Cyber Posture

CVE-2025-20881

High

Published: 04 February 2025

Modified: 12 February 2025
KEV Added
Patch
CVSS Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Out-of-bounds write when accessing the buffer storing the decoded video frames in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required to trigger this vulnerability.

Security Summary

CVE-2025-20881 is an out-of-bounds write vulnerability in the libsthmbc.so library, triggered when accessing the buffer that stores decoded video frames. It affects the library in versions prior to the Samsung Monthly Release (SMR) Jan-2025 Release 1. Classified under CWE-787, it has a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Exploitation requires local access but no privileges; the attack complexity is high and user interaction is required to trigger the flaw. Successful exploitation enables arbitrary code execution with elevated privileges on the affected device.

Samsung's security advisory for January 2025, available at https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01, describes the fix shipped in SMR Jan-2025 Release 1; applying that update is the recommended mitigation.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: samsung
Product: android
Versions: 12.0, 13.0, 14.0
