What is the Samsung DSP Driver?
Samsung Galaxy devices contain a Digital Signal Processor (DSP) coprocessor managed by the cdsp (Compute DSP) subsystem. The DSP executes machine learning, signal processing, and compute workloads offloaded from the main ARM application processor. The Samsung DSP driver handles the interface between the main processor (running Android) and the DSP firmware — including loading DSP firmware images and libraries. If the DSP driver exposes functionality to load arbitrary ELF (Executable and Linkable Format) libraries into the DSP coprocessor without proper verification or access control (CWE-912: Hidden Functionality), an attacker who reaches the driver can execute arbitrary code on the DSP — a separate processor with different security boundaries than the main ARM processor.
Overview
CVE-2021-25371 is a hidden functionality vulnerability (CWE-912) in the Samsung Galaxy DSP driver that allows an attacker to load arbitrary ELF libraries inside the DSP coprocessor. Loading arbitrary code into the DSP can bypass security checks enforced on the main ARM processor, execute code in a coprocessor with different privilege boundaries, and potentially persist beyond normal OS security controls. It is paired with CVE-2021-25372 (OOB memory access in the same DSP driver) — both were patched in Samsung's March 2021 Security Bulletin. CISA added both to KEV in June 2023 alongside the Samsung MFC charger driver CVEs (CVE-2021-25394/25395), indicating they were part of the same targeted exploitation investigation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Samsung Galaxy devices with cdsp DSP driver (affected versions) | Yes | Samsung March 2021 Security Bulletin (SMR Mar-2021) |
Technical Details
- Root cause: Hidden functionality (CWE-912) in the DSP driver — the driver exposes a mechanism to load and execute ELF library files directly inside the DSP coprocessor; this functionality lacks adequate verification of the ELF content's origin, signature, or authorization, allowing an attacker with access to the driver interface to load malicious DSP code
- DSP security boundary: The DSP operates as a separate execution environment from the main ARM processor with different security policy enforcement; code executing on the DSP may have direct access to hardware accelerators, DMA channels, and memory regions that the main processor's security model does not fully protect or monitor
- Coprocessor persistence: DSP firmware loaded via this mechanism may persist across reboots if written to DSP-accessible persistent storage, or may execute below the visibility of Android security tools that monitor the main ARM processor but not DSP execution
- Paired with CVE-2021-25372: The DSP driver contains both hidden code loading functionality (CVE-2021-25371) and out-of-bounds memory access (CVE-2021-25372) — together they represent two distinct exploitation paths in the same driver, consistent with targeted research into Samsung's DSP subsystem
- AV:P conservative scoring: The Physical access vector in the NVD CVSS may reflect that standalone DSP driver access requires either physical access or significant prior exploitation; in a full exploit chain where the attacker has gained sufficient privilege via other vulnerabilities, DSP code loading becomes achievable remotely
Discovery
Patched in Samsung's March 2021 Security Bulletin alongside CVE-2021-25372. CISA's June 2023 KEV addition (over two years after the patch, simultaneous with CVE-2021-25372, CVE-2021-25394, and CVE-2021-25395) indicates discovery of multiple Samsung-specific exploit chains in the same forensic investigation period — reflecting ongoing targeted exploitation of Samsung Galaxy devices by sophisticated actors.
Exploitation Context
DSP coprocessor vulnerabilities are a sophisticated attack surface for mobile device exploitation. Because DSP execution often falls outside the visibility of Android security monitoring tools (which focus on the ARM application processor), arbitrary DSP code execution can enable stealthy surveillance capabilities — including processing sensor data, accessing audio streams, or maintaining persistence in a coprocessor that survives Android system restarts. The combination of hidden ELF loading (CVE-2021-25371) and OOB memory access (CVE-2021-25372) in the Samsung DSP driver suggests a targeted research effort into Samsung's proprietary hardware subsystems, consistent with commercial surveillance vendor tool development.
Remediation
- Apply Samsung March 2021 Security Bulletin updates — patches CVE-2021-25371 and CVE-2021-25372 together
- Verify security patch level is 2021-03-01 or later: Settings → About Phone → Android Security Update
- Enable automatic Samsung security updates
- For enterprise MDM: enforce minimum Samsung security patch level via Knox MDM; prioritize devices with Qualcomm Snapdragon chipsets (which include cdsp DSP) for update compliance
- Samsung Knox Real-time Kernel Protection (RKP) provides additional monitoring of kernel integrity that can detect exploitation of kernel drivers including DSP-related drivers
- Replace end-of-life Samsung Galaxy devices that no longer receive security updates
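The patch-level check in the list above can be run across a fleet rather than device by device. This added example (not from Samsung or the original advisory) classifies a device inventory export against the 2021-03-01 patch level. It assumes a CSV with hypothetical columns serial, model and security_patch, where security_patch holds the Android security patch level string the device reports (the value of the ro.build.version.security_patch system property); the sample rows are constructed.

```python
import csv
import io
import re
from datetime import date

# Minimum patch level that carries the fix, per the remediation list above.
MIN_PATCH = date(2021, 3, 1)
PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Constructed inventory export: serials, models and values are made up.
SAMPLE_INVENTORY = """serial,model,security_patch
SERIAL-0001,model-a,2021-04-01
SERIAL-0002,model-b,2021-02-01
SERIAL-0003,model-c,2021-03-01
SERIAL-0004,model-d,
SERIAL-0005,model-e,2021-13-01
"""

def parse_patch(value):
    """Return a date for a YYYY-MM-DD patch string, or None if unusable."""
    m = PATCH_RE.match((value or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-formed but impossible date, e.g. month 13
        return None

def classify(inventory_csv, minimum=MIN_PATCH):
    """Bucket device serials as patched, vulnerable or unknown."""
    buckets = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        patch = parse_patch(row.get("security_patch"))
        if patch is None:
            key = "unknown"      # missing or malformed: verify by hand
        elif patch >= minimum:
            key = "patched"
        else:
            key = "vulnerable"
        buckets[key].append(row["serial"])
    return buckets
```

Devices in the unknown bucket should be treated as non-compliant until their patch level is confirmed, since a missing or malformed value often means the device has stopped reporting to management.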
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-25371 |
| Vendor / Product | Samsung — Mobile Devices |
| NVD Published | 2021-03-26 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 6.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | MEDIUM |
| CWE | CWE-912 |
| CISA KEV Added | 2023-06-29 |
| CISA KEV Deadline | 2023-07-20 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-03-01 | Samsung March 2021 Security Bulletin patches CVE-2021-25371 and CVE-2021-25372 in DSP driver |
| 2021-03-26 | CVE published |
| 2023-06-29 | Added to CISA Known Exploited Vulnerabilities catalog — over two years after patch, alongside CVE-2021-25372 and Samsung MFC driver CVEs |
| 2023-07-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Samsung Mobile Security Update — March 2021 | Vendor Advisory |
| NVD — CVE-2021-25371 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |