(CVE-2025-23107) Samsung Exynos NPU Driver Out-of-Bounds Write via Undersized User Buffer
CVE: CVE-2025-23107
Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1480, 2400
CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
| Product | Samsung Exynos NPU Driver |
|---|---|
| Vendor | Samsung |
| Severity | High — a local attacker within untrusted_app SELinux context may exploit this to achieve local privilege escalation |
| Affected Versions | Samsung Galaxy S24+ (Android 14); Exynos 1480, 2400 |
| Tested Versions | Samsung Galaxy S24+ (S926BXXS3AXGD) |
| CVE Identifier | CVE-2025-23107 |
| CVE Description | A missing length check in the Samsung Exynos NPU driver leads to out-of-bounds writes, exploitable for local privilege escalation |
| CWE Classification(s) | CWE-787: Out-of-Bounds Write |
CVSS3.1 Scoring System
Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Product Background
The Samsung Galaxy S24+ features a Neural Processing Unit (NPU) integrated into either the Snapdragon 8 Gen 3 or Exynos 2400 chipset depending on the market. The NPU accelerates on-device AI workloads including camera processing, real-time translation, and generative photo editing. The NPU kernel driver manages session state, memory allocation, and queue management on behalf of userspace applications.
Technical Details
In fill_vs4l_buffer, it didn’t check if user provided array of buffer in container is smaller than the actual size of buffer in queue_list.
static void fill_vs4l_buffer(struct npu_queue_list *queue_list, struct vs4l_container_list *c, bool fill)
{
/* sync buffers */
for (i = 0; i < queue_list->count; ++i) {
container = &queue_list->containers[i];
k = container->count;
for (j = 0; j < k; ++j)
c->containers[i].buffers[j].reserved = container->buffers[j].reserved;
}
If c->count is smaller than queue->list->count, or c->containers[i].count is smaller than queue_list->containers[i].count it will leads to ARB write or OOB write.
Credit
Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan and Pan Zhenpeng of STAR Labs SG Pte. Ltd.
Timeline
- 2024-12-08 — Reported to Samsung
- 2025-06-01 — CVE-2025-23107 assigned and published; patch released via Samsung Product Security Update