CVE-2021-25337

MEDIUM KEV

Samsung mobile <SMR Mar-2021 Release 1 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-25337 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 8, 2022. EIP tracks 1 public exploit from researchers including CrisZalSa.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2021-25337, targeting a use-after-free (UAF) vulnerability in Samsung's DECON driver. The exploit leverages heap spraying via Mali GPU's MEM_PROFILE_ADD ioctl to achieve arbitrary write and bypass addr_limit for privilege escalation.

Description

Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.

Exploits (1)

nomisec WORKING POC
by CrisZalSa · poc
https://github.com/CrisZalSa/JustALampNothingElse

This repository contains functional exploit code for CVE-2021-25337, targeting a use-after-free (UAF) vulnerability in Samsung's DECON driver. The exploit leverages heap spraying via Mali GPU's MEM_PROFILE_ADD ioctl to achieve arbitrary write and bypass addr_limit for privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Samsung DECON driver (Android kernel)
No auth needed
Prerequisites: Access to /dev/decon device · Mali GPU driver access · Kernel address leaks (signalfd_ops, addr_limit)
devstral-2 · analyzed Apr 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 4.4
EPSS 0.0283
EPSS Percentile 84.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-11-08
VulnCheck KEV 2020-11-03
InTheWild.io 2020-11-03
ENISA EUVD EUVD-2021-12233
CWE
CWE-269
Status published
Products (3)
samsung/android 9.0 smr-apr-2019-r1 (29 CPE variants)
samsung/android 10.0 smr-apr-2020-r1 (16 CPE variants)
samsung/android 11.0 smr-dec-2020-r1 (3 CPE variants)
Published Mar 04, 2021
KEV Added Nov 08, 2022
Tracked Since Feb 18, 2026