CVE-2025-20890

High

Published: 04 February 2025

Published

04 February 2025

Modified

12 February 2025

KEV Added

—

Patch

—

CVSS Score 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Out-of-bounds write in decoding frame buffer in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.

Security Summary

CVE-2025-20890 is an out-of-bounds write vulnerability (CWE-787) in the decoding frame buffer of libsthmbc.so, affecting versions prior to SMR Jan-2025 Release 1. Published on 2025-02-04 with a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), it enables local attackers to execute arbitrary code with elevated privileges.

Local attackers with no required privileges can exploit this vulnerability, but it demands high attack complexity and user interaction to trigger. Successful exploitation allows arbitrary code execution with privileges, potentially leading to full system compromise on affected Samsung devices.

Samsung's security update advisory for January 2025, available at https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01, addresses this issue through the SMR Jan-2025 Release 1, which practitioners should apply to mitigate the vulnerability.

Details

CWE(s): CWE-787

Affected Products

samsung

android

12.0, 13.0, 14.0

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=01
Vendor Advisory · mobile.security@samsung.com