Multiple vulnerabilities in Samsung Mobile Firmware



Updated: 2024-06-07
Risk: Critical
Patch available: YES
Number of vulnerabilities: 81
CVE-ID: CVE-2022-48454
CVE-2024-0018
CVE-2024-0015
CVE-2023-21245
CVE-2023-32818
CVE-2022-48456
CVE-2022-48461
CVE-2022-48455
CVE-2022-48459
CVE-2024-0019
CVE-2022-48458
CVE-2022-48457
CVE-2023-45779
CVE-2023-33087
CVE-2023-33053
CVE-2023-33063
CVE-2023-33106
CVE-2023-33107
CVE-2024-0023
CVE-2024-0021
CVE-2023-33079
CVE-2023-32843
CVE-2024-20803
CVE-2024-20804
CVE-2024-20805
CVE-2024-20802
CVE-2024-20806
CVE-2023-5129
CVE-2023-4863
CVE-2023-32845
CVE-2023-32841
CVE-2023-35671
CVE-2023-32846
CVE-2023-32844
CVE-2023-32842
CVE-2023-40120
CVE-2023-21266
CVE-2024-0020
CVE-2024-0017
CVE-2024-0016
CVE-2023-33092
CVE-2023-33097
CVE-2022-40507
CVE-2023-21164
CVE-2023-35690
CVE-2023-21263
CVE-2023-21402
CVE-2023-21401
CVE-2023-21217
CVE-2023-21162
CVE-2023-21163
CVE-2023-21166
CVE-2023-32847
CVE-2023-21218
CVE-2023-21216
CVE-2023-21228
CVE-2023-21227
CVE-2023-21215
CVE-2023-3889
CVE-2023-32804
CVE-2023-4272
CVE-2023-21403
CVE-2023-32848
CVE-2023-33080
CVE-2023-33054
CVE-2023-33088
CVE-2023-33098
CVE-2023-33089
CVE-2023-33081
CVE-2023-33018
CVE-2023-28551
CVE-2023-28550
CVE-2023-33022
CVE-2023-32851
CVE-2023-28586
CVE-2023-28585
CVE-2023-28546
CVE-2023-33017
CVE-2023-21662
CVE-2023-21664
CVE-2023-21652
CVE-2022-22076
CWE-ID: CWE-120
CWE-20
CWE-697
CWE-119
CWE-121
CWE-732
CWE-200
CWE-129
CWE-416
CWE-823
CWE-190
CWE-617
CWE-287
CWE-22
CWE-284
CWE-122
CWE-126
CWE-415
CWE-787
CWE-476
CWE-131
CWE-320
CWE-310
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #13 is available.
Vulnerability #16 is being exploited in the wild.
Vulnerability #17 is being exploited in the wild.
Vulnerability #18 is being exploited in the wild.
Vulnerability #28 is being exploited in the wild.
Public exploit code for vulnerability #31 is available.
Vulnerable software:
Samsung Mobile Firmware
Mobile applications / Mobile firmware & hardware

Vendor: Samsung

Security Bulletin

This security bulletin contains information about 81 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU83759

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48454

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within the wifi service in Android, which can lead to an out-of-bounds write. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU84957

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0018

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Media Codecs component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU84956

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-0015

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Improper input validation

EUVDB-ID: #VU77973

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21245

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Incorrect Comparison

EUVDB-ID: #VU82803

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32818

CWE-ID: CWE-697 - Incorrect Comparison

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to type confusion within vdec. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

EUVDB-ID: #VU83761

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48456

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to an incorrect bounds check within the camera driver in Kernel, which can lead to an out-of-bounds write. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stack-based buffer overflow

EUVDB-ID: #VU83765

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48461

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within the sensor driver in Kernel, which can lead to an out-of-bounds write. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU83760

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48455

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within the wifi service in Android, which can lead to an out-of-bounds write. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Incorrect Permission Assignment for Critical Resource

EUVDB-ID: #VU83764

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48459

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a local application to crash the entire system.

The vulnerability exists due to improper input validation within the TeleService in Android, which can lead to a system crash. A local application can crash the entire system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Information exposure

EUVDB-ID: #VU84959

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0019

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Incorrect Permission Assignment for Critical Resource

EUVDB-ID: #VU83763

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48458

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a local application to crash the entire system.

The vulnerability exists due to improper input validation within the TeleService in Android, which can lead to a system crash. A local application can crash the entire system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Incorrect Permission Assignment for Critical Resource

EUVDB-ID: #VU83762

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48457

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a local application to crash the entire system.

The vulnerability exists due to improper input validation within the TeleService in Android, which can lead to a system crash. A local application can crash the entire system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Input validation error

EUVDB-ID: #VU83848

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-45779

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the System UI in Misc OEM components. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

14) Buffer overflow

EUVDB-ID: #VU83670

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33087

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper Validation of Array Index

EUVDB-ID: #VU83666

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33053

CWE-ID: CWE-129 - Improper Validation of Array Index

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Kernel. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

EUVDB-ID: #VU81473

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-33063

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error during a remote call from HLOS to DSP. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

17) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU81471

Risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-33106

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

18) Integer overflow

EUVDB-ID: #VU81472

Risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-33107

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow while assigning a shared virtual memory region during an IOCTL call. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

19) Improper input validation

EUVDB-ID: #VU84958

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0023

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU84960

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0021

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU83669

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33079

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Reachable Assertion

EUVDB-ID: #VU83815

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32843

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper Authentication

EUVDB-ID: #VU85081

Risk: Medium

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20803

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows an attacker to bypass the authentication process.

