Heap Overwrite Vulnerability in Samsung Mobile Processors
CVE-2024-27374

6.7MEDIUM

Key Information:

Vendor: Samsung
Status: Exynos 980 Firmware
Vendor: CVE Published:; 5 June 2024

What is CVE-2024-27374?

A security vulnerability has been identified in several models of Samsung's Exynos mobile processors, specifically in the function slsi_nan_publish_get_nl_params(). The flaw arises from the absence of input validation checks for hal_req->service_specific_info_len when data is received from userspace. This oversight can potentially lead to a heap overwrite, allowing malicious actors to exploit the vulnerability to compromise the integrity of the system and execute arbitrary code, posing a risk to user data and device functionality.

References

https://semiconductor.samsung.com/support/quality-support...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2024