CVE-2023-26074
Description
An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123.. A heap-based buffer overflow in the 5G MM message codec can occur due to insufficient parameter validation when decoding operator-defined access category definitions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in Samsung Exynos 5G MM codec allows baseband compromise via malicious network operator or local access.
Vulnerability
A heap-based buffer overflow vulnerability exists in the 5G Mobility Management (MM) message codec of Samsung Exynos chipsets, including Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. The flaw arises from insufficient parameter validation when decoding operator-defined access category definitions, allowing a crafted 5G MM message to trigger a heap overflow.
Exploitation
Exploitation requires either a malicious mobile network operator (MNO) or an attacker with local access to the device [4]. An attacker in control of a rogue base station can send a specially crafted 5G MM message containing malformed operator-defined access category definitions. No user interaction is needed when the attack originates from the network. With local access, the attacker can inject the malicious message via a compromised application or debug interface.
Impact
Successful exploitation results in a heap-based buffer overflow in the baseband processor, enabling arbitrary code execution at the baseband level. This grants the attacker full control over the modem, potentially allowing interception of cellular communications, manipulation of network traffic, or further compromise of the device's application processor.
Mitigation
Samsung Semiconductor has not published a specific fix for CVE-2023-26074 as of the initial disclosure. Affected device manufacturers (Samsung, Google Pixel, Vivo, and others) are expected to provide patches in their respective security updates [4]. Users should apply vendor updates as soon as they become available. No workaround exists; disabling 5G may reduce exposure but does not eliminate the risk from malicious MNOs.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- Samsung/Mobile Chipset and Baseband Modem Chipset for Exynosdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- packetstormsecurity.com/files/171383/Shannon-Baseband-NrmmMsgCodec-Access-Category-Definitions-Heap-Buffer-Overflow.htmlmitre
- bugs.chromium.org/p/project-zero/issues/detailmitre
- googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.htmlmitre
- semiconductor.samsung.com/processor/mobile-processor/mitre
- semiconductor.samsung.com/processor/modem/mitre
- semiconductor.samsung.com/support/quality-support/product-security-updates/mitre
News mentions
0No linked articles in our index yet.