Introduction
Loss of cellular connectivity on a smartphone or wearable can disrupt emergency calls, business operations, and critical communications. Samsung’s October 2025 security update addresses a denial of service vulnerability in the Exynos chipset family that could be triggered remotely over the cellular network, affecting millions of devices worldwide.
Samsung is a dominant player in the global semiconductor and mobile device market, with its Exynos processors powering a wide range of Galaxy smartphones, tablets, wearables, and standalone modems. The Exynos line is deployed in flagship and mid-range devices across Europe, Asia, and other regions, making vulnerabilities in this platform highly impactful for both consumers and enterprises.
Technical Information
CVE-2025-26781 arises from incorrect handling of Radio Link Control (RLC) Acknowledged Mode (AM) Protocol Data Units (PDUs) within the L2 layer of Samsung Exynos mobile, wearable, and modem chipsets. The RLC AM protocol is responsible for reliable data transfer over cellular networks, providing segmentation, reassembly, and error correction through ARQ mechanisms. In this implementation, the vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
The root cause is a failure to properly validate and bound-check incoming RLC AM PDUs. When a malformed or specially crafted PDU is received over the cellular network, the Exynos baseband processor may perform out-of-bounds memory operations or enter an invalid state. This can result in a denial of service condition, manifesting as a loss of cellular connectivity, modem crash, or device reboot. The flaw is present in the L2 protocol stack, which processes network data before higher-level operating system protections can intervene. Attackers do not need physical access to the device, and exploitation can potentially be performed remotely over the air.
No public code snippets or exploit code are available for this vulnerability. The issue was discovered and responsibly disclosed by Hoang Dinh Tuan of SysSec Lab KAIST.
Affected Systems and Versions
The following Samsung Exynos chipsets are affected by CVE-2025-26781:
- Exynos 9820
- Exynos 9825
- Exynos 980
- Exynos 990
- Exynos 850
- Exynos 1080
- Exynos 2100
- Exynos 1280
- Exynos 2200
- Exynos 1330
- Exynos 1380
- Exynos 1480
- Exynos 9110
- Exynos W920 (wearable)
- Exynos W930 (wearable)
- Exynos Modem 5123
- Exynos Modem 5300
All device models and firmware versions using these chipsets prior to the October 2025 security update are considered vulnerable. The vulnerability affects both smartphones and wearables, as well as standalone modems that use these Exynos components.
Vendor Security History
Samsung has a documented history of vulnerabilities in its Exynos baseband and protocol stack implementations. Recent years have seen several disclosures of remote code execution and denial of service flaws in Exynos modem firmware. Samsung typically issues timely patches for supported devices, but update availability for older or region-specific models may lag. The company maintains a dedicated security advisory portal and has published detailed guidance for CVE-2025-26781 and related issues.
References
- Samsung CVE-2025-26781 Advisory
- Samsung Product Security Updates Portal
- NVD Entry for CVE-2025-26781
- iBeta: Samsung’s October 2025 Security Patch
- HKCERT: Samsung Products Multiple Vulnerabilities
- 5G NR RLC AM Mode Data Transmission
- ShareTechnote: 5G RLC
- TASZK Labs: There Will Be Bugs
- TASZK Labs: Baseband
- SysSec Lab KAIST Members
- KAIST News: SysSec Lab Research
