(CVE-2025-23100) Samsung Exynos NPU Driver Null Pointer Dereference Leading to Denial of Service
CVE: CVE-2025-23100
Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:16/BP2A.250605.031.A3/S926BXXU9CYI5:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400
CVSS3.1: 5.5 (Medium) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
| Product | Samsung Exynos NPU Driver |
|---|---|
| Vendor | Samsung |
| Severity | Medium — a local attacker within untrusted_app SELinux context may exploit this to cause denial of service |
| Affected Versions | Samsung Galaxy S24+ (Android 16); Exynos 1280, 2200, 1380, 1480, 2400 |
| Tested Versions | Samsung Galaxy S24+ (S926BXXU9CYI5) |
| CVE Identifier | CVE-2025-23100 |
| CVE Description | The absence of a null check in the Samsung Exynos NPU driver leads to a denial of service |
| CWE Classification(s) | CWE-476: NULL Pointer Dereference |
CVSS3.1 Scoring System
Base Score: 5.5 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | None |
| Availability (A) | High |
Product Background
The Samsung Galaxy S24+ features a Neural Processing Unit (NPU) integrated into either the Snapdragon 8 Gen 3 or Exynos 2400 chipset depending on the market. The NPU accelerates on-device AI workloads including camera processing, real-time translation, and generative photo editing. The NPU kernel driver is a privileged component that manages session state, memory allocation, and inference buffer management on behalf of userspace applications.
Technical Details
In __prepare_IMB_info, the IMB_info pointer it receives is stored in session->IMB_info (and IMB_mem_buf in session->IMB_mem_buf). If session->IMB_size is larger than NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM, the function jumps to p_err and returns an error to __config_session_info, leaving those session pointers in place:

```c
int __config_session_info(struct npu_session *session)
{
    IMB_mem_buf = kcalloc(1, sizeof(struct npu_memory_buffer), GFP_KERNEL);
    ...
    ret = __prepare_IMB_info(session, &IMB_av, IMB_mem_buf);
    ...
}

int __prepare_IMB_info(struct npu_session *session, struct addr_info **IMB_av, struct npu_memory_buffer *IMB_mem_buf)
{
    ...
    session->IMB_mem_buf = IMB_mem_buf;
    if (session->IMB_size > (NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)) {
        ...
        goto p_err;
    }
p_err:
    ...
    return ret;
}
```
On that error path, __config_session_info frees the buffer for the first time at [1], but the copy of the pointer still held by the session is not set to NULL:

```c
int __config_session_info(struct npu_session *session)
{
    //...
    IMB_av = kcalloc(session->IMB_cnt, sizeof(struct addr_info), GFP_KERNEL);
    // ...
    ret = __prepare_IMB_info(session, IMB_av, IMB_mem_buf);
    if (unlikely(ret)) {
        npu_uerr("IMB: fail(%d) in __prepare_IMB_info\n", session, ret);
        goto p_err;
    }
p_err:
    ...
    if (likely(IMB_av))
        kfree(IMB_av); // [1]
    return ret;
}
```
Later, _undo_s_graph_each_state reads the stale session->IMB_info pointer and frees the same buffer a second time:

```c
int _undo_s_graph_each_state(struct npu_session *session)
{
    ...
imb_ion_unmap:
    addr_info = session->IMB_info;
    session->IMB_info = NULL;
    if (likely(addr_info))
        kfree(addr_info);
    __release_imb_mem_buf(session);
    ...
}
```
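To make the ownership mistake concrete, here is an added example written for this advisory; it is not code from Samsung's driver. It models the three functions above in plain user-space C: a session struct that keeps a copy of the caller's address-info pointer, a prepare step that fails its size check without clearing that copy, the caller's error-path free at [1], and the later cleanup that frees session->IMB_info again. The `struct session`, the size limits, and the instrumented `tracked_free()` are constructed for the example so the double free can be counted rather than crashing the process; the `fixed` flag shows the hardened behaviour of dropping the session's copy before the caller frees the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM. */
#define IMB_CHUNK_SIZE    (1024u * 1024u)
#define IMB_CHUNK_MAX_NUM 16u
#define IMB_LIMIT         ((size_t)IMB_CHUNK_SIZE * IMB_CHUNK_MAX_NUM)

struct addr_info { unsigned long addr; size_t size; };

/* Hypothetical session carrying only the fields the advisory mentions. */
struct session {
    size_t imb_size;
    size_t imb_cnt;
    struct addr_info *imb_info;   /* same pointer as the caller's local IMB_av */
};

/* Instrumented free(): records every pointer it is given so a scenario can
 * count releases of one block instead of corrupting the heap. The memory is
 * really released only on the first call for a given pointer. */
#define FREE_LOG_MAX 32
static const void *free_log[FREE_LOG_MAX];
static int free_log_len;

static int times_freed(const void *p) {
    int n = 0;
    for (int i = 0; i < free_log_len; i++)
        if (free_log[i] == p)
            n++;
    return n;
}

static void tracked_free(void *p) {
    if (!p || free_log_len == FREE_LOG_MAX)
        return;
    if (times_freed(p) == 0)
        free(p);
    free_log[free_log_len++] = p;
}

/* Models __prepare_IMB_info: the caller's array pointer is stored in the
 * session before the size check, and a failed check returns with it in place.
 * With fixed == true the session's copy is dropped before returning the error. */
static int prepare_imb_info(struct session *s, struct addr_info *av, bool fixed) {
    s->imb_info = av;
    if (s->imb_size > IMB_LIMIT) {
        if (fixed)
            s->imb_info = NULL;
        return -1;
    }
    return 0;
}

/* Models the error path of __config_session_info: the local buffer is freed
 * at [1], but nothing here touches session->IMB_info. */
static int config_session_info(struct session *s, bool fixed) {
    struct addr_info *av = calloc(s->imb_cnt, sizeof *av);
    if (!av)
        return -1;
    int ret = prepare_imb_info(s, av, fixed);
    if (ret)
        tracked_free(av);         /* [1] */
    return ret;
}

/* Models _undo_s_graph_each_state: releases whatever session->IMB_info holds. */
static void undo_s_graph_each_state(struct session *s) {
    struct addr_info *ai = s->imb_info;
    s->imb_info = NULL;
    tracked_free(ai);
}

/* Runs configure-then-undo for one session and returns how many times the
 * single address-info block was passed to free(): 2 is the double free. */
int frees_of_imb_block(size_t imb_size, bool fixed) {
    free_log_len = 0;
    struct session s = { .imb_size = imb_size, .imb_cnt = 4, .imb_info = NULL };
    (void)config_session_info(&s, fixed);
    undo_s_graph_each_state(&s);
    return free_log_len;
}

int main(void) {
    printf("oversized IMB, vulnerable: %d free(s)\n", frees_of_imb_block(IMB_LIMIT + 1, false));
    printf("oversized IMB, fixed:      %d free(s)\n", frees_of_imb_block(IMB_LIMIT + 1, true));
    printf("in-range IMB:              %d free(s)\n", frees_of_imb_block(IMB_LIMIT, false));
    return 0;
}
```

The general lesson is that a pointer with two owners (the caller's local and the session field) must be reconciled on every exit path, not only on success; in a real kernel build the same sequence is what KASAN reports as a double free in the slab allocator, which is the signal to look for when triaging crashes in drivers that follow this store-then-validate pattern.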
Credit
Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan and Pan Zhenpeng of STAR Labs SG Pte. Ltd.
Timeline
- 2024-12-08 — Reported to Samsung
- 2025-06-01 — CVE-2025-23100 assigned and published; patch released via Samsung Product Security Update