CVE-2023-21500

Double free validation vulnerability in setPinPadImages in mPOS TUI trustlet prior to SMR May-2023 Release 1 allows local attackers to access the trustlet memory.

Weakness

The product calls free() twice on the same memory address.

Affected Software

Name	Vendor	Start Version	End Version
Android	Samsung	13.0 (including)	13.0 (including)
Android	Samsung	13.0-smr-apr-2023-r1 (including)	13.0-smr-apr-2023-r1 (including)
Android	Samsung	13.0-smr-dec-2022-r1 (including)	13.0-smr-dec-2022-r1 (including)
Android	Samsung	13.0-smr-feb-2023-r1 (including)	13.0-smr-feb-2023-r1 (including)
Android	Samsung	13.0-smr-jan-2023-r1 (including)	13.0-smr-jan-2023-r1 (including)
Android	Samsung	13.0-smr-mar-2023-r1 (including)	13.0-smr-mar-2023-r1 (including)
Android	Samsung	13.0-smr-nov-2022-r1 (including)	13.0-smr-nov-2022-r1 (including)
Android	Samsung	13.0-smr-oct-2022-r1 (including)	13.0-smr-oct-2022-r1 (including)

Potential Mitigations

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=05
https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=05

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-21500
CWE	https://cwe.mitre.org/data/definitions/415.html

Double Free

Weakness

Affected Software

Potential Mitigations

References