CVE-2025-62818

EUVD-2025-209268 | GHSA-6279-562x-78g7 | 2026-04-07 (mitre)
CRITICAL | CVSS 3.1: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 15:00 (euvd), EUVD-2025-209268
Analysis Generated: Apr 07, 2026 - 15:00 (vuln.today)
CVE Published: Apr 07, 2026 - 00:00 (nvd), CRITICAL 9.8

Description

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet.

Analysis

Out-of-bounds write in Samsung Exynos chipsets (processors 980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, wearables W920/W930/W1000, modems 5123/5300/5400) allows unauthenticated remote attackers to achieve arbitrary code execution via malformed SMS TP-UD packets. Exploitation occurs through TP-UDHI/UDL value mismatch during SMS message parsing, enabling network-level attacks without user interaction. No public exploit identified at time of analysis.

Technical Context

Out-of-bounds write (CWE-787) in the SMS Transfer Protocol User Data (TP-UD) parser. A mismatch between the User Data Header Indicator (TP-UDHI) flag and the User Data Length (UDL) field triggers memory corruption during baseband modem processing. The attack surface is exposed through standard cellular SMS delivery mechanisms and requires no physical device access.
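The consistency check this class of bug depends on, as an added example (not Samsung's firmware code and not part of the original advisory): a validator that reconciles TP-UDHI, UDL and the header length octet before any copy takes place. The field layout follows 3GPP TS 23.040; the function name, status codes and sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TP_UD_MAX_OCTETS 140u  /* TP-UD size limit in 3GPP TS 23.040 */
enum ud_status { UD_OK = 0, UD_BAD_UDL, UD_TRUNCATED, UD_BAD_UDHL, UD_BAD_IE };

/* Validate TP-UD before any copy. udl counts septets when seven_bit is set
 * and octets otherwise. On success *payload_off is the octet offset of the
 * first byte after the user data header (0 when TP-UDHI is clear). */
enum ud_status ud_validate(const uint8_t *ud, size_t avail, uint8_t udl,
                           int udhi, int seven_bit, size_t *payload_off)
{
    size_t octets = seven_bit ? ((size_t)udl * 7u + 7u) / 8u : udl;

    if (octets > TP_UD_MAX_OCTETS) return UD_BAD_UDL;
    if (octets > avail)            return UD_TRUNCATED;
    *payload_off = 0;
    if (!udhi) return UD_OK;

    /* TP-UDHI set: octet 0 is UDHL, so UDL must cover at least that octet. */
    if (octets < 1) return UD_BAD_UDHL;
    size_t hdr = (size_t)ud[0] + 1u;        /* UDHL octet plus header body */
    if (hdr > octets) return UD_BAD_UDHL;   /* header claims more than UDL */
    if (seven_bit && (hdr * 8u + 6u) / 7u > udl) return UD_BAD_UDHL;

    /* Each information element is IEI, IEDL, then IEDL octets of data. */
    for (size_t i = 1; i < hdr; ) {
        if (hdr - i < 2) return UD_BAD_IE;
        size_t iedl = ud[i + 1];
        if (iedl > hdr - i - 2) return UD_BAD_IE;
        i += 2 + iedl;
    }
    *payload_off = hdr;
    return UD_OK;
}

/* Constructed samples: a concatenation header plus "hi", and an IE overrun. */
static const uint8_t sample_concat[] = {0x05, 0x00, 0x03, 0x2A, 0x02, 0x01, 'h', 'i'};
static const uint8_t sample_bad_ie[] = {0x03, 0x00, 0x05, 0x41};

int main(void) {
    size_t off;
    /* UDL of 3 cannot contain a 6-octet header: must be rejected. */
    return ud_validate(sample_concat, sizeof sample_concat, 3, 1, 0, &off) == UD_BAD_UDHL ? 0 : 1;
}
```

Any payload length derived later should be computed from the validated offset (UDL minus header size) only after this function returns UD_OK, so the subtraction cannot underflow.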

Affected Products

Samsung Exynos processors 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110; Wearable processors W920, W930, W1000; Modems 5123, 5300, 5400. All versions affected per vendor disclosure.

Remediation

A vendor-released security update is available through the Samsung Semiconductor product security updates portal. Device manufacturers using affected Exynos chipsets must integrate Samsung's firmware patches into end-user device updates. End users should apply the latest security patches from device OEMs (smartphone/wearable manufacturers). No user-side workaround exists, as the vulnerability resides in baseband firmware. Organizations should monitor device manufacturer security bulletins for deployment timelines. The complete vendor advisory is at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/ and the general update portal is at https://semiconductor.samsung.com/support/quality-support/product-security-updates/. EPSS indicates low observed exploitation activity.

Priority Score

49 (scale: Low, Medium, High, Critical)
KEV: 0 | EPSS: +0.0 | CVSS: +49 | POC: 0
