Samsung users have been urged to take urgent action in response to 18 security vulnerabilities discovered in Samsung’s Exynos cellular modem firmware by Google’s Project Zero. Critical security flaws have been identified that expose Samsung’s Exynos chipset to attacks that require no user interaction, making them particularly concerning. Project Zero team lead, Tim Willis, has revealed that his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.

Of the 18 zero-day flaws, four have the potential to allow remote code execution from the internet to the baseband, which is also known as the modem. As the modem typically has privileged, low-level access to all of the hardware, exploiting flaws within its code could give an attacker complete control over the device or phone.

The vulnerabilities have been identified as heap buffer overflows in the 5G MM message codec while decoding extended emergency lists, service area lists, and reserved options. Technical information regarding these vulnerabilities has been withheld to protect users of affected devices. However, Samsung has released advisories outlining the Exynos chipsets impacted by these vulnerabilities, which include mobile devices from Samsung, Vivo, and Google’s Pixel 6/7 handsets, along with any wearables that use the Exynos W920 chipset, and any vehicles that use the Exynos Auto T5123 chipset.