CVE-2025-20882

High

Published: 04 February 2025

Published

04 February 2025

Modified

12 February 2025

KEV Added

—

Patch

—

CVSS Score 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Out-of-bounds write in accessing uninitialized memory for svc1td in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.

Security Summary

CVE-2025-20882 is an out-of-bounds write vulnerability (CWE-787) in the svc1td component of libsthmbc.so, affecting Samsung devices prior to the SMR Jan-2025 Release 1. The flaw occurs when accessing uninitialized memory, which can be exploited to execute arbitrary code with elevated privileges. It carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Local attackers with no privileges can exploit this vulnerability, but it requires user interaction to trigger and involves high attack complexity. Successful exploitation allows arbitrary code execution with privileges, potentially leading to full device compromise if the attacker gains persistent local access.

Samsung's security advisory for the January 2025 monthly release details the patch in SMR Jan-2025 Release 1, recommending that users apply the update to mitigate the issue.

Details

CWE(s): CWE-787

Affected Products

samsung

android

12.0, 13.0, 14.0

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01
Vendor Advisory · mobile.security@samsung.com