CVE-2022-27571
Description
Heap-based buffer overflow vulnerability in the sheifd_get_info_image function in the libsimba library prior to SMR Apr-2022 Release 1 allows code execution by a remote attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in sheifd_get_info_image of libsimba library allows remote code execution on unpatched Samsung devices.
Vulnerability
A heap-based buffer overflow vulnerability exists in the sheifd_get_info_image function of the libsimba library in Samsung devices prior to SMR Apr-2022 Release 1 [1]. The flaw can be triggered when processing specially crafted HEIF image files, leading to memory corruption.
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by delivering a malicious HEIF image to a target device, for example via email, messaging, or web downloads. No user interaction beyond opening or processing the image is required. The attacker does not need prior access or authentication.
Impact
Successful exploitation allows arbitrary code execution in the context of the affected library, potentially enabling the attacker to gain remote code execution (RCE) on the target device. This could lead to full compromise of the device's confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in Samsung Mobile Security's SMR Apr-2022 Release 1 update [1]. Users should apply the update as soon as possible. No workaround is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < SMR Apr-2022 Release 1
- Range: Q(10), R(11), S(12)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.samsungmobile.com/securityUpdate.smsb (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.