CVE-2015-7890
Description
Buffer overflow in Samsung Exynos Seiren audio driver allows local users to cause memory corruption via large write to /dev/seiren.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Samsung Exynos Seiren audio driver allows local users to cause memory corruption via large write to /dev/seiren.
Vulnerability
The esa_write function in the Exynos Seiren Audio driver (accessible via /dev/seiren) contains multiple buffer overflows due to inadequate bounds checking on user-supplied buffer and size parameters. The destination buffer ibuf is fixed-size, and copy_from_user is called without verifying that size does not exceed the buffer capacity. This affects Samsung S6 Edge devices [1]. The driver is accessible by the system user or audio group (e.g., mediaserver) [1].
Exploitation
An attacker with local access (e.g., a privileged shell or as the mediaserver user) can trigger the overflow by writing a large amount of data to /dev/seiren. A simple proof-of-concept using dd if=/dev/zero of=/dev/seiren count=5000000 causes memory corruption [1][2].
Impact
Successful exploitation results in memory corruption, leading to a denial of service (system crash or instability). The corruption may also potentially be leveraged for arbitrary code execution, though the references focus on memory corruption [1][2].
Mitigation
No official patch or fixed version has been released as of the available references. The only mitigation is to restrict access to /dev/seiren by ensuring only trusted users are in the audio group or by disabling the driver if not needed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Exynos/Seiren Audio driverdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on user-supplied size parameter in esa_write allows buffer overflow of a fixed-size global buffer."
Attack vector
A local attacker who is either the system user or a member of the audio group (such as the mediaserver) can open `/dev/seiren` and write a large payload to it. The `esa_write` function passes the user-supplied `buffer` and `size` directly to `copy_from_user` without verifying that `size` does not exceed the fixed size of the destination buffer `rtd->ibuf0`, causing a buffer overflow [ref_id=1]. The proof-of-concept uses `dd if=/dev/zero of=/dev/seiren count=5000000` from a privileged shell to trigger memory corruption [ref_id=1].
Affected code
The vulnerability resides in the `esa_write` function in the Exynos Seiren Audio driver, specifically in the device endpoint `/dev/seiren`. The function copies user-supplied data into a fixed-size static global buffer (`rtd->ibuf0`) using `copy_from_user(ibuf, buffer, size)` without adequate bounds checking on the user-controlled `buffer` or `size` parameters [ref_id=1].
What the fix does
The reference write-up does not include a patch or describe a specific fix. The advisory notes that the root cause is the lack of bounds checking on the user-supplied `buffer` and `size` parameters before copying into the fixed-size `ibuf0` buffer [ref_id=1]. A proper fix would require validating that `size` does not exceed the allocated size of the destination buffer before calling `copy_from_user`.
Preconditions
- authAttacker must be the system user or a member of the audio group (e.g., mediaserver)
- networkAttacker must have local shell access to the device
- inputThe /dev/seiren device must be accessible
Reproduction
From a privileged shell on a Samsung S6 Edge, run: `# dd if=/dev/zero of=/dev/seiren count=5000000` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- packetstormsecurity.com/files/134106/Samsung-Seiren-Kernel-Driver-Buffer-Overflow.htmlmitrex_refsource_MISC
- code.google.com/p/google-security-research/issues/detailmitrex_refsource_MISC
- www.exploit-db.com/exploits/38556/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.