A zero-day vulnerability, tracked as CVE-2024-44068, has been found in Samsung’s cellular processors and is being utilized in an exploit chain for arbitrary code execution.
The vulnerability was given a crucial CVSS rating of 8.1 out of 10 and was patched in Samsung’s October set of safety fixes.
A Nationwide Institute of Requirements and Know-how (NIST) advisory on the bug describes it as “a problem [that] was found within the m2m scaler driver in Samsung Cellular Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920.” A use-after-free bug within the cellular processor finally results in privilege escalation, the company added.
Google researcher Xingyu Jin was credited with reporting the flaw earlier this yr, and Google TAG researcher Clement Lecigne warned that an exploit exists within the wild.
“This zero-day exploit is a part of an EoP chain,” Jin and Lecigne famous. “The actor is ready to execute arbitrary code in a privileged digital camera server course of. The exploit additionally renamed the method identify itself to ‘[email protected]’, most likely for anti-forensic functions.”
