What is the MFC Charger Driver Race Condition?
Samsung Galaxy devices' MFC (Multi-Function Charger) charger driver manages USB charging and Power Delivery functionality. The driver handles concurrent operations — interrupt handlers responding to hardware events and kernel threads managing charging state — that access shared data structures. When proper synchronization (locking) is absent or insufficient, two concurrent execution paths can simultaneously access the same driver object. This concurrent execution using shared resources without proper synchronization (CWE-362) creates a time-of-check-to-time-of-use (TOCTOU) window where the state assumed by one code path changes before the operation completes, potentially resulting in memory corruption or a use-after-free exploitable for kernel privilege escalation.
Overview
CVE-2021-25395 is a race condition vulnerability (CWE-362) in Samsung Galaxy's MFC charger driver that leads to a use-after-free allowing a kernel write primitive, exploitable after a radio privilege compromise. It is paired with CVE-2021-25394 (CWE-416 UAF via a related race in the same driver), both patched in Samsung's May 2021 Security Bulletin and both added to CISA KEV in June 2023. The race condition in CVE-2021-25395 occurs in the charger driver's concurrent handling of charging events — with sufficient timing control, the race can be won to create a use-after-free primitive providing a kernel memory write. Like CVE-2021-25394, exploitation requires an initial compromise of the radio privilege process (PR:H).
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Samsung Galaxy devices (affected charger driver versions) | Yes | Samsung May 2021 Security Bulletin (SMR May-2021) |
Technical Details
- Root cause: Race condition (CWE-362) in the MFC charger driver — concurrent execution paths in the kernel driver access shared driver state without adequate synchronization; the race condition creates a window where a kernel object's state is inconsistent between two concurrent accesses, potentially leading to a use-after-free or type confusion
- Use-after-free outcome: The race condition results in a UAF similar to CVE-2021-25394 — a freed kernel object is accessed through a stale pointer, providing a controlled kernel heap write primitive
- Prerequisite radio privilege: Like CVE-2021-25394, exploitation requires having compromised a process running with radio/telephony privilege on the Samsung device — indicating this is a step in a multi-stage mobile exploitation chain rather than a standalone attack
- CVE-2021-25394 relationship: CVE-2021-25395 (CWE-362 race condition) and CVE-2021-25394 (CWE-416 UAF resulting from a related race) are in the same driver and patch; they may represent two distinct exploitation paths for similar underlying synchronization weaknesses in the charger driver
- Kernel exploitation outcome: Winning the race condition provides a kernel write primitive — with controlled heap layout (spray), the attacker achieves type confusion and can overwrite security-critical kernel structures to escalate privilege from the radio process to root
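The check/window/use race described above, as an added C model (not the Samsung MFC driver's code): a handler reads a shared device pointer, a detach path frees the object in the window, and the handler then touches the stale pointer; the hardened form pins the object with a reference count so the free is deferred. The names charger_dev, charger_ctx, g_preempt and run_scenario and the constructed values are assumptions.

```c
#include <stddef.h>
/* Constructed model of the CWE-362 pattern described above: an event handler checks a
 * shared pointer, a detach path frees the object inside the window, then the handler
 * uses the stale pointer. Not the MFC driver's code; names are assumptions. */
struct charger_dev {
    int refcount;
    int voltage_mv;
    int freed;    /* instrumentation: 1 where a real driver would have kfree()'d */
};
struct charger_ctx {
    struct charger_dev *active;   /* shared by the IRQ path and the kernel thread */
};
static void (*g_preempt)(struct charger_ctx *);   /* simulated interleaving at the window */
/* Unsynchronized detach: frees while the handler may still be using the object. */
static void charger_detach_unsafe(struct charger_ctx *ctx) {
    struct charger_dev *d = ctx->active;
    ctx->active = NULL;
    d->freed = 1;
}
/* Vulnerable handler: time of check, race window, time of use; nothing pins d. */
static int handle_event_unsafe(struct charger_ctx *ctx) {
    struct charger_dev *d = ctx->active;
    if (!d) return -1;
    if (g_preempt) g_preempt(ctx);          /* detach runs here */
    return d->freed ? -2 : d->voltage_mv;   /* -2 marks a use-after-free */
}
/* Hardened form: a reference count keeps the object alive across the window.
 * In a real driver the pointer load and refcount updates sit under a spinlock. */
static void charger_put(struct charger_dev *d) { if (--d->refcount == 0) d->freed = 1; }
static void charger_detach_safe(struct charger_ctx *ctx) {
    struct charger_dev *d = ctx->active;
    ctx->active = NULL;
    charger_put(d);                         /* free deferred while the handler holds a ref */
}
static int handle_event_safe(struct charger_ctx *ctx) {
    struct charger_dev *d = ctx->active;
    if (!d) return -1;
    d->refcount++;                          /* pin the object before the window */
    if (g_preempt) g_preempt(ctx);
    int v = d->freed ? -2 : d->voltage_mv;
    charger_put(d);
    return v;
}
/* Runs one scenario with detach fired inside the window; returns the handler's result. */
int run_scenario(int hardened) {
    struct charger_dev dev = { 1, 5000, 0 };
    struct charger_ctx ctx = { &dev };
    g_preempt = hardened ? charger_detach_safe : charger_detach_unsafe;
    return hardened ? handle_event_safe(&ctx) : handle_event_unsafe(&ctx);
}
```

The unhardened scenario returns the stale-access marker while the refcounted one returns the live voltage, which is the difference a lock-plus-refcount fix makes in the driver pattern this advisory describes.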
Discovery
Discovered alongside CVE-2021-25394 and patched in Samsung's May 2021 Security Bulletin. Both vulnerabilities share the same MFC charger driver component, the same prerequisite (radio privilege), and the same exploitation outcome (kernel write → root escalation). CISA's June 2023 KEV addition reflects confirmed targeted exploitation of Samsung devices, consistent with mobile surveillance operations.
Exploitation Context
See CVE-2021-25394 for the broader exploitation context of Samsung MFC charger driver vulnerabilities. CVE-2021-25395 and CVE-2021-25394 together represent redundant exploitation paths for the same attack objective — kernel privilege escalation via the charger driver after radio service compromise. Having two vulnerability paths in the same component increases an exploit chain's reliability (if one race condition is won inconsistently, the other may be more reliable under specific device conditions). Both were patched simultaneously and both were added to KEV simultaneously, confirming they were observed in use together.
Remediation
- Apply Samsung May 2021 Security Bulletin updates — patches both CVE-2021-25394 and CVE-2021-25395 in the same update
- Verify security patch level is 2021-05-01 or later: Settings → About Phone → Android Security Update
- Enable automatic Samsung software updates for security patches
- For enterprise mobile management: enforce minimum security patch level via Samsung Knox MDM policies
- Enable Samsung Knox Real-time Kernel Protection (RKP) on supported devices to monitor kernel integrity and detect exploitation attempts
- Replace Galaxy devices that no longer receive Samsung security updates — end-of-life devices remain permanently vulnerable to known kernel vulnerabilities
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-25395 |
| Vendor / Product | Samsung — Mobile Devices |
| NVD Published | 2021-06-11 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 6.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | MEDIUM |
| CWE | CWE-362 |
| CISA KEV Added | 2023-06-29 |
| CISA KEV Deadline | 2023-07-20 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-05-01 | Samsung May 2021 Security Bulletin patches CVE-2021-25394 and CVE-2021-25395 |
| 2021-06-11 | CVE published |
| 2023-06-29 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-07-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Samsung Mobile Security Update — May 2021 | Vendor Advisory |
| NVD — CVE-2021-25395 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |