CVE-2024-27375

CVSS 6.7 MEDIUMEPSS 0.2%CWE-1288

In short

A Samsung mobile processor fails to validate user input when processing NAN (Neighbor Awareness Networking) requests, allowing an attacker to overwrite memory on the heap and potentially crash the device or execute code.

Technical detail

A missing input validation check on the hal_req->sdea_service_specific_info_len parameter in slsi_nan_followup_get_nl_params() allows userspace to trigger a heap buffer overflow. This requires local access and can result in denial of service or arbitrary code execution within the kernel context.

Summary generated and translated by AI from the official description.

An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_nan_followup_get_nl_params(), there is no input validation check on hal_req->sdea_service_specific_info_len coming from userspace, which can lead to a heap overwrite.

CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:H/S:U/UI:N

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://semiconductor.samsung.com/support/quality-support/product-security-updates/