
Samsung EUVD-2025-209249

CVE-2025-54601 HIGH
Race Condition (CWE-362)
2026-04-06 mitre GHSA-q6xr-vv6x-m5gj
CVSS 3.1: 7.0

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 06, 2026 - 21:00 (euvd), EUVD-2025-209249
Analysis Generated: Apr 06, 2026 - 21:00 (vuln.today)
CVE Published: Apr 06, 2026 - 00:00 (nvd), HIGH 7.0

Description (NVD)

An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads.

Analysis (AI)

Race condition in Samsung Exynos Wi-Fi drivers enables local privilege escalation to kernel execution via double-free memory corruption. Affects 11 mobile and wearable processors (Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000). Local attackers with low privileges can trigger memory corruption by racing ioctl calls across threads, achieving high confidentiality, integrity, and availability impact. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood despite CVSS 7.0 severity. No public exploit identified at time of analysis.

Technical Context (AI)

This vulnerability stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) in the Wi-Fi kernel driver implementation for Samsung Exynos chipsets. The driver improperly manages concurrent access to a global variable when handling ioctl system calls, creating a time-of-check-to-time-of-use (TOCTOU) race window. When multiple threads invoke the vulnerable ioctl function simultaneously, the unsynchronized state can cause the same memory region to be freed twice (double-free condition). Double-free vulnerabilities in kernel space are particularly severe as they corrupt kernel heap metadata, potentially allowing attackers to manipulate memory allocators and achieve arbitrary code execution at ring-0 privilege level. The affected processors span Samsung's mobile (Exynos 980/1080/1280/1330/1380/1480/1580) and wearable (W920/W930/W1000) product lines, plus the cost-optimized 850 chipset, indicating widespread deployment in Android smartphones, tablets, and Galaxy Watch devices.
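The bug class described above, as an added user-space sketch in C (not Samsung's driver code and not taken from the advisory): an unlocked check-then-release on a shared global next to a version that claims the pointer inside one critical section. All names are hypothetical, and releases are counted rather than performed so the flawed path is safe to run.

```c
/* Added illustration: user-space model, not Samsung driver code; all names are hypothetical. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#define CALLERS 8

static char backing[64];                 /* stands in for the heap object */
static void *_Atomic g_buf;              /* shared global, as in the description */
static atomic_int g_releases;            /* releases are counted, never really freed */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

static void model_free(void *p) { (void)p; atomic_fetch_add(&g_releases, 1); }

/* Flawed: the check and the clear are separate steps with no lock around them. */
static void *release_unsynchronized(void *arg) {
    void *p = atomic_load(&g_buf);       /* check */
    if (p != NULL) {
        sched_yield();                   /* other callers can pass the same check here */
        model_free(p);                   /* kernel code would call kfree() here */
        atomic_store(&g_buf, NULL);      /* clear arrives too late */
    }
    (void)arg; return NULL;
}

/* Hardened: take ownership and clear the global inside one critical section. */
static void *release_locked(void *arg) {
    pthread_mutex_lock(&g_lock);
    void *p = atomic_load(&g_buf);
    atomic_store(&g_buf, NULL);
    pthread_mutex_unlock(&g_lock);
    if (p != NULL) model_free(p);        /* only one caller ever sees non-NULL */
    (void)arg; return NULL;
}

/* Runs CALLERS concurrent handlers against one object; returns how many released it. */
static int count_releases(void *(*handler)(void *)) {
    pthread_t t[CALLERS];
    atomic_store(&g_buf, (void *)backing);
    atomic_store(&g_releases, 0);
    for (int i = 0; i < CALLERS; i++) pthread_create(&t[i], NULL, handler, NULL);
    for (int i = 0; i < CALLERS; i++) pthread_join(t[i], NULL);
    return atomic_load(&g_releases);
}

int main(void) {
    printf("unsynchronized: %d release(s)\n", count_releases(release_unsynchronized));
    printf("locked:         %d release(s)\n", count_releases(release_locked));
    return 0;
}
```

The unsynchronized count varies between runs and can exceed one, which in a real allocator is the double free; the locked variant always reports exactly one.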

Remediation (AI)

Samsung has acknowledged the vulnerability through their semiconductor security portal and published advisory documentation at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/. Device manufacturers (OEMs) using affected Exynos chipsets should monitor Samsung's security bulletin for firmware updates containing synchronized ioctl handling in the Wi-Fi driver. End users should apply security patches distributed through Android security updates as they become available from device manufacturers. Organizations managing Samsung-powered mobile fleets should prioritize patching for devices with elevated exposure to untrusted applications or physical access scenarios. No workarounds were identified in available advisories. Until patches deploy, defense-in-depth measures include restricting installation of untrusted applications via mobile device management policies and enabling Android's verified boot to detect kernel tampering attempts.
