In our previous blog post, we have introduced our latest research into full chain baseband exploits. We have showcased new research tools (our nanoMIPS decompiler, debugger, and emulator for Mediatek basebands) and explored the interconnected components across the Cellular Processor and the Application Processor of Samsung and Mediatek radio interface stacks.

The most serious of vulnerabilities in these interfaces can lead to over-the-air exploitation of the device: zero-click remote code execution not only in the baseband, but in the Android runtime as well.

It’s no secret that baseband full-chains of this kind have existed privately and been used In-The-Wild, as recently documented by the “Predator Files” disclosures, for example.

All told, we have found 17+ vulnerabilities (16 original CVEs received from Samsung and Mediatek following our reports). Taken together, the most critical indeed lead to over-the-air exploitation of Android!

In this series, we provide details of the baseband and baseband-to-AP pivot vulnerabilities, exploitable for remote code execution, chained together at the same time.

Last month, I was finally able to present some of the details of our work at the conference in Basebanheimer: Now I Am Become Death, the Destroyer of Chains.

In this post (Part 1), we publish the presentation material from (slides, video), our new TASZK advisories with vulnerability details for 11 out of the 17 vulnerabilities, and a video demonstration of a Samsung Baseband exploit in action.

Additional posts in this series:


According to Google, the first effort for applying exploit mitigations to baseband firmwares dates back to 2022:


While that claim may be arguable, it’s certainly the case that competing chipset manufacturers don’t always publicize their own baseband exploit mitigation engineering efforts. So, in and of itself, I think that such publication is great and I wish more vendors did the same. Either way, whether it was Qualcomm in ~2012, Infineon in ~2018, Huawei in ~2019, Samsung in ~2019, Mediatek in ~2022, or indeed Google in 2022-2023, it’s clear that vendors have definitely started working on baseband exploit mitigations.

With that in mind, we have to analyze the exploitability of individual CVEs if we want to understand their true impact.

Ideally, we could rely on the vendor for this, but sometimes the impact/severity assigned in bulletins is not quite accurate. For example, the Samsung Security Update describes the impact of CVE-2023-41111 and CVE-2023-41112 as “can cause abnormal termination of a phone”.

The rest of this series covers exploitability analysis:

  • Part 2 describes the heap implementation changes Mediatek made from Helio to Dimensity and analyzes the exploitability of the Mediatek Baseband RCE vulnerability CVE-2022-21744 using metadata attacks in light of these changes.
  • Part 3 explains how to exploit the Mediatek Baseband Pivot vulnerability CVE-2022-21765 for remote code execution in the Linux Kernel on Dimensity.
  • The upcoming Part 4 will include the advisories for CVE-2023-41111 and CVE-2023-41112 and introduce new baseband heap exploit techniques we have developed for targeting Baseband RCE vulnerabilities like CVE-2023-41111, CVE-2023-41112, CVE-2023-21517, and CVE-2022-21744. Most importantly, it will describe the fully realized Samsung Baseband RCE of our chain.
  • Finally, in Part 5 we will be publishing our advisories for the Samsung Baseband Pivot vulnerabilities CVE-2023-42529, CVE-2023-42528, CVE-2023-42527, and CVE-2023-30739 and discuss their successful exploitation.

If you prefer to skip ahead, check out our Samsung baseband exploit demo video at the end of this post!


For vulnerability details, disclosure timelines, and the lists of affected devices, see the individual advisories below:

Title Vendor CVE Access Vector TASZK Advisory Vendor Bulletin
LTE NAS Heap Buffer Overflow Samsung CVE-2023-21517 Remote June23
RIL IPC SIM Heap Buffer Overflow Samsung CVE-2023-30649 Pivot July23
RIL IPC PhoneBook Heap Buffer Overflow Samsung CVE-2023-30647 Pivot July23
RIL IPC SMS Heap Buffer Overflow Samsung CVE-2023-30646 Pivot July23
RIL IPC SMS Heap Buffer Overflow Samsung CVE-2023-30645 Pivot July23
RIL IPC IMEI Stack Buffer Overflow Samsung CVE-2023-30647 Pivot July23
RIL IPC SMS Stack Buffer Overflow Samsung CVE-2023-30648 Pivot July23
RLC Control Heap Buffer Overflow Mediatek CVE-2022-21744 Remote July22
CCCI Driver Stack Buffer Overflow Mediatek CVE-2022-21766 Pivot July22
CCCI Driver OOB Write Mediatek CVE-2022-21765 Pivot July22
CCCI Driver OOB Read Mediatek CVE-2022-21769 Pivot July22

Upcoming Advisories

As described in the talk, I had to skip additional vulnerabilities at because the chain of baseband+pivot vulnerabilities in question that we have reported to Samsung in April was still unfixed.

With impacable timing, the missing patches have been released by Samsung 4 days after the conference.

These baseband and Android CVEs can now be found in the November 2023 Samsung Semiconductor Security Update and Samsung Mobile Security Update, respectively.

Title Vendor CVE Access Vector TASZK Advisory Vendor Bulletin
RLC Buffer Overflow Samsung CVE-2023-41111 Remote n/a Nov23
RLC Buffer Overflow Samsung CVE-2023-41112 Remote n/a Nov23
RIL Heap Buffer Overflow Samsung CVE-2023-30644 Pivot n/a Nov23
RIL OOB Write Samsung CVE-2023-42529 Pivot n/a Nov23
RIL Improper Input Validation Samsung CVE-2023-42527 Pivot n/a Nov23
RIL Arbitrary File Descriptor Write Samsung CVE-2023-30739 Pivot n/a Nov23

Although the Security Updates have now been released, we also take into consideration the fact that Samsung applies monthly updates only to a subset of their supported devices, others get quarterly or bi-quarterly updates instead. (See more about their patching policies here.)

This is the major reason why we have decided to withhold the full details of our work on CVE-2023-41111, CVE-2023-41112, CVE-2023-42529, CVE-2023-42528, CVE-2023-42527, and CVE-2023-30739 for now.

Don’t forget to follow our research blog and our account on the bird site for upcoming updates about vulnerabilities, exploits, and trainings! :)

Exploit Demo

In the meantime, we are releasing a Proof-of-Concept video of exploiting CVE-2023-41111 and CVE-2023-41112 in the baseband of a Samsung Galaxy S21.

The video doesn’t provide the exact details of the exploit, but it demonstrates successful exploitation using the “Pwn2own classic” payload: we rewrite the device’s IMEI in order to show with the response that the phone sends to a post-exploitation mobile terminated Identity Request that the runtime has been compromised.