CVE-2021-25370 — Samsung Mobile Devices Memory Corruption Vulnerability

Samsung DPU Kernel Driver — Use-After-Free via Incorrect File Descriptor Handling Enables Kernel Privilege Escalation; Final Stage of Three-CVE Samsung Chain

What is the Samsung DPU Driver?

The Samsung Galaxy DPU (Display Processing Unit) driver manages the hardware display pipeline — controlling how framebuffers are processed, blended, and output to the display hardware. As a kernel-mode driver that handles file descriptors for display buffers and manages DMA (Direct Memory Access) for display operations, the DPU driver maintains references to kernel objects associated with display resources. Incorrect handling of file descriptors in the DPU driver — specifically failing to properly track object lifetime when file descriptors are closed and reopened — can lead to use-after-free conditions where the driver continues to reference a freed kernel object, providing a controlled kernel memory write primitive exploitable for privilege escalation.

Overview

CVE-2021-25370 is a use-after-free vulnerability (CWE-416) in Samsung Galaxy's DPU (Display Processing Unit) kernel driver caused by incorrect file descriptor handling. The memory corruption results in a kernel panic or, with exploitation, a controlled kernel write primitive. It is the third and final stage of a three-CVE Samsung exploit chain: CVE-2021-25337 (clipboard service file access) → CVE-2021-25369 (Mali GPU sec_log KASLR defeat) → CVE-2021-25370 (DPU UAF kernel escalation to root). All three were patched in Samsung's March 2021 Security Bulletin and added to CISA KEV in November 2022. The conservative CVSS physical attack vector (AV:P) reflects NVD's assessment of the standalone vulnerability; in the full chain, effective exploitation is achievable remotely.

Affected Versions

Product: Samsung Galaxy devices with affected DPU driver (Mali GPU variants)
Vulnerable: Yes
Fixed: Samsung March 2021 Security Bulletin (SMR Mar-2021)

Technical Details

  • Root cause: Use-after-free (CWE-416) via incorrect file descriptor handling in the DPU driver. When a file descriptor associated with a display buffer or DPU resource is closed, the driver fails to invalidate all of its references to the associated kernel object; subsequent operations that reach the freed object through those stale references corrupt kernel memory.
  • Memory corruption outcome: The UAF provides a controlled write into freed kernel heap memory. Combined with the KASLR offset leaked by CVE-2021-25369, the attacker can calculate the target address for the write and overwrite security-critical kernel structures (such as process credentials or security policy data) to escalate from the current privilege level to root.
  • AV:P CVSS note: The Physical attack vector in NVD's CVSS scoring is conservative. In the three-CVE chain, CVE-2021-25337 provides the initial file access (requiring only local code execution) and CVE-2021-25369 provides the KASLR defeat, so the DPU UAF is triggered by local code rather than physical access; the AV:P rating may reflect that exploiting CVE-2021-25370 in isolation, without the other chain components, would be extremely difficult.
  • Kernel panic as exploitation indicator: If exploitation fails, the vulnerability can produce a kernel panic (device crash), an observable artifact that may appear in crash logs on targeted devices.
  • Chain completion: CVE-2021-25370 is the highest-impact component of the chain. Its C:H/I:H/A:H full kernel compromise gives the attacker root access to all device data, persistent installation capability, and surveillance capability including microphone, camera, and location access.
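As an added illustration of the lifetime bug class described in the root-cause bullet above (model code written for this page, not Samsung's DPU driver source; `struct dpu_buf`, the fd table and the DMA address value are constructed stand-ins), the buggy import that merely borrows the fd's reference beside the fixed import that takes its own:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of a display-buffer object reachable via a user fd and via a driver-side cache. */
struct dpu_buf {
    int refcount;          /* live holders: the fd table plus any driver import */
    bool freed;            /* tombstone kept by this model so stale use is detectable */
    unsigned int dma_addr; /* constructed stand-in for the buffer's DMA address */
};

struct fd_table { struct dpu_buf *slots[4]; };

static struct dpu_buf *buf_alloc(unsigned int dma) {
    struct dpu_buf *b = calloc(1, sizeof *b);
    if (b) { b->refcount = 1; b->dma_addr = dma; }  /* the opening fd owns one ref */
    return b;
}
static void buf_get(struct dpu_buf *b) { b->refcount++; }
static void buf_put(struct dpu_buf *b) {
    if (--b->refcount == 0) b->freed = true;  /* a real driver would kfree() here */
}

/* Buggy pattern: the driver caches the pointer without owning a reference. */
struct dpu_buf *import_unsafe(struct fd_table *t, int fd) { return t->slots[fd]; }

/* Fixed pattern: importing takes its own reference, released by the driver later. */
struct dpu_buf *import_safe(struct fd_table *t, int fd) {
    struct dpu_buf *b = t->slots[fd];
    if (b) buf_get(b);
    return b;
}

/* close(fd): the fd table drops only the reference it owns. */
void fd_close(struct fd_table *t, int fd) {
    if (t->slots[fd]) { buf_put(t->slots[fd]); t->slots[fd] = NULL; }
}

/* A later display update through the cached pointer; -1 marks use of a freed object. */
int driver_update(struct dpu_buf *b) {
    return (!b || b->freed) ? -1 : (int)b->dma_addr;
}

/* Open a buffer, let the driver import it, close the fd, then update the display. */
int scenario(bool fixed) {
    struct fd_table t = {0};
    t.slots[0] = buf_alloc(0x1000);
    if (!t.slots[0]) return -2;
    struct dpu_buf *cached = fixed ? import_safe(&t, 0) : import_unsafe(&t, 0);
    fd_close(&t, 0);                  /* user-space closes the descriptor */
    int r = driver_update(cached);    /* driver still uses what it cached */
    if (fixed) buf_put(cached);       /* driver's own release: refcount now reaches 0 */
    free(cached);                     /* model cleanup; the tombstone is no longer needed */
    return r;
}
```

With the buggy import the close of the fd frees the object underneath the driver's cached pointer, which is the condition the advisory describes; with the fixed import the object survives until the driver drops its own reference.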

Discovery

Patched in Samsung's March 2021 Security Bulletin alongside CVE-2021-25337 and CVE-2021-25369. The simultaneous CISA KEV addition of all three CVEs in November 2022 indicates forensic discovery of the complete chain in active surveillance targeting — the DPU UAF as the kernel escalation endpoint confirms the chain was functional and deployed against real Samsung Galaxy targets.

Exploitation Context

DPU driver vulnerabilities are a specialized attack surface within Samsung's custom Android kernel. The DPU driver handles display operations for all Samsung Galaxy screen output and operates at high privilege in kernel space. Commercial mobile surveillance vendors invest in finding kernel UAF vulnerabilities in OEM-specific drivers like the DPU driver because: (1) they are not present in AOSP Android (Samsung-specific), (2) they often receive less security scrutiny than core Android kernel components, and (3) they are accessible from user-space via the display subsystem. The full chain (clipboard + sec_log + DPU UAF) gives an attacker complete Samsung Galaxy device compromise from a zero-click or single-interaction starting point.

Remediation

  1. Apply the Samsung March 2021 Security Bulletin updates. They patch all three chain CVEs at once, and because exploitation requires every component of the chain to be present, fixing them breaks the chain
  2. Verify security patch level is 2021-03-01 or later: Settings → About Phone → Android Security Update
  3. Enable automatic Samsung security updates
  4. For Samsung Knox-enabled enterprise devices: enable Real-time Kernel Protection (RKP) which monitors kernel integrity and can detect kernel UAF exploitation attempts
  5. Review device crash logs (Settings → About Phone → Status, where available) for unexpected kernel panics that may indicate failed exploitation attempts
  6. End-of-life Samsung Galaxy devices that no longer receive security updates remain permanently vulnerable to this chain and should be replaced for high-risk users

Key Details

CVE ID: CVE-2021-25370
Vendor / Product: Samsung — Mobile Devices
NVD Published: 2021-03-26
NVD Last Modified: 2026-01-14
CVSS 3.1 Score: 6.1
CVSS 3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM
CWE: CWE-416
CISA KEV Added: 2022-11-08
CISA KEV Deadline: 2022-11-29
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Physical
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-11-29. Apply updates per vendor instructions.

Timeline

2021-03-01: Samsung March 2021 Security Bulletin patches CVE-2021-25337, CVE-2021-25369, and CVE-2021-25370
2021-03-26: CVE published
2022-11-08: Added to CISA Known Exploited Vulnerabilities catalog
2022-11-29: CISA BOD 22-01 remediation deadline

References

Samsung Mobile Security Update — March 2021 (Vendor Advisory)
NVD — CVE-2021-25370 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)