What is Samsung's Modem Interface Driver?
Samsung Android devices include proprietary modem interface drivers that manage communication between the Android userspace and the baseband modem (the separate processor that handles cellular radio communication). These drivers are kernel-mode components providing privileged access to modem functionality. Because the modem operates at a different security boundary from the Android application layer, vulnerabilities in modem interface drivers can have Scope: Changed impacts — they can affect the modem subsystem or cross security boundaries in ways that standard userspace vulnerabilities cannot. Modem and baseband vulnerabilities are high-value targets for mobile surveillance tooling because they can enable access to calls, SMS, and other cellular-layer data.
Overview
CVE-2021-25487 is an out-of-bounds read vulnerability (CWE-125) in Samsung mobile devices' modem interface driver. The vulnerability exists in the set_skb_priv() function within the modem interface driver, where a lack of boundary checking on a buffer allows an out-of-bounds read that leads to a dereference of an invalid function pointer — enabling code execution. The Scope: Changed (S:C) rating reflects that successful exploitation can affect components beyond the exploiting application's security boundary, including the modem subsystem. CISA added this to KEV in June 2023, nearly two years after the Samsung October 2021 patch, indicating confirmed exploitation in targeted surveillance campaigns.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Samsung devices with October 2021 security patch level or earlier | Yes | October 2021 security patch (SMR-Oct-2021) |
Technical Details
- Root cause: Out-of-bounds read (CWE-125). The set_skb_priv() function in Samsung's modem interface kernel driver does not perform adequate boundary checking when accessing a buffer, allowing a read beyond the buffer's allocated region
- Function pointer dereference: The OOB read results in dereferencing an invalid (attacker-influenced) function pointer, converting the read primitive into code execution within the kernel modem driver context
- Scope: Changed: The vulnerability affects security boundaries beyond the exploiting application — code execution in the modem interface driver can influence the modem subsystem, giving the exploit cross-boundary impact (C:H/I:L — high confidentiality impact, low integrity impact beyond the app sandbox)
- Attack vector: Local (AV:L) with low privileges (PR:L) — an application running on the device with standard permissions can trigger this vulnerability; typically chained with a renderer or app-level bug for initial code execution
- No user interaction: Once an exploiting app has code execution, the kernel exploit operates silently
- Mobile surveillance value: Access to the modem interface enables interception of cellular communications metadata and provides a persistence mechanism outside the standard Android OS security model
Discovery
Addressed in Samsung's October 2021 Monthly Security Update (SMR-Oct-2021). The two-year delay before CISA KEV addition (June 2023) indicates that exploitation was discovered in the wild — most likely in targeted mobile surveillance tooling against high-value individuals, consistent with the Scope: Changed, confidentiality-focused impact profile.
Exploitation Context
Samsung-specific kernel vulnerabilities in modem interface drivers are valuable to commercial spyware vendors and nation-state mobile exploitation teams because they target Samsung's large market share (particularly in government and enterprise deployments) and can cross modem security boundaries unavailable through standard Android kernel exploits. The Confidentiality: High / Scope: Changed profile is consistent with surveillance use cases — reading communications data from the modem subsystem while maintaining a low integrity-impact footprint consistent with passive surveillance. CISA's KEV addition confirms targeted exploitation, likely against journalists, activists, government officials, or defense sector employees using Samsung devices.
Remediation
- Apply October 2021 Samsung Security Update (SMR-Oct-2021) — ensure device security patch level is 2021-10-01 or later
- Enable automatic security updates: Settings → Software Update → Auto download and install
- For organizations managing Samsung device fleets: enforce minimum security patch level via Samsung Knox or Android Enterprise MDM policies
- If targeted surveillance is suspected, use forensic tools (MVT — Mobile Verification Toolkit by Amnesty International) to check for indicators of compromise
- Consider replacing end-of-life Samsung devices that no longer receive security updates with current models receiving regular patches
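
The patch-level check from the first and third remediation items can be automated. The following is an added example, not Samsung's or any MDM vendor's code. It assumes each device's properties were collected as `adb shell getprop` output; the device names and dumps are constructed samples.

```python
import re
from datetime import date

# First security patch level that contains the fix, per the remediation list.
FIXED_LEVEL = date(2021, 10, 1)
# `adb shell getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(dump):
    """Parse getprop output into a dict, ignoring lines that do not match."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def classify(dump):
    """Return 'not-samsung', 'patched', 'vulnerable' or 'unknown' for one device."""
    props = parse_getprop(dump)
    if props.get("ro.product.manufacturer", "").lower() != "samsung":
        return "not-samsung"
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        # Missing or malformed patch level: flag for manual review, never assume patched.
        return "unknown"
    return "patched" if level >= FIXED_LEVEL else "vulnerable"

def audit(fleet):
    """Classify every device in a {name: getprop_dump} mapping."""
    return {name: classify(dump) for name, dump in fleet.items()}

# Constructed sample dumps (hypothetical devices, not real inventory data).
FLEET = {
    "device-a": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: [2021-09-01]",
    "device-b": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: [2021-10-01]",
    "device-c": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: []",
    "device-d": "[ro.product.manufacturer]: [Google]\n"
                "[ro.build.version.security_patch]: [2021-08-05]",
}

if __name__ == "__main__":
    for name, status in audit(FLEET).items():
        print(f"{name}: {status}")
```
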
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-25487 |
| Vendor / Product | Samsung — Mobile Devices |
| NVD Published | 2021-10-06 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
| Severity | HIGH |
| CWE | CWE-125 |
| CISA KEV Added | 2023-06-29 |
| CISA KEV Deadline | 2023-07-20 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-10-01 | Samsung publishes October 2021 Security Bulletin addressing CVE-2021-25487 |
| 2021-10-06 | CVE published |
| 2023-06-29 | Added to CISA Known Exploited Vulnerabilities catalog — nearly two years after patch, reflecting confirmed targeted exploitation |
| 2023-07-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Samsung Mobile Security — October 2021 Security Bulletin | Vendor Advisory |
| NVD — CVE-2021-25487 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |