CVE-2025-20929
Published: 06 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-20929 is an out-of-bounds write vulnerability (CWE-787) in the JPEG image parsing component of the Samsung Notes application, affecting versions prior to 4.4.26.71. Published on 2025-03-06, the issue has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L), indicating high integrity impact potential with low requirements for exploitation.
Local attackers with access to the device can exploit this vulnerability by providing a specially crafted JPEG image to Samsung Notes, leading to arbitrary code execution. No user privileges or interaction are required, and the attack complexity is low, making it feasible for unprivileged local users.
Samsung's security advisory for March 2025 (https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=03) addresses the vulnerability, with the fix available in Samsung Notes version 4.4.26.71. Security practitioners should ensure devices are updated to this version or later to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in JPEG parsing component of client application (Samsung Notes) directly enables arbitrary code execution via crafted image with no user interaction required, mapping to Exploitation for Client Execution.