CVE-2025-62818 Overview
CVE-2025-62818 is an out-of-bounds write vulnerability affecting a broad range of Samsung Exynos mobile processors, wearable processors, and standalone modems. The flaw resides in the cellular baseband logic that processes SMS Transport Protocol User Data (TP-UD) packets. A mismatch between the TP User Data Header Indicator (TP-UDHI) and the User Data Length (UDL) values allows an attacker to write outside the bounds of an allocated buffer. The defect is categorized under [CWE-787] and is reachable over the cellular network without authentication or user interaction. Affected silicon spans flagship application processors, low-power and wearable SoCs, and dedicated 4G/5G modems shipped in millions of devices.
Critical Impact
An attacker on the cellular network can trigger memory corruption in the baseband by sending a malformed SMS, enabling potential remote code execution or denial of service against the modem.
Affected Products
- Samsung Exynos application processors: 980, 990, 850, 1080, 1280, 1330, 1380, 1480, 1580, 2100, 2200, 2400, 2500
- Samsung Exynos wearable processors: 9110, W920, W930, W1000
- Samsung Exynos standalone modems: 5123, 5300, 5400
Discovery Timeline
- 2026-04-07 - CVE-2025-62818 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2025-62818
Vulnerability Analysis
The vulnerability is in the SMS protocol stack implemented in Samsung Exynos baseband firmware. SMS messages contain a Transport Protocol Data Unit (TP-DU) that includes a TP-User-Data-Length (TP-UDL) field and an optional TP-User-Data-Header (TP-UDH) gated by the TP-UDHI flag. The parser uses the declared UDL to size a copy operation, but does not consistently reconcile UDL with the actual user data header length signaled by TP-UDHI. When the two values disagree, the firmware writes past the destination buffer.
Because the corrupted memory belongs to the baseband processor, exploitation gives an attacker influence over the firmware that handles radio communications. Successful memory corruption in the modem can result in baseband code execution, modem crash and reboot, or pivot opportunities into the application processor through shared interfaces.
Root Cause
The root cause is improper input validation of length fields in the SMS TP-UD parser. The implementation trusts the TP-UDL value when copying user data while separately consuming a header length derived from TP-UDHI. No bounds check ensures that header_length + payload_length fits within the receive buffer, producing an out-of-bounds write [CWE-787].
Attack Vector
The attack vector is the cellular network. An adversary with the ability to deliver a crafted SMS to the target, including via a rogue base station, a compromised SMSC, or SS7/Diameter signaling abuse, can reach the vulnerable parser. No user interaction is required because SMS is processed silently by the modem before it reaches the application processor. Exploitation does not require pairing, prior access, or credentials.
No public proof-of-concept or exploit code is available for CVE-2025-62818 at the time of publication. For technical details, refer to the Samsung advisory for CVE-2025-62818.
Detection Methods for CVE-2025-62818
Indicators of Compromise
- Unexpected modem resets, radio interface restarts, or repeated RIL/cbd crashes in device logs without an attributable cause.
- Receipt of malformed concatenated SMS messages where the User Data Header length is inconsistent with the declared UDL.
- Anomalous SMS traffic from unfamiliar originators that immediately precedes baseband instability.
Detection Strategies
- Inspect SMS-DELIVER PDUs at carrier or enterprise SMS gateways and flag messages whose TP-UDHI-derived header length plus payload exceeds the TP-UDL field.
- Monitor mobile device management (MDM) telemetry for sudden spikes in modem reboots or loss-of-service events across a fleet running Exynos hardware.
- Correlate signaling logs (SS7/Diameter) to identify silent or binary SMS bursts targeting Exynos-equipped device populations.
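The length reconciliation that the Root Cause section describes as missing, written as the gateway-side PDU check from the first detection strategy above. This is an added example, not code from Samsung or from the advisory; it assumes a raw SMS-DELIVER TPDU without the SMSC prefix, uses a simplified TP-DCS decode, and its function names and sample bytes are constructed.

```python
# Added example: SMS-DELIVER length check, layout per 3GPP TS 23.040; names and samples constructed.

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def is_seven_bit(dcs: int) -> bool:
    """Simplified TP-DCS decode: True when user data is packed GSM 7-bit."""
    if dcs & 0x80 == 0:                  # general data coding groups
        return (dcs >> 2) & 0x3 == 0
    if dcs & 0xF0 == 0xF0:               # data coding / message class group
        return dcs & 0x04 == 0
    return dcs & 0xF0 in (0xC0, 0xD0)    # message-waiting groups, 7-bit

def check_sms_deliver(tpdu: bytes) -> list[str]:
    """Return findings; an empty list means the length fields agree."""
    if len(tpdu) < 2 or tpdu[0] & 0x03 != 0:
        return ["not a parsable SMS-DELIVER"]
    # Index of TP-DCS: first octet, TP-OA (length, type, digits), TP-PID.
    pos = 3 + ceil_div(tpdu[1], 2) + 1
    if len(tpdu) < pos + 9:              # TP-DCS, TP-SCTS (7), TP-UDL
        return ["truncated before TP-UDL"]
    dcs, udl, ud = tpdu[pos], tpdu[pos + 8], tpdu[pos + 9:]
    seven, findings = is_seven_bit(dcs), []
    # TP-UDL counts septets for 7-bit data, octets otherwise.
    expected = ceil_div(udl * 7, 8) if seven else udl
    if expected > 140:
        findings.append("TP-UDL exceeds 140 octets of user data")
    if len(ud) != expected:
        findings.append(f"TP-UDL implies {expected} octets, {len(ud)} present")
    if tpdu[0] & 0x40:                   # TP-UDHI: user data starts with UDHL
        if not ud:
            return findings + ["TP-UDHI set but user data is empty"]
        hdr_octets = ud[0] + 1           # UDHL octet plus the header it counts
        # In 7-bit data the header is padded up to a septet boundary.
        hdr_units = ceil_div(hdr_octets * 8, 7) if seven else hdr_octets
        if hdr_units > udl or hdr_octets > len(ud):
            findings.append("user data header longer than TP-UDL allows")
    return findings

# Constructed samples: first octet (TP-UDHI set), TP-OA, TP-PID, then the rest.
PREFIX = bytes.fromhex("440B915155550501F000")
UDH = bytes.fromhex("0500032A0201")      # UDHL=5, one concatenation element

def sample(dcs: int, udl: int, ud: bytes) -> bytes:
    return PREFIX + bytes([dcs]) + bytes.fromhex("62407021000000") + bytes([udl]) + ud

if __name__ == "__main__":
    for udl, ud in ((8, UDH + b"hi"), (3, UDH[:3])):   # consistent, then flagged
        print(udl, check_sms_deliver(sample(0x04, udl, ud)))
```

For 7-bit messages the header is compared in septets, so the 6-octet header in the sample needs a TP-UDL of at least 7 even though 6 octets of user data are present.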
Monitoring Recommendations
- Track Samsung Semiconductor security bulletins for firmware revisions covering each affected Exynos and modem SKU.
- Enable crash and kernel log collection from managed mobile endpoints to surface baseband faults that may indicate exploitation attempts.
- Maintain an asset inventory mapping device models to their underlying Exynos chipset to scope exposure and patch rollout.
How to Mitigate CVE-2025-62818
Immediate Actions Required
- Apply the firmware updates published by Samsung and the device OEM as soon as they are available for each affected Exynos SoC or modem.
- Identify and prioritize patching for high-value users whose devices use Exynos basebands, including executives and administrators.
- Coordinate with mobile carriers to enable network-side filtering of malformed SMS PDUs targeting Exynos device populations.
Patch Information
Samsung addresses Exynos baseband vulnerabilities through periodic security maintenance releases delivered to OEMs and integrated into device firmware updates. Refer to the Samsung Semiconductor Product Security Updates portal and the CVE-2025-62818 advisory for SKU-specific fix availability. End-user devices receive the fix via the OEM's monthly security patch.
Workarounds
- Disable or restrict the receipt of binary and class-0 SMS where the use case allows, reducing exposure to crafted PDUs that trigger the parser.
- Where supported, switch primary messaging to RCS or an over-the-top encrypted messenger and route business-critical SMS through a filtering gateway.
- For high-risk users, consider temporary use of devices that do not rely on the affected Exynos baseband until the firmware update is installed.
# Example: list installed baseband and patch level on an Android device
adb shell getprop gsm.version.baseband
adb shell getprop ro.build.version.security_patch


