CVE-2021-25394 — Samsung Mobile Devices Race Condition Vulnerability


Samsung MFC Charger Driver — Race Condition Use-After-Free Enables Kernel Write Primitive After Radio Privilege Compromise; Part of Samsung May 2021 Security Bulletin

What is Samsung's MFC Charger Driver?

Samsung Galaxy devices ship with a Samsung-specific Linux kernel whose charger/battery subsystem includes the MFC charger driver. Samsung's advisory identifies the component only by that name and does not describe its internals; what matters for this CVE is that the driver runs in kernel space and reacts to hardware events (charger attach and detach, charging-state changes) while also serving control requests from privileged userspace. Those are concurrent code paths: interrupt and work handlers on one side, ioctl or sysfs handlers on the other. If one path frees a driver object while another still holds a pointer to it, the later access through the stale pointer is a use-after-free; when that access is a store, it becomes a kernel write primitive. The "radio privilege" precondition means the driver's interface is reachable only from a process holding Android's radio privilege (the user/group under which the telephony and RIL processes run), so an attacker must first compromise such a process, which places this bug at a later stage of a multi-step exploit chain.

Overview

CVE-2021-25394 is a race condition in the MFC charger driver of Samsung Galaxy kernels that results in a use-after-free (CWE-416). A window between two concurrent driver paths lets a kernel object be freed while a pointer to it is still in use, and the access through the stale pointer yields a kernel memory write primitive. The CVSS 3.1 vector is AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (6.4, Medium): local access, a timing-dependent race (AC:H), and a process that already holds the radio privilege (PR:H). Samsung patched it in SMR MAY-2021 Release 1 together with CVE-2021-25395, a second race condition (CWE-362) in the same driver. Both entered the CISA KEV catalog on 2023-06-29. KEV inclusion requires evidence of active exploitation; the catalog entry does not identify the actor, and the surveillance-chain reading below is an inference from the bug's profile rather than a published attribution.

Affected Versions

Product                                    Vulnerable   Fixed
Samsung Galaxy devices (affected kernels)  Yes          SMR MAY-2021 Release 1 (Samsung May 2021 Security Bulletin)

Technical Details

  • Root cause: a race condition in the MFC charger driver leads to a use-after-free (CWE-416). Two driver paths (for example an interrupt or work handler and an ioctl/sysfs handler) touch the same object without adequate synchronization, so one path can free the object while the other still holds a pointer to it; the later access through that stale pointer reads or writes memory that now belongs to whatever the allocator has placed in the slot.
  • Prerequisite, radio privilege (PR:H): the attacker must already control a process holding Android's radio privilege (the user/group of the telephony and RIL processes), which is what can reach the driver's interface. That prerequisite places CVE-2021-25394 at a second or later stage of a chain rather than at initial access.
  • Kernel write primitive: if the write through the stale pointer happens after the freed slot has been reallocated, the attacker controls what sits there. By spraying objects of the same slab size into the freed slot, the driver's store lands at a chosen offset inside an attacker-selected kernel object, which is the usual starting point for overwriting credentials or other security-relevant structures and escalating from the radio process to root.
  • AC:H timing dependency: the race window is small, so the exploit must widen it or hit it repeatedly. Generic techniques include pinning the two contending threads to different CPUs, raising their scheduler priority, keeping the target slab cache in a known state, and looping the trigger until the overlap occurs. This takes more engineering than a deterministic memory-corruption bug but is routine for mature exploit developers.
  • Exploit chain role (an inference from the bug's profile, not a published attribution): CVE-2021-25394 and CVE-2021-25395 fit a mobile compromise chain of the form (1) initial app or browser exploit, (2) compromise of a radio-privileged process, (3) CVE-2021-25394/25395 kernel UAF, (4) root, then persistent surveillance tooling.
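The following is an added example, not Samsung's driver code and not the actual CVE-2021-25394 bug: a deterministic, single-threaded model of the race pattern described above. It uses a toy slab allocator with a LIFO freelist so that the first same-size allocation after a free reuses the freed slot, which is the behaviour a heap spray relies on with the kernel's SLUB allocator. All names (charger_ctx, charger_dev, spray_obj, race_vulnerable, race_fixed, ctx_get, ctx_put) are hypothetical. race_vulnerable walks the interleaving in which the control path caches a pointer, the detach path frees the object, the attacker's spray object lands in the slot, and the cached pointer is then written through, so a store meant for a charger flag corrupts an unrelated object. race_fixed shows the refcount pattern that keeps the object alive across the use.

```c
/* Added example, not Samsung code: a deterministic model of a
 * use-after-free race in a charger-style kernel driver, and the
 * refcounted fix. All names below are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Toy slab cache with a LIFO freelist: the first allocation after a free
 * reuses the freed slot, which is what an attacker's heap spray relies on
 * with the kernel's SLUB allocator. */
#define SLOT_SIZE 32
#define NSLOTS 4
static unsigned char slab[NSLOTS][SLOT_SIZE];
static int freelist[NSLOTS];
static int nfree;

static void slab_init(void)
{
    memset(slab, 0, sizeof slab);
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        freelist[nfree++] = i;          /* slot 0 ends up on top of the freelist */
}

static void *slab_alloc(void)
{
    return nfree ? slab[freelist[--nfree]] : NULL;
}

static void slab_free(void *p)
{
    int idx = (int)(((unsigned char *)p - slab[0]) / SLOT_SIZE);
    memset(p, 0, SLOT_SIZE);            /* the freed slot is reusable immediately */
    freelist[nfree++] = idx;
}

/* Driver state: a per-device pointer to a context object. */
struct charger_ctx { int refcnt; int online; };
struct charger_dev { struct charger_ctx *ctx; };

/* Unrelated object of the same slab size that the attacker sprays.
 * Its 'flags' field sits at the same offset as charger_ctx.online. */
struct spray_obj { int id; int flags; };

/* Vulnerable interleaving: thread A (ioctl path, reachable from a process
 * with radio privilege) loads the pointer, thread B (detach path) frees the
 * object, the spray fills the slot, and A's deferred store lands in the
 * spray object. Returns the value that ended up in spray_obj.flags. */
static int race_vulnerable(int attacker_value)
{
    struct charger_dev dev;
    slab_init();
    dev.ctx = slab_alloc();
    dev.ctx->refcnt = 1;
    dev.ctx->online = 0;

    struct charger_ctx *stale = dev.ctx;        /* A: pointer loaded, then preempted */

    dev.ctx = NULL;                             /* B: detach frees the context */
    slab_free(stale);

    struct spray_obj *victim = slab_alloc();    /* attacker: same-size object reuses the slot */
    victim->id = 42;
    victim->flags = 0;

    stale->online = attacker_value;             /* A resumes: write through the stale pointer */

    return victim->flags;                       /* nonzero: the write hit an unrelated object */
}

/* Fix: take a reference for the duration of the use. In a real driver the
 * load and increment in ctx_get() run under the device's spinlock or mutex,
 * so detach cannot free the object between the two. */
static struct charger_ctx *ctx_get(struct charger_dev *dev)
{
    struct charger_ctx *c = dev->ctx;
    if (c)
        c->refcnt++;
    return c;
}

static void ctx_put(struct charger_ctx *c)
{
    if (c && --c->refcnt == 0)
        slab_free(c);                           /* the last user frees, whoever that is */
}

static int race_fixed(int attacker_value)
{
    struct charger_dev dev;
    slab_init();
    dev.ctx = slab_alloc();
    dev.ctx->refcnt = 1;
    dev.ctx->online = 0;

    struct charger_ctx *held = ctx_get(&dev);   /* A: refcnt 1 -> 2 */

    struct charger_ctx *old = dev.ctx;          /* B: detach drops the device's reference */
    dev.ctx = NULL;
    ctx_put(old);                               /* refcnt 2 -> 1, object stays alive */

    struct spray_obj *victim = slab_alloc();    /* attacker gets a different slot */
    victim->id = 42;
    victim->flags = 0;

    held->online = attacker_value;              /* A: store hits the still-live context */
    int corrupted = victim->flags;
    ctx_put(held);                              /* refcnt 1 -> 0, freed only now */
    return corrupted;
}

int main(void)
{
    printf("vulnerable: spray_obj.flags = 0x%x\n", race_vulnerable(0x41));
    printf("fixed:      spray_obj.flags = 0x%x\n", race_fixed(0x41));
    return 0;
}
```

The model makes the interleaving explicit instead of depending on thread timing, which is exactly what a real exploit has to arrange (the AC:H in the vector): the store through the stale pointer is only useful once the attacker's object occupies the slot. The fix does not change the write itself; it changes ownership so the object cannot be freed while a path still uses it, which removes the window regardless of timing.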

Discovery

Samsung fixed CVE-2021-25394 in the May 2021 Security Maintenance Release (SMR MAY-2021 Release 1). CISA added it to the KEV catalog on 2023-06-29, about two years after the patch. KEV inclusion means CISA has reliable evidence of active exploitation; the catalog entry does not say who exploited it or against whom. The pattern (a Samsung-specific kernel LPE, high complexity, added to KEV alongside its sibling CVE-2021-25395 long after patching) matches how commercial surveillance vendors use n-day kernel bugs against unpatched devices of government officials, journalists, or activists, but that is an inference, not something the catalog states.

Exploitation Context

A Samsung-specific kernel driver bug with this profile (local, high complexity, high privilege needed, full kernel compromise) has little use for opportunistic attackers and is mainly valuable as the privilege-escalation stage of a targeted chain. CVE-2021-25395 was patched in the same bulletin and added to KEV on the same day, which suggests the two were found and used together. Samsung Galaxy devices are widely deployed in enterprise and government fleets, so a kernel LPE in a Samsung-only driver is attractive to actors targeting those populations; the KEV addition indicates intelligence or forensic evidence of exploitation, though the catalog entry itself names no campaign.

Remediation

  1. Apply the Samsung May 2021 Security Bulletin (SMR MAY-2021 Release 1) or a later security maintenance release to all affected Galaxy devices.
  2. Verify the patch level: Settings → About phone → Software information → Android security patch level should read 2021-05-01 or later. Over ADB the same value is exposed as the system property ro.build.version.security_patch (adb shell getprop ro.build.version.security_patch).
  3. Enable automatic security updates: Settings → Software update → turn on automatic download and install.
  4. For managed fleets, enforce a minimum security patch level through Samsung Knox or another Android Enterprise MDM compliance policy, and block non-compliant devices from corporate resources.
  5. For high-risk individuals (government officials, journalists, activists), keep devices at the current patch level and retire models that no longer receive security updates; an unpatched Galaxy device remains exposed to this bug.
  6. Knox Real-time Kernel Protection (RKP), present on Knox-enabled Galaxy devices, protects kernel page tables, kernel code, and credential structures from a kernel write primitive. It raises the cost of turning this UAF into root but does not remove the race, so it is a mitigation, not a substitute for the patch.

Key Details

Property              Value
CVE ID                CVE-2021-25394
Vendor / Product      Samsung — Mobile Devices
NVD Published         2021-06-11
NVD Last Modified     2025-10-30
CVSS 3.1 Score        6.4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              MEDIUM
CWE                   CWE-416
CISA KEV Added        2023-06-29
CISA KEV Deadline     2023-07-20
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2023-07-20. Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Timeline

Date         Event
2021-05-01   Samsung May 2021 Security Bulletin (SMR MAY-2021 Release 1) patches CVE-2021-25394 and CVE-2021-25395 in Galaxy devices
2021-06-11   CVE published in NVD
2023-06-29   Added to the CISA Known Exploited Vulnerabilities catalog, about two years after the patch
2023-07-20   CISA BOD 22-01 remediation deadline

References

Resource                                    Type
Samsung Mobile Security Update — May 2021   Vendor Advisory
NVD — CVE-2021-25394                        Vulnerability Database
CISA KEV Catalog Entry                      US Government