CVE-2021-25372 — Samsung Mobile Devices Improper Boundary Check Vulnerability

CVE-2021-25372

Samsung DSP Driver — Out-of-Bounds Memory Access in DSP Kernel Driver Enables Code Execution; Paired with CVE-2021-25371 in Samsung March 2021 Security Bulletin

What is the Samsung DSP Driver Boundary Check?

The Samsung DSP (Digital Signal Processor) kernel driver handles memory allocation and management for DSP workloads. When user-space or kernel code submits work to the DSP, the driver allocates memory buffers, validates parameters, and manages the DMA (Direct Memory Access) transfers between the main processor's memory and DSP-accessible memory. Improper boundary checking (CWE-787: Out-of-Bounds Write) in the driver's parameter validation means that attacker-controlled buffer sizes or memory offsets can cause writes beyond the end of allocated buffers into adjacent kernel memory — potentially corrupting kernel data structures, function pointers, or security controls in the kernel's DSP driver subsystem.

Overview

CVE-2021-25372 is an improper boundary check vulnerability (CWE-787: Out-of-Bounds Write) in the Samsung Galaxy DSP kernel driver. Insufficient validation of input parameters allows out-of-bounds memory access, enabling kernel memory corruption. It is paired with CVE-2021-25371 (hidden ELF loading into DSP) in the same driver, both patched in Samsung's March 2021 Security Bulletin. CISA added both to KEV in June 2023, simultaneously with the Samsung MFC charger driver CVEs (CVE-2021-25394/25395), indicating they were documented together as components of targeted Samsung device exploitation chains.

Affected Versions

Product     Samsung Galaxy devices with cdsp DSP driver (affected versions)
Vulnerable  Yes
Fixed       Samsung March 2021 Security Bulletin (SMR Mar-2021)

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in the DSP kernel driver — user-supplied or computed buffer sizes or offset parameters passed to DSP management functions are not validated against their allocated buffer boundaries; writing beyond the allocated buffer corrupts adjacent kernel memory
  • Kernel memory corruption: The out-of-bounds write lands in kernel heap or BSS/data memory adjacent to the DSP driver's allocations; with controlled data content in the write, an attacker can overwrite kernel function pointers, security-sensitive data structures, or credentials structures to achieve privilege escalation
  • Paired with CVE-2021-25371: CVE-2021-25371 (ELF code loading) and CVE-2021-25372 (OOB write) are two distinct exploitation capabilities in the Samsung DSP driver discovered and patched together; they may represent alternative paths to DSP driver compromise (arbitrary code loading vs. memory corruption), increasing an exploit chain's reliability when used together
  • AC:H / AV:P scoring context: Like CVE-2021-25371, the conservative NVD Physical access scoring reflects the difficulty of exploiting the DSP driver in isolation; within a full exploit chain targeting Samsung Galaxy devices, a prior exploitation step can reach the DSP driver interface, making the effective attack complexity lower than the standalone CVSS suggests
  • Full compromise outcome (C:H/I:H/A:H): The out-of-bounds write can result in complete device compromise — arbitrary code execution, full data access, and availability impact — when successfully exploited for kernel privilege escalation
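The boundary-check failure described in the bullets above, as an added C illustration that is not Samsung's driver code: a hypothetical DSP write path with a weak check (offset and size validated separately, the pattern behind CWE-787 bugs of this class) beside the hardened check that validates the whole write range without 32-bit wraparound. The request fields, buffer sizes and function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak check: offset and size are each compared to the allocation on their
 * own, so a write that starts inside the buffer but runs past its end is
 * accepted and corrupts whatever kernel memory follows the allocation. */
static bool weak_in_bounds(uint32_t offset, uint32_t size, size_t len)
{
    return offset < len && size <= len;
}

/* Hardened check: the whole range [offset, offset + size) must lie inside
 * the allocation. The sum is computed in 64 bits so a 32-bit wraparound
 * (offset near UINT32_MAX) cannot yield a small, passing end value. */
static bool safe_in_bounds(uint32_t offset, uint32_t size, size_t len)
{
    uint64_t end = (uint64_t)offset + (uint64_t)size;
    return offset < len && end <= (uint64_t)len;
}

/* Copy src into the driver-owned buffer only after the hardened check.
 * Returns 0 on success, -1 when the request is rejected. */
static int dsp_write(uint8_t *buf, size_t len, uint32_t offset,
                     const uint8_t *src, uint32_t size)
{
    if (!safe_in_bounds(offset, size, len))
        return -1;
    memcpy(buf + offset, src, size);
    return 0;
}

/* Constructed 64-byte driver buffer and payload for the demonstration. */
static uint8_t g_buf[64];
static uint8_t g_payload[64];

static int try_write(uint32_t offset, uint32_t size)
{
    memset(g_payload, 0x41, sizeof g_payload);
    return dsp_write(g_buf, sizeof g_buf, offset, g_payload, size);
}

int main(void)
{
    /* A write at byte 48 of 32 bytes would end at byte 80, past the buffer. */
    printf("48+32 of 64: weak=%d safe=%d\n", weak_in_bounds(48, 32, 64), safe_in_bounds(48, 32, 64));
    printf("in-range rc=%d, overlap rc=%d\n", try_write(16, 32), try_write(48, 32));
    return 0;
}
```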

Discovery

Patched in Samsung's March 2021 Security Bulletin alongside CVE-2021-25371. The simultaneous June 2023 CISA KEV addition with CVE-2021-25371 and Samsung MFC charger driver CVEs (CVE-2021-25394/25395) suggests all four Samsung-specific kernel driver vulnerabilities were observed in active exploitation during the same investigation period — possibly by the same threat actor or commercial surveillance vendor using a comprehensive Samsung Galaxy exploitation toolkit.

Exploitation Context

Samsung-specific DSP driver vulnerabilities represent a high-value but narrow attack surface — they require Samsung Galaxy devices specifically (not generic Android) and knowledge of Samsung's proprietary DSP driver interface. The coexistence of CVE-2021-25372 (OOB write for code execution) and CVE-2021-25371 (ELF loading for coprocessor code execution) in the same driver suggests dedicated reverse engineering of Samsung's DSP subsystem. Together with the MFC charger driver chain (CVE-2021-25394/25395), these represent multiple parallel exploitation paths into Samsung Galaxy kernel space — the pattern of redundant exploitation paths is characteristic of commercial surveillance tooling designed for reliability against specific high-value targets.

Remediation

  1. Apply Samsung March 2021 Security Bulletin updates — patches both CVE-2021-25371 and CVE-2021-25372 simultaneously
  2. Verify security patch level is 2021-03-01 or later: Settings → About Phone → Android Security Update
  3. Enable automatic Samsung security updates
  4. For enterprise: enforce minimum March 2021 security patch level via Samsung Knox MDM for all managed Galaxy devices
  5. Samsung Knox Real-time Kernel Protection (RKP) can detect kernel memory corruption attempts including out-of-bounds writes in kernel drivers
  6. Replace end-of-life Samsung Galaxy devices that no longer receive security updates — unpatched Samsung kernel driver vulnerabilities cannot be remediated without OEM firmware updates

Key Details

Property              Value
CVE ID                CVE-2021-25372
Vendor / Product      Samsung — Mobile Devices
NVD Published         2021-03-26
NVD Last Modified     2026-01-14
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              MEDIUM
CWE                   CWE-787
CISA KEV Added        2023-06-29
CISA KEV Deadline     2023-07-20
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Physical
Attack Complexity     High
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-07-20. Apply updates per vendor instructions, or discontinue use of the product if updates are unavailable.

Timeline

Date        Event
2021-03-01  Samsung March 2021 Security Bulletin patches CVE-2021-25371 and CVE-2021-25372 in DSP driver
2021-03-26  CVE published
2023-06-29  Added to CISA Known Exploited Vulnerabilities catalog — over two years after patch
2023-07-20  CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Samsung Mobile Security Update — March 2021   Vendor Advisory
NVD — CVE-2021-25372                          Vulnerability Database
CISA KEV Catalog Entry                        US Government