CVE-2024-27387 in Exynos 980info

Summary

by MITRE • 09/09/2024

An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_rx_range_done_ind(), there is no input validation check on rtt_id coming from userspace, which can lead to a heap overwrite.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/13/2025

The vulnerability identified as CVE-2024-27387 affects multiple Samsung Exynos mobile processors including the Exynos 980, 850, 1280, 1380, and 1330 chipsets. This issue resides within the wireless communication subsystem of these processors, specifically within the function slsi_rx_range_done_ind() which handles range measurement done indications. The flaw represents a critical input validation weakness that can be exploited through improper user space input handling, creating a potential pathway for heap memory corruption.

The technical root cause stems from the absence of proper validation checks on the rtt_id parameter that originates from userspace applications. This parameter is intended to identify ranging measurement sessions but lacks adequate bounds checking or sanitization before being processed within kernel space. When malicious or malformed input is passed through this parameter, it can overwrite adjacent heap memory regions, potentially leading to arbitrary code execution or system instability. This type of vulnerability falls under the CWE-129 category of Improper Input Validation, specifically manifesting as an unchecked array index that can result in heap-based buffer overflows.

The operational impact of this vulnerability is significant for devices utilizing affected Exynos processors, as it creates a potential attack surface for privilege escalation and system compromise. An attacker with local access or the ability to execute code in userspace could leverage this flaw to overwrite critical heap memory structures, potentially leading to denial of service conditions or more severe exploitation outcomes. The vulnerability affects devices where wireless communication capabilities are present, particularly those implementing the Samsung Location Services or similar wireless positioning features that utilize the slsi_rx_range_done_ind() function. This aligns with ATT&CK technique T1068 which covers Exploitation for Privilege Escalation, and T1059 which covers Command and Scripting Interpreter, as the vulnerability could enable an attacker to execute malicious code with elevated privileges.

Mitigation strategies for this vulnerability should focus on implementing proper input validation within the affected function, including bounds checking and parameter sanitization before processing the rtt_id value. System administrators and device manufacturers should prioritize applying firmware updates and patches that address this specific validation gap. Additionally, runtime protections such as heap canaries, stack canaries, and address space layout randomization should be enabled to reduce exploitability. The vulnerability demonstrates the importance of robust input validation in kernel space components, particularly when dealing with user-supplied data that flows into critical system functions. Organizations should also consider implementing network segmentation and monitoring to detect anomalous behavior that might indicate exploitation attempts, as this type of heap corruption vulnerability often manifests through unusual memory access patterns or system crashes.

Responsible

MITRE

Reservation

02/25/2024

Disclosure

09/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00169

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!