好的,我现在要帮用户总结一下这篇文章的内容。用户的要求是用中文,控制在100个字以内,而且不需要以“文章内容总结”这样的开头,直接写描述即可。 首先,我需要仔细阅读这篇文章。文章标题是“Advisory”,日期是2025年6月1日,作者是Billy Jheng Bing-Jhong等。文章主要讨论的是三星Galaxy S24+手机中的一个安全漏洞,具体来说是Exynos NPU驱动中的一个Use-after-free漏洞。 接下来,我注意到这个漏洞的CVE编号是CVE-2025-23098,CVSS3.1评分为7.8,属于高危级别。攻击者可以在本地利用这个漏洞进行权限提升。受影响的版本包括多个Exynos处理器型号。 技术细节部分提到,在__prepare_IMB_info函数中,IMB_mem_buf被分配并赋值给session->IMB_mem_buf。如果session->IMB_size过大,会进入错误处理流程p_err,在这里IMB_mem_buf会被释放并置空。然而,session->IMB_mem_buf并没有置空,导致后续可能再次释放同一个内存块,从而引发Use-after-free漏洞。 最后,文章还提到了漏洞的发现者和时间线:2024年12月8日报告给三星,2025年6月1日发布CVE编号和补丁。 现在我要把这些信息浓缩到100字以内。需要涵盖的主要点包括:三星Galaxy S24+及Exynos处理器中的NPU驱动存在Use-after-free漏洞;该漏洞可能导致本地权限提升;CVSS评分高危;已发布补丁。 确保语言简洁明了,不使用复杂的术语。同时避免任何不必要的细节,只保留最关键的信息。 总结下来应该是:三星Galaxy S24+及其Exynos处理器的NPU驱动存在Use-after-free漏洞(CVE-2025-23098),可能导致本地权限提升。CVSS评分7.8(高危),已发布补丁修复。 </think> 三星Galaxy S24+及其Exynos处理器的NPU驱动存在Use-after-free漏洞(CVE-2025-23098),可能导致本地权限提升。CVSS评分7.8(高危),已发布补丁修复。 2025-6-1 00:0:0 Author: starlabs.sg(查看原文) 阅读量:4 收藏
Advisory June 1, 2025 By Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, Pan Zhenpeng, Ng Zhi Yang 2 min read
CVE: CVE-2025-23098
Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 980, 990, 1080, 2100, 1280, 2200, 1380
CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
| Product | Samsung Exynos NPU Driver |
|---|---|
| Vendor | Samsung |
| Severity | High — a local attacker within untrusted_app SELinux context may exploit this to achieve local privilege escalation |
| Affected Versions | Samsung Galaxy S24+ (Android 14); Exynos 980, 990, 1080, 2100, 1280, 2200, 1380 |
| Tested Versions | Samsung Galaxy S24+ (S926BXXS3AXGD) |
| CVE Identifier | CVE-2025-23098 |
| CVE Description | A use-after-free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation |
| CWE Classification(s) | CWE-416: Use After Free |
CVSS3.1 Scoring System
Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Product Background
The Samsung Galaxy S24+ features a Neural Processing Unit (NPU) integrated into either the Snapdragon 8 Gen 3 or Exynos 2400 chipset depending on the market. The NPU accelerates on-device AI workloads including camera processing, real-time translation, and generative photo editing. The NPU kernel driver is a privileged component that manages session state, memory allocation, and inference buffer management on behalf of userspace applications.
Technical Details
In __prepare_IMB_info, it will assign IMB_mem_buf to session->IMB_mem_buf. If session->IMB_size is quite big, it will goto p_err free the IMB_mem_buf but do not clean the pointer in session.
But it only set IMB_mem_buf pointer to NULL, but do not set session->IMB_mem_buf to NULL.
int __config_session_info(struct npu_session *session)
{
IMB_mem_buf = kcalloc(1, sizeof(struct npu_memory_buffer), GFP_KERNEL);
...
ret = __prepare_IMB_info(session, &IMB_av, IMB_mem_buf);
...
}
int __prepare_IMB_info(struct npu_session *session, struct addr_info **IMB_av, struct npu_memory_buffer *IMB_mem_buf)
{
...
session->IMB_mem_buf = IMB_mem_buf;
if (session->IMB_size > (NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)) {
...
goto p_err;
}
p_err:
if (likely(IMB_mem_buf)) {
kfree(IMB_mem_buf); // [1]
IMB_mem_buf = NULL;
Then it will be freed again at __release_imb_mem_buf:
static inline void __release_imb_mem_buf(struct npu_session *session)
{
struct npu_memory_buffer *ion_mem_buf = session->IMB_mem_buf;
if (likely(ion_mem_buf)) {
...
session->IMB_mem_buf = NULL;
kfree(ion_mem_buf);
}
}
Credit
Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, Pan Zhenpeng and Ng Zhi Yang of STAR Labs SG Pte. Ltd.
Timeline
- 2024-12-08 — Reported to Samsung
- 2025-06-01 — CVE-2025-23098 assigned and published; patch released via Samsung Product Security Update
如有侵权请联系:admin#unsafe.sh