CVE-2023-26496
Description
An issue was discovered in Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. Memory corruption can occur due to improper checking of the parameter length while parsing the fmtp attribute in the SDP (Session Description Protocol) module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory corruption in Samsung Exynos baseband modems due to improper parameter length checking in SDP fmtp attribute parsing.
Vulnerability
A memory corruption vulnerability exists in the Samsung Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5124. The issue occurs in the Session Description Protocol (SDP) module when parsing the fmtp attribute. The modem fails to properly check the length of the parameter, leading to a buffer overflow or similar memory corruption. Affected versions include all firmware variants for the listed chipsets prior to the security update referenced in [1].
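The bug class described above, shown from the defensive side as an added example. This is not Samsung's modem code and not taken from the advisory: the function name, error codes, "k=v;k=v" parameter layout and sample line are assumptions made for illustration. It extracts one fmtp parameter from a length-delimited SDP line and rejects any value that does not fit the destination buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; illustration only, not Samsung's modem code. */
enum { FMTP_OK = 0, FMTP_MALFORMED = -1, FMTP_TOO_LONG = -2, FMTP_NOT_FOUND = -3 };

/* Copy the value of parameter `name` from an "a=fmtp:<pt> k=v;k=v" line
 * into out[out_cap]. The line is handled as len bytes, not as a C string,
 * so an unterminated network buffer is never read past its end. */
int fmtp_get_param(const char *line, size_t len, const char *name,
                   char *out, size_t out_cap)
{
    static const char prefix[] = "a=fmtp:";
    const size_t plen = sizeof prefix - 1, nlen = strlen(name);
    if (out_cap == 0 || len < plen || memcmp(line, prefix, plen) != 0)
        return FMTP_MALFORMED;
    /* Skip the payload type, which runs up to the first space. */
    const char *p = line + plen, *end = line + len;
    const char *sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL)
        return FMTP_MALFORMED;
    p = sp + 1;
    while (p < end) {
        /* One "key=value" item ends at ';' or at the end of the line. */
        const char *semi = memchr(p, ';', (size_t)(end - p));
        const char *item_end = semi ? semi : end;
        while (p < item_end && *p == ' ') p++;  /* optional space after ';' */
        const char *eq = memchr(p, '=', (size_t)(item_end - p));
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            size_t vlen = (size_t)(item_end - (eq + 1));
            /* The check this bug class omits: the sender-controlled
             * length must fit the destination, terminator included. */
            if (vlen >= out_cap)
                return FMTP_TOO_LONG;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return FMTP_OK;
        }
        p = semi ? semi + 1 : end;
    }
    return FMTP_NOT_FOUND;
}

int main(void) {
    const char line[] = "a=fmtp:96 profile-level-id=42e01f;mode=1"; /* constructed sample */
    char mode[8];
    int rc = fmtp_get_param(line, sizeof line - 1, "mode", mode, sizeof mode);
    printf("rc=%d mode=%s\n", rc, rc == FMTP_OK ? mode : "(none)");
    return 0;
}
```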
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted SDP message to the target device's modem. The attacker does not require authentication but must be able to deliver the malicious SDP data over the air (e.g., via a malicious base station or a crafted SIP/VoLTE call). No user interaction is needed beyond the device receiving the crafted message. The improper length check allows the attacker to overwrite adjacent memory regions.
Impact
Successful exploitation results in memory corruption within the modem firmware. This can lead to denial of service (modem crash or reboot) or potentially arbitrary code execution at the modem privilege level. The compromise could allow an attacker to intercept or manipulate cellular communications, or use the modem as a pivot point for further attacks on the application processor.
Mitigation
Samsung has acknowledged the issue and provides product security updates through its support portal [1]. As of the publication date (2023-03-23), specific fixed firmware versions have not been publicly detailed. Users should apply the latest modem firmware updates from their device manufacturer or carrier. No workaround is available for unpatched devices.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Samsung/Baseband Modem Chipset for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, Exynos Auto T5124
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.