Samsung patches three Exynos NPU driver flaws enabling Android privilege escalation
Samsung has patched three high-severity vulnerabilities in the Exynos NPU driver—CVE-2025-23099, CVE-2025-23103, and CVE-2025-23107—that could allow local privilege escalation on affected Galaxy devices. The flaws impact Samsung Galaxy S24+ devices running Android 14 and systems based on Exynos 1480 and 2400 platforms, and each issue is reachable by a malicious application running in the untrusted_app SELinux context with low privileges and no user interaction. Samsung assigned a CVSS v3.1 score of 7.8 to the bugs and released fixes through Product Security Updates in early June.
The vulnerabilities stem from missing length checks in multiple NPU driver paths, leading to out-of-bounds writes in kernel memory. CVE-2025-23099 involves queue preparation logic that can reuse smaller prior allocations while trusting larger attacker-controlled counts, CVE-2025-23103 arises from an unbounded loop counter in npu_queue_update that can exceed the allocated queue_list size, and CVE-2025-23107 affects fill_vs4l_buffer, which writes kernel-side buffer metadata into an undersized user-supplied structure. STAR Labs SG credited Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Pan Zhenpeng with reporting the issues.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Samsung patches and publishes CVE-2025-23095
Samsung published CVE-2025-23095 and released a fix through its Product Security Update for a high-severity double-free flaw in the Exynos NPU driver. The bug could allow local privilege escalation to root from the untrusted_app SELinux context on Galaxy S24+ devices running Android 14 and multiple Exynos chipsets.
STAR Labs publicly discloses three Samsung Exynos NPU vulnerabilities
STAR Labs SG published advisories for CVE-2025-23103, CVE-2025-23107, and CVE-2025-23099, detailing out-of-bounds write bugs in the Samsung Exynos NPU driver. The disclosures described local privilege-escalation impact, affected Galaxy S24+ and Exynos 1480/2400 platforms, and technical root causes for each flaw.
Samsung patches CVE-2025-23099
Samsung released a patch for CVE-2025-23099 through its Product Security Update. The high-severity Exynos NPU driver flaw involved an out-of-bounds write caused by missing length checks and could lead to local privilege escalation.
Samsung patches CVE-2025-23103 and CVE-2025-23107
Samsung released fixes for CVE-2025-23103 and CVE-2025-23107 through a Samsung Product Security Update. Both high-severity Exynos NPU driver flaws could enable local privilege escalation on Galaxy S24+ devices running Android 14 and Exynos 1480/2400 platforms.
STAR Labs reports CVE-2025-23103 to Samsung
STAR Labs SG reported CVE-2025-23103, an out-of-bounds write vulnerability in the Samsung Exynos NPU driver, to Samsung. The issue could allow local privilege escalation from the untrusted_app SELinux context on affected Galaxy S24+ devices and Exynos 1480/2400 platforms.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
(CVE-2025-23095) Samsung Exynos NPU Driver Double Free Leading to Privilege Escalation | STAR Labs
starlabs.sg
Open source(CVE-2025-23099) Samsung Exynos NPU Driver Out-of-Bounds Write Leading to Privilege Escalation | STAR Labs
starlabs.sg
Open source(CVE-2025-23103) Samsung Exynos NPU Driver Out-of-Bounds Write via Unbounded Loop Counter | STAR Labs
starlabs.sg
Open source(CVE-2025-23107) Samsung Exynos NPU Driver Out-of-Bounds Write via Undersized User Buffer | STAR Labs
starlabs.sg
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Samsung Galaxy flaws exposed remote image RCE and SystemUI privilege escalation
Samsung disclosed multiple vulnerabilities affecting Galaxy devices, including **remote code execution** flaws in the proprietary Quram image codec and a separate **improper access control** bug in the Routines automation feature. **CVE-2025-21042** and **CVE-2025-21043** are out-of-bounds write issues in `libimagecodec.quram.so` that can be triggered by specially crafted images delivered through MMS, email attachments, messaging apps, or web content, potentially with little or no user interaction. Samsung said **CVE-2025-21042** was fixed in the **April 2025 Security Maintenance Release**, while **CVE-2025-21043** was addressed in the **September 2025 SMR**. The disclosures revive longstanding concerns around Samsung’s proprietary image parsing stack, which Google Project Zero previously showed could be exploited through malformed Qmage images in a **zero-click MMS** chain that achieved code execution on a Galaxy Note 10+. Samsung also patched **CVE-2025-21058**, which allowed a local attacker on Android 15 and 16 devices to execute arbitrary code with **SystemUI privileges** via Galaxy Routines before versions **4.8.7.1** and **4.9.6.0**. Separately, Google fixed Android framework flaw **CVE-2025-32322** in the September 2025 Android Security Bulletin after it was found to let a malicious app bypass the MediaProjection consent dialog and silently capture screen content on Android 13 and 14.
