Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
ID: ea615d47-a44b-508d-beaf-d9aa3fa4ba4b
STIX ID: report--ea615d47-a44b-508d-beaf-d9aa3fa4ba4b
Feed Name: Google Project Zero
Project Zero disclosed eighteen vulnerabilities in Samsung Exynos modems, highlighting four critical Internet-to-baseband RCEs (CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, CVE-2023-26498) that allow remote, no-interaction compromise of phones if an attacker knows the victim's number; fourteen other related flaws are less severe and often require a malicious carrier or local access. Affected devices likely include many Samsung and Vivo models, Google Pixel 6/7, and Exynos Auto T5123-equipped vehicles; patches and mitigations vary by vendor, and Project Zero temporarily delayed public disclosure of the four most severe issues due to the high exploitability risk.
