CVE-2025-21044 is a medium-severity vulnerability categorized as an out-of-bounds write (CWE-787) in the fingerprint trustlet component of Samsung Mobile devices. The fingerprint trustlet is a trusted execution environment (TEE) component responsible for securely handling fingerprint authentication data. The vulnerability exists in versions prior to the SMR Oct-2025 Release 1 and allows a local attacker with high privileges to perform out-of-bounds memory writes. This can lead to memory corruption, potentially enabling privilege escalation or unauthorized access to sensitive data within the TEE. The attack vector requires local access with elevated privileges, no user interaction is needed, and the attack complexity is high due to the need for privileged access. The CVSS 3.1 base score is 5.7, reflecting high impact on confidentiality and integrity but no impact on availability. No public exploits are known at this time, and no patch links have been published yet. The vulnerability highlights the risk of memory safety issues in trusted components of mobile devices, which can undermine the security guarantees of biometric authentication systems.

If exploited, this vulnerability could allow attackers with local privileged access to corrupt memory within the fingerprint trustlet, potentially leading to unauthorized access to fingerprint data or escalation of privileges within the device. This compromises the confidentiality and integrity of biometric authentication, undermining device security and user privacy. While availability is not affected, the breach of biometric data can have long-term security implications, including bypassing device locks or impersonation. Organizations relying on Samsung mobile devices for sensitive communications or data storage could face increased risk of targeted attacks. The requirement for local privileged access limits remote exploitation but insider threats or malware with elevated privileges could leverage this flaw. The absence of known exploits reduces immediate risk but does not eliminate the threat once the vulnerability becomes widely known.

Organizations and users should apply the SMR Oct-2025 Release 1 update from Samsung as soon as it becomes available, as it is expected to contain the fix for this vulnerability. Until then, restrict local privileged access on Samsung mobile devices by enforcing strict device management policies, disabling unnecessary services, and monitoring for suspicious privilege escalations. Employ mobile device management (MDM) solutions to control app installations and privilege grants. Regularly audit device security settings and educate users on the risks of granting elevated privileges to untrusted applications. Additionally, consider isolating sensitive operations from devices that cannot be immediately patched. Monitoring for unusual behavior in fingerprint authentication processes may help detect exploitation attempts. Samsung should be engaged for timely patch information and guidance.