CVE-2021-25387

9.0 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code in the mediaextractor process on Samsung devices through improper input validation in the libsflacextractor library. It affects Samsung mobile devices running Android with the vulnerable library prior to the May 2021 security update. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Samsung mobile devices
Versions: Android versions with libsflacextractor library prior to SMR MAY-2021 Release 1
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the mediaextractor process which handles media file parsing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover with root/system privileges, allowing data theft, persistent backdoor installation, and device bricking.

🟠 Likely Case

Remote code execution with mediaextractor process privileges, potentially leading to data exfiltration, surveillance, or further privilege escalation.

🟢 If Mitigated

Limited impact with proper security updates applied and exploit mitigations enabled.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the vulnerable function with malicious media files, potentially through web browsing or app interactions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SMR MAY-2021 Release 1 or later

Vendor Advisory: https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5

Restart Required: Yes

Instructions:

1. Check for system updates in device settings.
2. Install May 2021 security update or later.
3. Reboot device after installation.

🔧 Temporary Workarounds

Disable automatic media file processing (android)

Prevent automatic parsing of media files by untrusted applications

Restrict media file sources (all)

Only open media files from trusted sources

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks
  • Implement application allowlisting to prevent untrusted apps from processing media files

🔍 How to Verify

Check if Vulnerable:

Check the device security patch level in Settings > About phone > Software information. If it is before May 2021, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows May 2021 or later in device settings.
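The same check scripted for several attached devices, as an added example that is not part of the original advisory. The function names `patch_status` and `check_fleet` are hypothetical, `adb` is assumed to be on the PATH, and the patch-level string is assumed to use Android's usual `YYYY-MM-DD` form.

```shell
#!/bin/sh
# Added example: classify security patch levels against the May 2021 fix.
FIXED_YM=202105   # "May 2021" from the advisory, as YYYYMM

# patch_status <patch-level> -> prints PATCHED, VULNERABLE or UNKNOWN
patch_status() {
    # adb output usually carries a trailing CR/LF; strip all whitespace
    level=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$level" in
        [0-9][0-9][0-9][0-9]-0[1-9]-[0-9][0-9]) ;;
        [0-9][0-9][0-9][0-9]-1[0-2]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty, malformed or vendor-custom value
    esac
    ym=$(printf '%s' "$level" | cut -c1-4,6-7)   # 2021-04-01 -> 202104
    if [ "$ym" -ge "$FIXED_YM" ]; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# check_fleet: one line per device that adb lists in the "device" state.
# Only Samsung devices are in scope for this CVE.
check_fleet() {
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        # </dev/null keeps adb from swallowing the rest of the serial list
        vendor=$(adb -s "$serial" shell getprop ro.product.manufacturer </dev/null \
                 | tr -d '[:space:]')
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null \
                | tr -d '[:space:]')
        case "$vendor" in
            [Ss][Aa][Mm][Ss][Uu][Nn][Gg])
                echo "$serial ${level:-none} $(patch_status "$level")" ;;
            *)
                echo "$serial ${level:-none} NOT_SAMSUNG" ;;
        esac
    done
}

# Run against attached devices only when asked: ./check.sh --fleet
if [ "${1:-}" = "--fleet" ]; then
    check_fleet
fi
```

Treat an `UNKNOWN` result as unverified rather than safe and confirm it in the device settings.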

📡 Detection & Monitoring

Log Indicators:

  • Mediaextractor process crashes
  • Suspicious media file processing attempts

Network Indicators:

  • Unusual outbound connections from mediaextractor process

SIEM Query:

process_name:mediaextractor AND (event_type:crash OR suspicious_file_activity)