Jun 12, 2026
Qualcomm and Samsung patched critical baseband and firmware flaws in mobile chipsets
Qualcomm disclosed and patched several high-severity chipset vulnerabilities affecting Snapdragon, FastConnect, modem, automotive, and IoT products, including **`CVE-2025-27034`**, **`CVE-2025-21483`**, **`CVE-2025-21427`**, **`CVE-2025-27043`**, and **`CVE-2025-21450`**. The flaws span modem, video, RTP, and GPS/GNSS firmware and include remote code execution, memory corruption, buffer over-read, and man-in-the-middle risks. Reported attack paths include malformed PLMN roaming responses, crafted RTP and video-stream payloads, and unauthenticated interception of GNSS assistance data delivered over HTTP. Several issues require no user interaction and affect low-level firmware, raising the risk of bypassing operating system protections; one Qualcomm modem flaw, `CVE-2025-27034`, was reported as exploited in the wild. Qualcomm addressed the issues through July and September 2025 security updates, with exposure likely to persist where OEM firmware rollout lags. Samsung also issued fixes for multiple **Exynos baseband** vulnerabilities, including **`CVE-2024-55568`**, **`CVE-2025-26781`**, **`CVE-2025-26782`**, and **`CVE-2025-54329`**, affecting smartphones, wearables, and modem products. The bugs include NULL pointer dereference, out-of-bounds operations in RLC AM packet handling, and a heap overflow in the NAS signaling layer that can be triggered by malformed LTE or 5G traffic, Mobility Management packets, or multi-payload NAS messages such as SMS. Successful exploitation can crash or hang the modem, reboot devices, or cut off cellular service, and some flaws may be reachable through rogue base stations or compromised network infrastructure before higher-layer authentication or encryption takes effect. Samsung shipped patches in its October and November 2025 security updates, continuing a pattern of baseband security issues previously highlighted in Exynos modem research.
Jun 12, 2026
Samsung KNOX Use-After-Free Flaw Enabled Kernel Attacks on Galaxy Devices
Researchers at LucidBit Labs disclosed **CVE-2026-20971**, a high-severity use-after-free flaw in Samsung’s **KNOX** framework that left millions of Galaxy devices exposed to potential kernel-level attacks for roughly eight years. The bug affected Galaxy **S9 through S25** models, tested **A-series** devices including the **A54**, and both **Exynos** and **Qualcomm** variants across Android **13, 14, 15, and 16**. Samsung said the issue was fixed in its **January 2026** Android security update, and users were urged to verify a security patch level of **`2026-01-01`** or later. The vulnerability was traced to a race condition between KNOX’s **PROCA** process authenticator and the **FIVE** kernel integrity subsystem, specifically involving `procfs` handlers under `/proc/pid/integrity/` that accessed a `task_integrity` object without a proper reference in a fully preemptive kernel. LucidBit said the flaw could let a local untrusted app trigger kernel memory corruption and identified exploitation primitives including a memory leak that could aid **KASLR** bypass, an arbitrary-call path mitigated by **KCFI**, and a constrained write through spinlock operations on reclaimed memory. Although exploitation required local access and user interaction, researchers warned that a compromised Galaxy device could still enable deeper device takeover and provide a foothold for attacks against enterprise environments.
Jun 24, 2026