What is the Samsung Mali GPU sec_log?
Samsung Galaxy devices using Mali GPUs (ARM's GPU architecture) include a diagnostic logging interface accessible via the sec_log file in the kernel's GPU subsystem. This log file records GPU driver events and may contain kernel object addresses, memory layout information, or other data useful for debugging. When the sec_log interface is accessible to userspace applications without appropriate privilege controls (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), any local process can read kernel memory addresses — effectively defeating Kernel Address Space Layout Randomization (KASLR) that is designed to prevent attackers from knowing where kernel objects reside in memory.
Overview
CVE-2021-25369 is an improper access control vulnerability (CWE-200) in the Samsung Galaxy Mali GPU's sec_log file that exposes sensitive kernel information to userspace processes. Reading the sec_log leaks kernel object addresses, enabling an attacker to defeat KASLR — a prerequisite for reliable exploitation of kernel memory corruption vulnerabilities. CVE-2021-25369 is the second stage of a three-CVE Samsung exploit chain (following CVE-2021-25337 for file system access and preceding CVE-2021-25370 for kernel memory corruption). All three were patched in Samsung's March 2021 Security Bulletin and added to CISA KEV simultaneously in November 2022.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Samsung Galaxy devices with Mali GPU (affected sec_log versions) | Yes | Samsung March 2021 Security Bulletin (SMR Mar-2021) |
Technical Details
- Root cause: Information exposure (CWE-200) via improper access control on the Mali GPU sec_log interface — the sec_log file or its equivalent diagnostic interface in the Samsung Galaxy GPU driver is accessible to userspace processes that should not have visibility into kernel memory layout; reading the log exposes kernel address pointers, object identifiers, or memory mappings
- KASLR defeat: The kernel addresses obtained from sec_log allow an attacker to calculate the kernel's ASLR offset — the difference between where the kernel is mapped in memory and its compile-time base address; with this offset, a kernel memory corruption exploit (CVE-2021-25370's DPU driver UAF) can calculate where to write and what to overwrite to achieve privilege escalation
- AV:L/PR:N/UI:N: No privileges required and no user interaction — any local code execution (e.g., from an app installed via CVE-2021-25337's file write capability or from another vulnerability) can read the sec_log to extract kernel addresses
- C:H impact: The high confidentiality impact reflects that kernel address information is security-critical — it breaks the randomization defense that protects the kernel, enabling reliable exploitation of kernel memory corruption vulnerabilities that would otherwise crash the device
- Chain position: CVE-2021-25337 (file write) → CVE-2021-25369 (KASLR defeat via sec_log) → CVE-2021-25370 (kernel UAF with known addresses → root escalation); the three CVEs together provide a complete privilege escalation path from an unprivileged app to kernel root
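A release-time check for the failure mode described above, as an added example (not Samsung's code, and not the real sec_log format): it scans diagnostic log text for raw arm64 kernel pointers and masks them before the log is exposed or shared. The sample log lines, the `<kptr>` marker and the address-range heuristic are assumptions.

```python
import re

# Assumption: arm64 kernel virtual addresses have their top 16 bits set,
# which holds for the common 39-bit and 48-bit VA configurations.
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{16})(?![0-9a-fA-F])")
ERR_PTR_FLOOR = 0xFFFFFFFFFFFFF000  # top 4 KiB holds -errno values, not pointers


def is_kernel_pointer(token: str) -> bool:
    """True when a 16-digit hex token falls in the kernel half of the address space."""
    value = int(token, 16)
    return value >> 48 == 0xFFFF and value < ERR_PTR_FLOOR


def find_pointers(text: str):
    """Return (line, column) of every raw kernel pointer; values are not echoed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEX64.finditer(line):
            if is_kernel_pointer(m.group(1)):
                hits.append((lineno, m.start() + 1))
    return hits


def redact(text: str) -> str:
    """Mask raw kernel pointers, leaving every other value untouched."""
    return HEX64.sub(
        lambda m: "<kptr>" if is_kernel_pointer(m.group(1)) else m.group(0), text)


# Constructed sample log (hypothetical format, not real sec_log output).
SAMPLE_LOG = """\
gpu: job submitted ctx=00000000a1b2c3d4 slot=1
gpu: alloc region va=0xffffffc012345678 pages=16
gpu: ioctl returned ffffffffffffffea
gpu: kctx ffffff8009abcdef released
"""

if __name__ == "__main__":
    for lineno, col in find_pointers(SAMPLE_LOG):
        print(f"line {lineno}, column {col}: raw kernel pointer in log output")
    print(redact(SAMPLE_LOG), end="")
```

Lines 1 and 3 of the sample are left alone on purpose: the first value is outside the kernel range and the third is a negative error code.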
Discovery
Patched in Samsung's March 2021 Security Bulletin alongside CVE-2021-25337 and CVE-2021-25370. CISA's simultaneous November 2022 KEV addition of all three CVEs reflects forensic documentation of the complete exploitation chain in targeted surveillance attacks — the three CVEs were used together, so all three were added to KEV at the same time.
Exploitation Context
KASLR bypass vulnerabilities in GPU diagnostic logs are a well-understood class of information disclosure that transforms otherwise-unreliable kernel exploits into reliable ones. CVE-2021-25369's accessibility (no privileges required, no user interaction) makes it particularly useful in exploit chains where the attacker has achieved some code execution but needs kernel address information before proceeding to the memory corruption step. In the Samsung chain, this vulnerability fills the critical role of KASLR defeat that in other exploit chains might require a separate, harder-to-exploit kernel vulnerability. This chain pattern (file access + info leak + UAF) is typical of commercial mobile surveillance tooling deployed against Samsung Galaxy targets.
Remediation
- Apply Samsung March 2021 Security Bulletin updates — patches all three chain CVEs (CVE-2021-25337, CVE-2021-25369, CVE-2021-25370) together
- Verify security patch level is 2021-03-01 or later: Settings → About Phone → Android Security Update
- Enable automatic Samsung security updates
- For enterprise: enforce minimum Samsung security patch level via Knox MDM policies; flag any device below March 2021 SPL for immediate remediation
- For high-risk individuals: verify and update Samsung devices immediately; consider Samsung Knox protections including Real-time Kernel Protection (RKP)
- Devices that no longer receive Samsung security updates (end-of-life models) remain permanently vulnerable to this chain
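One way to apply the patch-level checks above across a fleet, as an added example that is not part of the original advisory or any Samsung tooling: it classifies devices from an inventory export against the 2021-03-01 patch level and fails closed on missing or malformed values. The CSV column names and device rows are constructed; the patch level string is assumed to be the `YYYY-MM-DD` value Android reports in `ro.build.version.security_patch`.

```python
import csv
import io
from datetime import date

# Minimum security patch level carrying the fixes for CVE-2021-25337,
# CVE-2021-25369 and CVE-2021-25370, per the remediation list above.
MIN_SPL = date(2021, 3, 1)


def classify(spl_text: str) -> str:
    """Return 'ok', 'vulnerable' or 'unknown' for a reported patch level."""
    try:
        spl = date.fromisoformat(spl_text.strip())
    except ValueError:
        # Missing or malformed value: fail closed so the device gets reviewed.
        return "unknown"
    return "ok" if spl >= MIN_SPL else "vulnerable"


def audit_fleet(inventory_csv: str):
    """Group device identifiers by compliance state."""
    report = {"ok": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        state = classify(row.get("security_patch") or "")
        report[state].append(row["serial"])
    return report


# Constructed inventory; the column names are hypothetical, not a Knox export format.
SAMPLE_INVENTORY = """\
serial,model,security_patch
DEV-0001,model-a,2021-02-01
DEV-0002,model-a,2021-03-01
DEV-0003,model-b,
DEV-0004,model-c,2020-11-01
DEV-0005,model-b,March 2021
"""

if __name__ == "__main__":
    for state, serials in audit_fleet(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(serials) or '-'}")
```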
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-25369 |
| Vendor / Product | Samsung — Mobile Devices |
| NVD Published | 2021-03-26 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 6.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-200 |
| CISA KEV Added | 2022-11-08 |
| CISA KEV Deadline | 2022-11-29 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-03-01 | Samsung March 2021 Security Bulletin patches CVE-2021-25337, CVE-2021-25369, and CVE-2021-25370 |
| 2021-03-26 | CVE published |
| 2022-11-08 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-11-29 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Samsung Mobile Security Update — March 2021 | Vendor Advisory |
| NVD — CVE-2021-25369 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |