High

Out-of-Bounds Write in Samsung Exynos NPU Driver

IdentifiersCVE-2025-23107CWE-787· Out-of-bounds Write

CVE-2025-23107 is a high-severity out-of-bounds write vulnerability in the Samsung Exynos NPU driver affecting Exynos 1480 and Exynos 2400 platforms. The flaw is caused by a missing length check in the fill_vs4l_buffer function. That function copies reserved buffer metadata from the kernel-side queue_list back into a user-supplied vs4l_container_list structure, but iterates using kernel-side counts without verifying that the destination user-supplied container arrays are large enough. As a result, if c->count is smaller than queue_list->count, or if c->containers[i].count is smaller than queue_list->containers[i].count, the function can write past the end of the supplied buffer. The issue is reachable from the untrusted_app SELinux context and was demonstrated on Samsung Galaxy S24+ devices running Android 14, enabling local privilege escalation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local attacker, including a malicious third-party Android application running with low privileges, to corrupt memory via out-of-bounds writes in the NPU driver. According to the provided context, this can lead to arbitrary writes into adjacent kernel memory and result in local privilege escalation. The CVSS 3.1 vector provided is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating potential high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

Until patched firmware is deployed, reduce exposure by preventing installation of untrusted third-party applications, especially on affected Samsung devices and Exynos 1480/2400 platforms. Enterprise controls such as application allow-listing, MDM-enforced installation restrictions, and rapid deployment of Samsung security updates can reduce risk. No specific vendor mitigation beyond patching was provided in the supplied content.

Remediation

Patch, then assume compromise.

Samsung released a patch for CVE-2025-23107 through a Samsung Product Security Update on 2025-06-01. Remediation is to apply Samsung's security update that corrects the missing length validation in the affected NPU driver code path, specifically ensuring proper bounds checking in fill_vs4l_buffer before copying kernel-side metadata into user-controlled structures.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Samsung ElectronicsExynos 1480 Firmwareoperating_system

Samsung ElectronicsExynos 2400 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

starlabs sgNews

Jun 1, 2025

(CVE-2025-23107) Samsung Exynos NPU Driver Out-of-Bounds Write via Undersized User Buffer | STAR Labs

A high-severity local privilege escalation vulnerability in the Samsung Exynos NPU driver caused by a missing length check that leads to an out-of-bounds write via an undersized user buffer.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-23107

NVD

nvd.nist.gov/vuln/detail/CVE-2025-23107

MITRE CWE · CWE-787

Out-of-bounds Write

Vendor Advisory

semiconductor.samsung.com/support/quality-support/product-security-updates

Vendor Advisory

semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23107