Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54328

CVE-2025-54328: Samsung Exynos Buffer Overflow Vulnerability

CVE-2025-54328 is a stack-based buffer overflow flaw in Samsung Exynos processors that occurs while parsing SMS RP-DATA messages. This article covers the technical details, affected processor models, and mitigation strategies.

Published:

CVE-2025-54328 Overview

A critical stack-based buffer overflow vulnerability has been identified in the SMS parsing functionality of Samsung Exynos mobile processors, wearable processors, and modems. The vulnerability exists in the code responsible for parsing SMS RP-DATA (Relay Protocol Data) messages, which are fundamental to SMS transmission in cellular networks. When a maliciously crafted SMS RP-DATA message is processed by an affected device, the insufficient bounds checking allows an attacker to overflow the stack buffer, potentially leading to arbitrary code execution at the baseband processor level.

This vulnerability is particularly severe because it can be exploited remotely over the cellular network without requiring any user interaction or authentication. An attacker only needs to know the victim's phone number to send a specially crafted SMS message that triggers the vulnerability.

Critical Impact

Remote code execution at the baseband processor level via malicious SMS messages, requiring no user interaction and potentially affecting millions of Samsung devices including smartphones and wearables.

Affected Products

  • Samsung Exynos Mobile Processors: 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500
  • Samsung Exynos Wearable Processors: 9110, W920, W930, W1000
  • Samsung Exynos Modems: 5123, 5300, 5400

Discovery Timeline

  • April 6, 2026 - CVE-2025-54328 published to NVD
  • April 7, 2026 - Last updated in NVD database

Technical Details for CVE-2025-54328

Vulnerability Analysis

The vulnerability resides in the SMS RP-DATA message parsing routine within the baseband firmware of affected Samsung Exynos processors. SMS RP-DATA messages are part of the Short Message Relay Layer (SM-RL) protocol defined in 3GPP TS 24.011, which handles the reliable transfer of SMS messages between the mobile device and the Short Message Service Center (SMSC).

The baseband processor handles these messages at a very low level, separate from the main application processor running Android or other operating systems. This makes the vulnerability particularly dangerous as exploitation occurs before any operating system-level security controls can intervene. Code execution at the baseband level could allow an attacker to intercept calls and SMS messages, access cellular network credentials, or potentially pivot to compromise the main application processor.

Root Cause

The root cause is CWE-121: Stack-based Buffer Overflow. The SMS RP-DATA parsing function allocates a fixed-size stack buffer for processing incoming message elements but fails to properly validate the length fields within the RP-DATA Information Element (IE) structures before copying data. When an attacker sends an RP-DATA message with oversized length values, the parsing routine writes beyond the allocated stack buffer boundaries, corrupting adjacent stack memory including return addresses and saved registers.

Attack Vector

The attack can be executed remotely over the cellular network by sending a specially crafted SMS message to the target device. The attack characteristics include:

  • Network-based delivery: The malicious SMS can be sent from any device or service capable of sending SMS messages
  • Zero-click exploitation: No user interaction is required; the vulnerability triggers during automatic message processing
  • No authentication required: The attacker only needs the victim's phone number
  • Cross-scope impact: Successful exploitation at the baseband level can affect both the modem subsystem and potentially the main application processor

The exploitation process involves sending an SMS RP-DATA message containing malformed length fields that cause the baseband firmware to write attacker-controlled data past the end of a stack buffer. By carefully constructing the overflow payload, an attacker can overwrite the return address on the stack and redirect execution to shellcode embedded within the SMS payload itself.

Detection Methods for CVE-2025-54328

Indicators of Compromise

  • Unusual baseband processor crashes or device reboots without apparent cause
  • Unexpected SMS message processing errors logged in device diagnostic logs
  • Anomalous network traffic patterns from the cellular modem subsystem
  • Device exhibiting signs of compromise such as unauthorized call forwarding or message interception

Detection Strategies

  • Monitor for devices experiencing repeated baseband processor crashes or unexpected restarts
  • Implement network-level SMS filtering at the carrier level to detect malformed RP-DATA messages with anomalous length fields
  • Deploy mobile device management (MDM) solutions that can monitor device health and detect baseband-level anomalies
  • Review cellular network logs for unusual SMS delivery patterns targeting specific device models

Monitoring Recommendations

  • Enable enhanced logging on affected devices where available to capture baseband processor events
  • Implement carrier-side SMS firewall rules to inspect and filter RP-DATA messages with suspicious characteristics
  • Monitor for security advisories from Samsung regarding firmware updates for affected processors
  • Track device telemetry for patterns indicating exploitation attempts across device fleets

How to Mitigate CVE-2025-54328

Immediate Actions Required

  • Apply Samsung firmware updates as soon as they become available for affected processors
  • Contact device manufacturers for patch availability timelines for specific device models
  • Consider temporarily disabling SMS functionality on high-value targets until patches are deployed
  • Implement carrier-level SMS filtering if available to block malformed messages

Patch Information

Samsung has acknowledged this vulnerability and published security update information. Device owners should check for firmware updates through their device manufacturer's update channels. The baseband firmware updates are typically delivered as part of device system updates.

For detailed patch information, refer to Samsung Product Security Updates and Samsung CVE-2025-54328 Advisory.

Workarounds

  • Enable VoLTE-only mode if supported, as this may reduce exposure to legacy SMS-based attacks
  • Use alternative messaging platforms (Signal, WhatsApp, etc.) instead of SMS where possible
  • For enterprise environments, implement MDM policies to restrict SMS functionality on high-risk devices
  • Work with cellular carriers to enable SMS filtering or firewall capabilities at the network level
  • Consider using eSIM profiles that may allow quicker firmware updates for modem components
bash
# Check device baseband version on Android
adb shell getprop gsm.version.baseband
# Monitor for baseband crashes in device logs
adb logcat -b radio | grep -i "crash\|overflow\|exception"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne