SB20251008154 - Multiple vulnerabilities in Samsung products
Published: October 8, 2025
Description
This security bulletin contains information about 13 security vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2025-21066)
The vulnerability allows a local attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
2) Out-of-bounds write (CVE-ID: CVE-2025-21067)
The vulnerability allows a local attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
3) Out-of-bounds write (CVE-ID: CVE-2025-21068)
The vulnerability allows a local attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
4) Out-of-bounds write (CVE-ID: CVE-2025-21069)
The vulnerability allows a local attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
5) Out-of-bounds write (CVE-ID: CVE-2025-21070)
The vulnerability allows a local attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
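The five out-of-bounds write entries above all describe the same defect class: a length taken from untrusted input drives a copy into a fixed-size buffer without being checked against that buffer's capacity or against the bytes actually received. The C example below is added here for illustration and is not Samsung's code (the bulletin gives no detail about the affected components); it shows a constructed length-prefixed record parser in its unchecked form beside the bounds-checked form a reviewer would expect. The record layout, buffer size and all function names are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not vendor code: a fixed-size message buffer filled
 * from a length-prefixed record (1 length byte followed by that many payload
 * bytes). The capacity and layout are hypothetical. */
#define MSG_CAPACITY 16

struct message {
    uint8_t payload[MSG_CAPACITY];
    size_t  len;
};

/* Unsafe pattern: the length byte from the untrusted record is used as-is.
 * A record whose length byte exceeds MSG_CAPACITY makes memcpy write past
 * the end of msg->payload (an out-of-bounds write). Kept only for contrast
 * with the checked version below. */
static int parse_unchecked(struct message *msg, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return -1;
    size_t len = rec[0];                 /* attacker-controlled length */
    memcpy(msg->payload, rec + 1, len);  /* no check against capacity or rec_len */
    msg->len = len;
    return 0;
}

/* Hardened pattern: validate the declared length against both the destination
 * capacity (prevents the out-of-bounds write) and the bytes actually present
 * in the record (prevents an out-of-bounds read) before copying anything. */
static int parse_checked(struct message *msg, const uint8_t *rec, size_t rec_len)
{
    if (msg == NULL || rec == NULL || rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > MSG_CAPACITY) return -1;   /* would overflow payload[] */
    if (len > rec_len - 1) return -1;    /* would read past the end of rec */
    memcpy(msg->payload, rec + 1, len);
    msg->len = len;
    return 0;
}

/* Convenience wrapper: returns the accepted payload length, or -1 when the
 * checked parser rejects the record. */
long parse_checked_len(const uint8_t *rec, size_t rec_len)
{
    struct message msg = {{0}, 0};
    if (parse_checked(&msg, rec, rec_len) != 0) return -1;
    return (long)msg.len;
}

/* Constructed sample records. */
const uint8_t sample_good[]      = { 4, 'a', 'b', 'c', 'd' };  /* well-formed */
const uint8_t sample_oversized[] = { 200, 'x', 'y' };          /* claims 200 bytes, carries 2 */
const uint8_t sample_truncated[] = { 5, 'a', 'b' };            /* fits the buffer, but record is short */

int main(void)
{
    struct message m = {{0}, 0};

    /* Both parsers accept a well-formed record. */
    assert(parse_unchecked(&m, sample_good, sizeof sample_good) == 0 && m.len == 4);
    assert(parse_checked(&m, sample_good, sizeof sample_good) == 0 && m.len == 4);

    /* The checked parser rejects records that would overflow or over-read. */
    assert(parse_checked_len(sample_oversized, sizeof sample_oversized) == -1);
    assert(parse_checked_len(sample_truncated, sizeof sample_truncated) == -1);

    /* parse_unchecked(&m, sample_oversized, ...) would copy 200 bytes into a
     * 16-byte buffer, which is exactly the out-of-bounds write class above. */
    return 0;
}
```

The two checks in parse_checked are independent: the capacity check alone still lets a short record over-read the source buffer, and the record-length check alone still lets a long record overflow the destination. A reviewer looking for this defect class asks for both before any memcpy driven by an externally supplied length.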
6) Use of implicit intent for sensitive communication (CVE-ID: CVE-2025-21057)
The vulnerability allows a local attacker to gain access to sensitive information on the system.
The vulnerability exists due to use of implicit intent for sensitive communication. A local attacker can access shared notes.
7) Improper access control (CVE-ID: CVE-2025-21058)
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A local attacker can bypass implemented security restrictions and execute arbitrary code with SystemUI privilege.
8) Improper Authorization (CVE-ID: CVE-2025-21059)
The vulnerability allows a local attacker to bypass authorization checks.
The vulnerability exists due to improper authorization. A local attacker can gain access to data in Samsung Health.
9) Cleartext storage of sensitive information (CVE-ID: CVE-2025-21060)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to cleartext storage of sensitive information. A local attacker can access backup data from applications.
10) Cleartext storage of sensitive information (CVE-ID: CVE-2025-21061)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to cleartext storage of sensitive information. A local attacker can access backup data from applications.
11) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2025-21062)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to use of a broken or risky cryptographic algorithm. A local attacker can replace the restoring application.
12) Improper access control (CVE-ID: CVE-2025-21063)
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and access recording files on the lock screen.
13) Command Injection (CVE-ID: CVE-2025-21065)
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to insufficient input validation. A remote user can pass specially crafted data to the application and execute arbitrary commands.
Remediation
Install the update from the vendor's website.