CVE-2023-26073
Description
An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. A heap-based buffer overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding the extended emergency number list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in Samsung Exynos 5G MM codec when decoding extended emergency number list, enabling denial of service or potential code execution with network operator or local access.
Vulnerability
A heap-based buffer overflow exists in the 5G Mobility Management (MM) message codec of Samsung Exynos chipsets, including Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123 [1]. The vulnerability occurs when decoding the extended emergency number list within a NAS message; insufficient parameter validation allows a crafted list to overflow a heap buffer [4].
Exploitation
An attacker must either be a malicious mobile network operator (MNO) or have local access to the device [4]. The attacker sends a specially crafted NAS message containing an oversized or malformed extended emergency number list. No user interaction is required beyond the device receiving the message over the cellular network or via local injection.
Impact
Successful exploitation causes a heap buffer overflow, leading to memory corruption. This can result in denial of service (baseband crash) or potentially arbitrary code execution at the baseband level [4]. However, the attack surface is limited to scenarios where the attacker controls the network or has local access, reducing the severity compared to the Internet-to-baseband RCE vulnerabilities also disclosed in the same research.
Mitigation
Samsung has released security updates for affected chipsets; device manufacturers are responsible for distributing patches to end users [1]. For example, Google Pixel devices received fixes in the March 2023 security update [4]. Users should apply the latest firmware updates from their device vendor. No workaround is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Samsung/Mobile Chipset and Baseband Modem Chipset for Exynosdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- packetstormsecurity.com/files/171380/Shannon-Baseband-NrmmMsgCodec-Extended-Emergency-Number-List-Heap-Buffer-Overflow.htmlmitre
- bugs.chromium.org/p/project-zero/issues/detailmitre
- googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.htmlmitre
- semiconductor.samsung.com/processor/mobile-processor/mitre
- semiconductor.samsung.com/processor/modem/mitre
- semiconductor.samsung.com/support/quality-support/product-security-updates/mitre
News mentions
0No linked articles in our index yet.