We have identified a new buffer overflow vulnerability in Samsung’s baseband implementation (mainly used in Exynos chipsets). The vulnerability can be exploited to achieve arbitrary code execution in the baseband runtime. The vulnerability we are disclosing in this advisory affected a wide range of Samsung devices, including phones on the newest Exynos chipsets. The November 2023 issue of the Samsung Semiconductor Security Bulletin contains this vulnerability as CVE-2023-41111. Vulnerability Details Background: Data Block Format and Re-assembly in RLC In GPRS, an LLC layer PDU can be up to 1560 bytes long, but the maximum size for an RLC data block is 22/32/38/52 for the GPRS coding schemes CS-1/2/3/4, respectively.

We have identified several new heap buffer overflow vulnerabilities in Samsung’s baseband implementation (mainly used in Exynos chipsets): three different heap buffer overflows in the same function, to be precise. The most critical of these vulnerabilities can be exploited to achieve arbitrary code execution in the baseband runtime. The vulnerabilities we are disclosing in this advisory affected a wide range of Samsung devices, including phones on the newest Exynos chipsets. The vulnerability report covering all three that we reported together was assigned CVE-2023-41112, which was published in the 2023 November issue of Samsung Semiconductor Security Bulletin. Vulnerability Details Background: RLC Data Block Formats in GPRS vs E-GPRS In GPRS, an LLC layer PDU can be up to 1560 bytes long, but the maximum size for an RLC data block is between 22 and 52 bytes for GPRS, depending on the Coding Scheme used (22/32/38/52 for the GPRS coding schemes CS-1/2/3/4, respectively).