Multiple vulnerabilities in Samsung Mobile Firmware

1) Improper input validation

EUVDB-ID: #VU76957

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21121

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU76945

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21126

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU76946

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21128

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU76947

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21129

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU76948

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21131

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU76949

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21139

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information exposure

EUVDB-ID: #VU76950

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21105

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU76951

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21136

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU76952

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21137

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU76953

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21143

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU76956

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21115

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU76958

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21122

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

EUVDB-ID: #VU75873

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47488

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local application to damange or delete data.

The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the spipe drive in Kernel. A local application can damange or delete data.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper input validation

EUVDB-ID: #VU76959

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21123

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU76960

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21124

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper input validation

EUVDB-ID: #VU76961

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21135

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU76962

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21138

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Information exposure

EUVDB-ID: #VU76963

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21095

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Information exposure

EUVDB-ID: #VU76964

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21141

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Information exposure

EUVDB-ID: #VU76965

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21142

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improper input validation

EUVDB-ID: #VU76966

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21144

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improper Privilege Management

EUVDB-ID: #VU76975

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21513

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

The vulnerability allows an attacker to escalate privileges on the device.

The vulnerability exists due to improper privilege management in CC Mode. An attacker with physical access to device can escalate privileges.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Out-of-bounds write

EUVDB-ID: #VU76976

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21517

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

The vulnerability allows an attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in Exynos baseband. A remote attacker with physical proximity to device can trigger an out-of-bounds write and execute arbitrary code on the target device.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Improper access control

EUVDB-ID: #VU76977

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21512

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a malicious application to gain access to sensitive information.

The vulnerability exists due to improper Knox ID validation logic in notification framework. A malicious application can read work profile notifications without proper access permission.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free

EUVDB-ID: #VU71482

Risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-0266

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the snd_ctl_elem_read() function in the Linux kernel sound subsystem. A local user can trigger a use-after-free error and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

26) Stack-based buffer overflow

EUVDB-ID: #VU75871

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47486

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

The vulnerability allows a local privileged application to compromise the affected device.

The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Improper input validation

EUVDB-ID: #VU76944

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21127

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper input validation

EUVDB-ID: #VU75748

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20698

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Improper input validation

EUVDB-ID: #VU76954

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21108

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper input validation

EUVDB-ID: #VU76955

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21130

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Buffer overflow

EUVDB-ID: #VU76227

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26085

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Arm NNAPI driver. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Out-of-bounds read

EUVDB-ID: #VU74393

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-46396

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A local application can trigger an out-of-bounds read error and read contents of memory on the system.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Use-after-free

EUVDB-ID: #VU74387

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-46891

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Use-after-free

EUVDB-ID: #VU74388

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-46395

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Use-after-free

EUVDB-ID: #VU74389

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-46394

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Buffer overflow

EUVDB-ID: #VU76226

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0877

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in PowerVR-GPU. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Security features bypass

EUVDB-ID: #VU76224

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21102

CWE-ID: CWE-254 - Security Features

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists die to a logic error within the __efi_rt_asm_wrapper() function in efi-rt-wrapper.S. A local application can bypass the shadow stack protection and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Double Free

EUVDB-ID: #VU76225

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21106

CWE-ID: CWE-415 - Double Free

Exploit availability: No

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error within the adreno_set_param() function in adreno_gpu.c. A local application can trigger a double free error and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Improper input validation

EUVDB-ID: #VU75747

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20697

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Improper Access Control

EUVDB-ID: #VU75743

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20726

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a missing permission check within mnld. A local application can gain access to sensitive information.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Stack-based buffer overflow

EUVDB-ID: #VU75870

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47470

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

The vulnerability allows a local privileged application to compromise the affected device.

The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Improper input validation

EUVDB-ID: #VU75744

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20694

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Improper input validation

EUVDB-ID: #VU75745

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20695

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Improper input validation

EUVDB-ID: #VU75746

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20696

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Type conversion

EUVDB-ID: #VU75621

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21665

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Memory leak

EUVDB-ID: #VU75622

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21666

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Reachable Assertion

EUVDB-ID: #VU75618

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-40508

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Reachable Assertion

EUVDB-ID: #VU75616

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-40504

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Reachable Assertion

EUVDB-ID: #VU75615

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34144

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) NULL Pointer Dereference

EUVDB-ID: #VU75614

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33305

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Buffer overflow

EUVDB-ID: #VU75872

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47487

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the thermal service in Android. A remote attacker can trick the victim to open a specially crafted file and read and manipulate data.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Out-of-bounds write

EUVDB-ID: #VU75869

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47469

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

The vulnerability allows a local privileged application to compromise the affected device.

The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.

Install update from vendor's website.

Samsung Mobile Firmware: before SMR-JUN-2023

http://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=06

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.