The vulnerability exists due to an error in the Bluetooth pairing process. An attacker with physical proximity to the device can establish the pairing process without user interaction.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Path traversal

EUVDB-ID: #VU85080

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20804

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in FileUriConverter of MyFiles. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Path traversal

EUVDB-ID: #VU85079

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20805

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in ZipCompressor of MyFiles. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Improper access control

EUVDB-ID: #VU85078

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20802

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper access restrictions in Samsung DeX. A local application can gain unauthorized access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Improper access control

EUVDB-ID: #VU85077

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20806

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper access restrictions in Notification service. A local application can gain unauthorized access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Heap-based buffer overflow

EUVDB-ID: #VU80637

Risk: Critical

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-5129, CVE-2023-4863

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing WebP images within the libwebp library. A remote attacker can trick the victim into visiting a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system. The vulnerability affects all modern browsers that support WebP image processing.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

29) Reachable Assertion

EUVDB-ID: #VU83817

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32845

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Reachable Assertion

EUVDB-ID: #VU83813

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32841

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Information exposure

EUVDB-ID: #VU80458

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-35671

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

32) Reachable Assertion

EUVDB-ID: #VU83818

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32846

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Reachable Assertion

EUVDB-ID: #VU83816

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32844

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Reachable Assertion

EUVDB-ID: #VU83814

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32842

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to improper error handling within 5G Modem. A local application can perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper input validation

EUVDB-ID: #VU81383

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-40120

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Improper input validation

EUVDB-ID: #VU81381

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21266

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Information exposure

EUVDB-ID: #VU84964

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0020

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Information exposure

EUVDB-ID: #VU84963

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0017

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Information exposure

EUVDB-ID: #VU84962

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0016

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Buffer overflow

EUVDB-ID: #VU83671

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33092

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Bluetooth HOST. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Buffer over-read

EUVDB-ID: #VU83660

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33097

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Double Free

EUVDB-ID: #VU76853

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-40507

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Input validation error

EUVDB-ID: #VU83838

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21164

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Input validation error

EUVDB-ID: #VU83846

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35690

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Input validation error

EUVDB-ID: #VU83281

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21263

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an unspecified vulnerability in the Linux kernel. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Input validation error

EUVDB-ID: #VU83844

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21402

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Input validation error

EUVDB-ID: #VU83280

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21401

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an unspecified vulnerability in the Linux kernel. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Input validation error

EUVDB-ID: #VU83841

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21217

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Input validation error

EUVDB-ID: #VU83836

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21162

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Input validation error

EUVDB-ID: #VU83837

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21163

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Input validation error

EUVDB-ID: #VU83839

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21166

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Out-of-bounds write

EUVDB-ID: #VU83801

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32847

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within audio. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Input validation error

EUVDB-ID: #VU83842

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21218

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) Use-after-free

EUVDB-ID: #VU83282

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21216

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the PowerVR GPU driver. A local user can trigger a use-after-free error and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Input validation error

EUVDB-ID: #VU83843

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21228

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Input validation error

EUVDB-ID: #VU83847

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21227

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Input validation error

EUVDB-ID: #VU83840

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21215

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Use-after-free

EUVDB-ID: #VU83835

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3889

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error caused by improper GPU memory processing operations. A local user can trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Buffer overflow

EUVDB-ID: #VU80048

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32804

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Mali GPU Userspace Driver. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Use-after-free

EUVDB-ID: #VU83834

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4272

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error. A local user can gain access to sensitive kernel data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Input validation error

EUVDB-ID: #VU83845

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21403

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Incorrect Comparison

EUVDB-ID: #VU83802

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32848

CWE-ID: CWE-697 - Incorrect Comparison

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to type confusion within vdec. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Buffer over-read

EUVDB-ID: #VU83656

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33080

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Improper Authentication

EUVDB-ID: #VU83655

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33054

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to improper input validation in GPS HLOS Driver. A remote attacker can read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) NULL Pointer Dereference

EUVDB-ID: #VU83658

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33088

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN Firmware. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Buffer over-read

EUVDB-ID: #VU83661

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33098

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) NULL Pointer Dereference

EUVDB-ID: #VU83659

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33089

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Buffer over-read

EUVDB-ID: #VU83657

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33081

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Integer overflow

EUVDB-ID: #VU83650

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33018

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in User Identity Module. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

70) Memory corruption

EUVDB-ID: #VU83645

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28551

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in UTILS. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

71) Memory corruption

EUVDB-ID: #VU83644

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28550

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in MPP Performance. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

72) Integer overflow

EUVDB-ID: #VU83651

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33022

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Incorrect Calculation of Buffer Size

EUVDB-ID: #VU83804

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32851

CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within decoder. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Memory corruption

EUVDB-ID: #VU83647

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28586

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to improper input validation in TZ Secure OS. A local privileged application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Integer overflow

EUVDB-ID: #VU83646

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28585

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in TZ Secure OS. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Buffer overflow

EUVDB-ID: #VU83643

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28546

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in SPS Applications. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

77) Buffer overflow

EUVDB-ID: #VU83649

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33017

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Boot. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

78) Buffer overflow

EUVDB-ID: #VU80362

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21662

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Core Platform. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

79) Buffer overflow

EUVDB-ID: #VU80363

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21664

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Core Platform. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

80) Key Management Errors

EUVDB-ID: #VU79028

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21652

CWE-ID: CWE-320 - Key Management Errors

Exploit availability: No

Description

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in HLOS. A local application can read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Cryptographic Issues

EUVDB-ID: #VU76858

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22076

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation in Core. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Samsung Mobile Firmware: before SMR-JAN-2024

External links

http://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


