Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Samsung Exynos NPU Driver Double Free Leading to Privilege Escalation

IdentifiersCVE-2025-23095CWE-415· Double Free

CVE-2025-23095 is a double-free vulnerability in the Samsung Exynos NPU driver affecting Samsung Mobile Processor Exynos 1280, 1380, 1480, 2200, and 2400, including Samsung Galaxy S24+ on Android 14. The flaw is reported in the __prepare_IMB_info function, which allocates an IMB_info object and stores it in session->IMB_info before validating session->IMB_size. If the size check fails, execution follows an error path that frees IMB_info but does not clear the session->IMB_info pointer, leaving a dangling pointer to a freed kernel heap object. During later session teardown, including _undo_s_graph_each_state processing and imb_ion_unmap, the stale pointer is freed again, resulting in a double free in kernel context. Samsung states the issue is exploitable from the untrusted_app SELinux context and can be used for local privilege escalation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker with low privileges to escalate privileges to root. Because the bug is in kernel-space driver code and affects a kernel heap object, exploitation can result in full compromise of confidentiality, integrity, and availability on the affected device. Samsung’s published CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact across all three security objectives.

Mitigation

If you can’t patch tonight, do this now.

Until patched firmware is deployed, mitigation options are limited because the flaw is in a kernel driver reachable from a local application context. Reduce exposure by restricting installation and execution of untrusted applications, enforcing application allowlisting where possible, and maintaining strong mobile device management controls. Because Samsung states exploitation is possible from the untrusted_app SELinux context with no user interaction, there is no reliable end-user behavioral mitigation; patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Apply Samsung’s security update released on June 4, 2025, for CVE-2025-23095 through the Samsung Product Security Update channel. The underlying fix should ensure that after IMB_info is freed on the error path in __prepare_IMB_info, the corresponding session->IMB_info pointer is cleared or otherwise invalidated so it cannot be freed again during teardown. Devices using affected Exynos chipsets should be updated to vendor-provided patched firmware/builds as soon as available.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Samsung ElectronicsExynos 1280 Firmwareoperating_system
Samsung ElectronicsExynos 1380 Firmwareoperating_system
Samsung ElectronicsExynos 1480 Firmwareoperating_system
Samsung ElectronicsExynos 2200 Firmwareoperating_system
Samsung ElectronicsExynos 2400 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-23095
NVD
nvd.nist.gov/vuln/detail/CVE-2025-23095
MITRE CWE · CWE-415
Double Free
Vendor Advisory
semiconductor.samsung.com/support/quality-support/product-security-updates
Vendor Advisory
semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23095