) in the SMS Transfer Protocol User Data (TP-UD) parser. A mismatch between the User Data Header Indicator (TP-UDHI) flag and the User Data Length (UDL) field triggers memory corruption during baseband modem processing. The attack surface is exposed through standard cellular SMS delivery mechanisms and requires no physical device access.
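A defensive consistency check for the TP-UDHI/UDL relationship described above, as an added example: it is not Samsung's code and not taken from the advisory, and the names (tpud_check, tpud_layout) and sample bytes are hypothetical. It assumes the 3GPP TS 23.040 layout, where UDL counts septets for the 7-bit alphabet and octets otherwise, and the first TP-UD octet is UDHL when TP-UDHI is set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TPUD_OK = 0, TPUD_UDL_TOO_BIG = -1, TPUD_TRUNCATED = -2, TPUD_UDH_OVERRUN = -3 };
struct tpud_layout { size_t hdr_octets; size_t body_units; };

/* Constructed samples: 6-octet concatenation header (UDHL=5) + "hi", and the
 * same bytes with UDHL raised to 0x0A so the header claims more than UDL. */
static const uint8_t sample_ok[]  = {0x05, 0x00, 0x03, 0x2A, 0x02, 0x01, 'h', 'i', 0x00};
static const uint8_t sample_bad[] = {0x0A, 0x00, 0x03, 0x2A, 0x02, 0x01, 'h', 'i', 0x00};

/* udl is in septets when seven_bit is set, otherwise octets (TS 23.040).
 * ud/ud_len are the octets actually received after the TP-UDL field. */
int tpud_check(int udhi, unsigned udl, int seven_bit,
               const uint8_t *ud, size_t ud_len, struct tpud_layout *out)
{
    size_t max_udl = seven_bit ? 160 : 140;       /* TP-UD is at most 140 octets */
    if (udl > max_udl) return TPUD_UDL_TOO_BIG;
    size_t need = seven_bit ? ((size_t)udl * 7 + 7) / 8 : udl;
    if (need > ud_len) return TPUD_TRUNCATED;     /* UDL claims more than arrived */
    out->hdr_octets = 0;
    out->body_units = udl;
    if (!udhi) return TPUD_OK;
    if (need == 0) return TPUD_UDH_OVERRUN;       /* UDHI set but no UDHL octet */
    size_t hdr = (size_t)ud[0] + 1;               /* UDHL plus the UDHL octet itself */
    size_t hdr_units = seven_bit ? (hdr * 8 + 6) / 7 : hdr; /* septets incl. fill bits */
    if (hdr_units > udl) return TPUD_UDH_OVERRUN; /* checked before subtracting */
    out->hdr_octets = hdr;
    out->body_units = udl - hdr_units;            /* cannot wrap after the check */
    return TPUD_OK;
}

int main(void)
{
    struct tpud_layout l;
    int rc = tpud_check(1, 8, 0, sample_ok, sizeof sample_ok, &l);
    printf("consistent: rc=%d hdr=%zu body=%zu\n", rc, l.hdr_octets, l.body_units);
    rc = tpud_check(1, 8, 0, sample_bad, sizeof sample_bad, &l);
    printf("mismatch:   rc=%d\n", rc);
    return 0;
}
```

The body length is only computed after the header size has been compared against UDL, so a copy sized from body_units cannot be driven by an unsigned wrap.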

Remediation (AI)

Vendor-released security update available through Samsung Semiconductor product security updates portal. Device manufacturers using affected Exynos chipsets must integrate Samsung's firmware patches into end-user device updates. End users should apply latest security patches from device OEMs (smartphone/wearable manufacturers). No user-side workaround exists as vulnerability resides in baseband firmware. Organizations should monitor device manufacturer security bulletins for deployment timelines. Complete vendor advisory at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/ and general update portal at https://semiconductor.samsung.com/support/quality-support/product-security-updates/. EPSS indicates low observed exploitation activity.