
CVE-2024-39890: Samsung Exynos Modem Buffer Overflow Flaw

CVE-2024-39890 is a buffer overflow vulnerability in Samsung Exynos Modem 5123 Firmware caused by improper length validation in Call Control. This article covers the technical details, affected versions, and mitigation.

CVE-2024-39890 Overview

CVE-2024-39890 is an out-of-bounds write vulnerability [CWE-787] affecting Samsung Exynos Mobile Processors, Wearable Processors, and standalone Modems. The baseband software fails to properly validate the length field specified by the Call Control (CC) protocol element. An attacker who can deliver crafted CC messages over the cellular network can trigger a memory write past the bounds of the destination buffer in baseband memory. The flaw affects a broad range of chipsets shipped in flagship smartphones, smartwatches, and standalone modems, including Exynos 9820, 990, 2100, 2200, 2400, W920, W1000, Modem 5123, and Modem 5300.

Critical Impact

A successful exploit can corrupt baseband memory, enabling code execution at the modem level and compromise of confidentiality, integrity, and availability of cellular communications.

Affected Products

  • Samsung Exynos Mobile Processors: 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400
  • Samsung Exynos Wearable Processors: 9110, W920, W930, W1000
  • Samsung Exynos Modems: 5123, 5300

Discovery Timeline

  • 2024-12-02 - CVE-2024-39890 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39890

Vulnerability Analysis

The vulnerability resides in the Call Control (CC) message handler within Samsung Exynos baseband firmware. CC is a 3GPP NAS-layer sublayer responsible for establishing, maintaining, and releasing circuit-switched calls. CC information elements carry a length octet describing the size of the following payload. The affected baseband software trusts this attacker-controlled length field instead of validating it against the actual buffer capacity. When the length exceeds the destination buffer size, the parser writes attacker-supplied bytes beyond the buffer boundary.

The attack vector is the cellular air interface, which scores as Network in CVSS. Attack Complexity is High because exploitation generally requires a rogue base station or a man-in-the-middle position over the radio link. No user interaction or authentication is required, and the impact spans confidentiality, integrity, and availability of the modem.

Root Cause

The root cause is missing bounds validation of the length specifier in a CC information element before a memory copy operation. The baseband firmware treats the length octet as authoritative without confirming the destination buffer can accommodate the payload, producing an out-of-bounds write classified under [CWE-787].
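
The missing check, shown as an added C example that is not Samsung's firmware code: an unchecked copy beside a hardened one. The identifier/length/value layout, the 16-byte capacity, and all names and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_BUF_CAP 16  /* assumed destination capacity (hypothetical) */
enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2 };

/* Flawed pattern, for contrast only: the length octet ie[1] is trusted as-is. */
void copy_ie_unchecked(uint8_t *dst, const uint8_t *ie)
{
    memcpy(dst, ie + 2, ie[1]);  /* writes past dst when ie[1] > its capacity */
}

/* Hardened form: check the length octet against the bytes actually received
 * and against the destination capacity before copying anything. */
int copy_ie_checked(uint8_t *dst, size_t dst_cap,
                    const uint8_t *msg, size_t msg_len,
                    size_t off, size_t *out_len)
{
    if (off > msg_len || msg_len - off < 2)
        return IE_TRUNCATED;         /* no room for identifier + length octets */
    size_t len = msg[off + 1];
    if (len > msg_len - off - 2)
        return IE_TRUNCATED;         /* declared length runs past the message */
    if (len > dst_cap)
        return IE_TOO_LONG;          /* would overflow dst: reject, do not clamp */
    memcpy(dst, msg + off + 2, len);
    *out_len = len;
    return IE_OK;
}

int main(void)
{
    /* Constructed sample: identifier octet, length octet = 40, 40 value bytes. */
    uint8_t msg[2 + 40] = { 0x5e, 40 };
    uint8_t dst[IE_BUF_CAP];
    size_t n = 0;
    int rc = copy_ie_checked(dst, sizeof dst, msg, sizeof msg, 0, &n);
    printf("oversized IE -> %d (IE_TOO_LONG is %d)\n", rc, IE_TOO_LONG);
    return rc == IE_TOO_LONG ? 0 : 1;
}
```

Rejecting the element outright, rather than truncating the copy to fit, keeps later parsing from running on a partially populated structure.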

Attack Vector

An attacker operates a malicious or hijacked cellular base station within radio range of a victim device. The attacker delivers a malformed CC NAS message containing an oversized length value. When the modem parses the message, the out-of-bounds write corrupts adjacent baseband memory structures. Depending on the corrupted target, the attacker can crash the baseband or pivot to code execution within the modem, which sits below the Android application processor and has privileged access to radio and telephony stacks.

// No verified public proof-of-concept exists for CVE-2024-39890.
// See the Samsung Semiconductor security advisory for technical details.

Detection Methods for CVE-2024-39890

Indicators of Compromise

  • Unexpected modem resets, baseband panics, or RIL (Radio Interface Layer) crashes recorded in device logs
  • Devices repeatedly attaching to base stations broadcasting unusual or low-quality cell identifiers
  • Anomalous NAS-layer signaling activity captured by enterprise mobile threat defense agents

Detection Strategies

  • Correlate Android logcat modem subsystem entries with cellular network telemetry to identify repeated CC parsing failures
  • Use mobile device management (MDM) attestation to flag devices running unpatched Exynos firmware builds
  • Deploy IMSI-catcher and rogue base station identification tooling in sensitive physical locations

Monitoring Recommendations

  • Track firmware patch level on managed Samsung devices and alert on devices running pre-fix Exynos builds
  • Monitor for unexplained reductions in cellular signaling quality or forced 2G/3G downgrades that may facilitate rogue base station attacks
  • Aggregate baseband crash telemetry and treat clustered modem panics as a high-priority investigation trigger

How to Mitigate CVE-2024-39890

Immediate Actions Required

  • Apply the latest Samsung security maintenance release that includes the Exynos baseband fix to all affected handsets, wearables, and modems
  • Inventory devices using affected Exynos chipsets and prioritize executive, journalist, and high-risk user fleets for first-wave patching
  • Where feasible, disable 2G fallback and enforce LTE/5G-only modes to reduce exposure to rogue base stations

Patch Information

Samsung addresses the issue through firmware updates distributed via device OEM security maintenance releases. Refer to the Samsung Product Security Updates portal for the authoritative list of fixed firmware versions across the Exynos 9820, 990, 2100, 2200, 2400, W920, W1000, Modem 5123, Modem 5300, and other listed parts.

Workarounds

  • Restrict device usage in untrusted radio environments until firmware updates are installed
  • Enable airplane mode in physically untrusted locations to disable the cellular modem and eliminate the radio attack surface
  • Issue MDM policies that quarantine or limit network access for devices that have not received the patched firmware build

```bash
# Verify current Android baseband (radio) firmware version on a managed device
adb shell getprop gsm.version.baseband
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
