Qualcomm and Samsung patched critical baseband and firmware flaws in mobile chipsets
Qualcomm disclosed and patched several high-severity chipset vulnerabilities affecting Snapdragon, FastConnect, modem, automotive, and IoT products, including CVE-2025-27034, CVE-2025-21483, CVE-2025-21427, CVE-2025-27043, and CVE-2025-21450. The flaws span modem, video, RTP, and GPS/GNSS firmware and include remote code execution, memory corruption, buffer over-read, and man-in-the-middle risks. Reported attack paths include malformed PLMN roaming responses, crafted RTP and video-stream payloads, and unauthenticated interception of GNSS assistance data delivered over HTTP. Several issues require no user interaction and affect low-level firmware, raising the risk of bypassing operating system protections; one Qualcomm modem flaw, CVE-2025-27034, was reported as exploited in the wild. Qualcomm addressed the issues through July and September 2025 security updates, with exposure likely to persist where OEM firmware rollout lags.
Samsung also issued fixes for multiple Exynos baseband vulnerabilities, including CVE-2024-55568, CVE-2025-26781, CVE-2025-26782, and CVE-2025-54329, affecting smartphones, wearables, and modem products. The bugs include NULL pointer dereference, out-of-bounds operations in RLC AM packet handling, and a heap overflow in the NAS signaling layer that can be triggered by malformed LTE or 5G traffic, Mobility Management packets, or multi-payload NAS messages such as SMS. Successful exploitation can crash or hang the modem, reboot devices, or cut off cellular service, and some flaws may be reachable through rogue base stations or compromised network infrastructure before higher-layer authentication or encryption takes effect. Samsung shipped patches in its October and November 2025 security updates, continuing a pattern of baseband security issues previously highlighted in Exynos modem research.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Samsung addresses Exynos CVE-2025-54329 in November 2025 update
Samsung fixed CVE-2025-54329 in its November 2025 security update by adding stricter payload-size validation in the Exynos NAS component. The heap-based buffer overflow could be triggered by malformed NAS messages containing multiple payloads, including SMS.
Samsung patches Exynos CVE-2024-55568 before October 2025 publication
Samsung had patched CVE-2024-55568, a NULL pointer dereference in Exynos baseband firmware that could crash or hang the baseband processor when handling malformed Mobility Management packets. The affected firmware versions were those released before Samsung's patch.
Samsung issues October 2025 update for Exynos CVE-2025-26782
Samsung's October 2025 security update addressed CVE-2025-26782, a critical denial-of-service vulnerability in Exynos Layer 2 RLC Acknowledged Mode processing. The flaw was discovered and analyzed by KAIST SysSec Lab researchers using the LLFuzz framework.
Samsung fixes Exynos CVE-2025-26781 in October 2025 security update
Samsung's October 2025 security update fixed CVE-2025-26781, a remotely triggerable denial-of-service flaw in Exynos RLC Acknowledged Mode PDU handling. The issue was discovered and responsibly disclosed by Hoang Dinh Tuan of SysSec Lab KAIST.
Qualcomm vulnerability CVE-2025-27034 reported as exploited in the wild
Reporting on CVE-2025-27034 stated that the Qualcomm Multi-Mode Call Processor flaw was being exploited in the wild. The bug could allow remote code execution without user interaction on affected Snapdragon-powered devices.
Qualcomm and Android address CVE-2025-21483 and CVE-2025-27034 in September 2025
The September 2025 Android and Qualcomm security updates remediated CVE-2025-21483, a Snapdragon RTP NALU reassembly memory corruption flaw, and CVE-2025-27034, a Multi-Mode Call Processor memory corruption vulnerability. For CVE-2025-27034, protection was available at Android security patch level 2025-09-05 or later, with fixes integrated into AOSP 15 and 16.
Qualcomm issues July 2025 fixes for CVE-2025-21427, CVE-2025-21450, and CVE-2025-27043
Qualcomm addressed multiple chipset vulnerabilities in its July 2025 security updates, including the RTP buffer over-read CVE-2025-21427, the GNSS assistance data flaw CVE-2025-21450, and the video firmware memory corruption issue CVE-2025-27043. Devices running firmware prior to the July 2025 update remained vulnerable until OEM patches were deployed.
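The CVE-2025-54329 entry above says the fix added stricter payload-size validation for NAS messages that carry multiple payloads. The sketch below is an added illustration of that class of check, not Samsung's code and not part of the original page. The container layout, the limits and every name in it are constructed for the example and do not reproduce the 3GPP NAS encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES   8    /* assumed cap on entries per container */
#define MAX_ENTRY_LEN 256  /* assumed capacity of each destination buffer */

struct payload_entry { uint8_t type; uint16_t len; uint8_t data[MAX_ENTRY_LEN]; };

/* Constructed layout, not the 3GPP encoding:
 *   [count:1] then count x { [type:1] [len:2 big-endian] [data:len] }
 * Returns the number of entries parsed, or -1 if any size field is inconsistent.
 * On -1 the contents of out[] are unspecified and must be discarded. */
int parse_multi_payload(const uint8_t *buf, size_t buf_len,
                        struct payload_entry *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || buf_len < 1) return -1;
    size_t count = buf[0];
    if (count == 0 || count > MAX_ENTRIES || count > out_cap) return -1;
    size_t off = 1;                              /* invariant: off <= buf_len */
    for (size_t i = 0; i < count; i++) {
        /* Compare against the bytes remaining, never off + n, so nothing wraps. */
        if (buf_len - off < 3) return -1;        /* truncated entry header */
        size_t len = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        if (len > MAX_ENTRY_LEN) return -1;      /* larger than the destination */
        if (len > buf_len - off - 3) return -1;  /* larger than what was received */
        out[i].type = buf[off];
        out[i].len = (uint16_t)len;
        memcpy(out[i].data, buf + off + 3, len);
        off += 3 + len;
    }
    return off == buf_len ? (int)count : -1;     /* reject trailing bytes */
}

/* Constructed sample containers. */
static const uint8_t SAMPLE_OK[]       = {2, 1, 0, 3, 'a', 'b', 'c', 2, 0, 1, 'z'};
static const uint8_t SAMPLE_OVERRUN[]  = {1, 1, 0, 16, 'a', 'b'};  /* declares 16, carries 2 */
static const uint8_t SAMPLE_TOO_BIG[]  = {1, 1, 1, 1};             /* declares 257 > 256 */
static const uint8_t SAMPLE_TRAILING[] = {1, 1, 0, 1, 'a', 'x'};   /* one stray byte */

int check(const uint8_t *buf, size_t n)
{
    static struct payload_entry scratch[MAX_ENTRIES];
    return parse_multi_payload(buf, n, scratch, MAX_ENTRIES);
}

int main(void) { return check(SAMPLE_OK, sizeof SAMPLE_OK) == 2 ? 0 : 1; }
```

Each declared length is checked against both the destination capacity and the bytes actually received before any copy, and a container whose entries do not add up to its total length is rejected outright.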


