CVE-2024-20813

Vulnerability

An out-of-bounds write vulnerability exists in the padmd_vld_qtbl function of libpadm.so on Samsung mobile devices. This issue affects all versions prior to the SMR Feb-2024 Release 1 security update. The flaw occurs when processing crafted input, leading to a write beyond the allocated buffer boundaries.

Exploitation

Exploitation requires local access to the device. An attacker must be able to execute code on the device, such as through a malicious application or by leveraging another vulnerability to gain local code execution. No user interaction is needed beyond installing the malicious app. The attacker can trigger the out-of-bounds write by providing specially crafted data to the vulnerable function.

Impact

Successful exploitation allows a local attacker to execute arbitrary code in the context of the affected process. This can lead to full compromise of the device, including unauthorized access to sensitive data, modification of system settings, or installation of persistent malware.

Mitigation

Samsung has addressed this vulnerability in the SMR Feb-2024 Release 1 security update, which was published on February 6, 2024 [1]. Users should apply the update as soon as possible. No workarounds are available for unpatched devices.