“Samsung Galaxy S25 Faces Security Concerns Over Browser Exploits”
Outdated Engine Leaves Galaxy S25 Browser Exposed
Security researchers have uncovered a serious vulnerability in the default browser on the Samsung Galaxy S25, demonstrating a full remote code execution (RCE) exploit chain linked to an outdated version of the V8 JavaScript engine.
The flaw, present in Samsung Internet, can be escalated further into universal cross-site scripting (UXSS), potentially allowing attackers to inject malicious code across multiple websites and compromise user data at scale.
Figure 1. Samsung Galaxy S25.
A Critical Weak Point in JavaScript Processing
At the core of the issue is CVE-2025-10891, a vulnerability in V8’s Ignition interpreter—the component responsible for executing JavaScript code. The flaw arises from how exception handlers are stored, where limited offset sizes can lead to truncated values in large functions. Figure 1 shows Samsung Galaxy S25.
By exploiting this behavior, researchers were able to redirect execution into unintended areas of memory. Carefully crafted oversized JavaScript functions allowed them to gain partial control over execution flow, laying the groundwork for deeper exploitation.
From Code Manipulation to Full System Access
The attack was refined using a technique known as “constant smuggling,” enabling more precise control over bytecode execution. This allowed researchers to invoke internal V8 functions not normally accessible to web content.
A key breakthrough came with the use of a function capable of loading serialized Web Assembly modules. By manipulating this process, the team achieved arbitrary native code execution within the browser’s renderer environment—effectively gaining the ability to run attacker-controlled code.
To ensure compatibility with ARM-based Android devices, the exploit dynamically generated payloads directly on the device, making the attack reliable on real-world hardware.
Escalation to Cross-Site Attacks
Beyond initial compromise, the researchers demonstrated universal cross-site scripting (UXSS). Due to relatively weaker site isolation in mobile Chromium environments, multiple websites can share the same renderer process.
By modifying internal execution pathways, the exploit installs a persistent hook that injects malicious scripts whenever new pages load [1]. This enables attackers to access data across different websites, bypassing traditional browser security boundaries.
Not New—But Still Dangerous
Importantly, this is not a newly discovered zero-day. The vulnerability had already been identified and patched in upstream V8 months earlier. However, the issue persists because Samsung Internet shipped with an outdated engine version lacking those fixes.
A Reminder on Update Lag Risks
This case highlights a broader concern in mobile security: delays in integrating upstream patches can leave widely used applications exposed long after vulnerabilities are known.
For users of Samsung Internet, the findings underscore the importance of timely updates—not just for apps, but for the underlying components that power them. As browsers remain a primary gateway to online activity, even a single unpatched flaw can open the door to significant risks.
References
- https://cyberinsider.com/samsung-galaxy-s25-ships-browser-vulnerable-to-rce-and-xss-attacks/
Cite this article:
Keerthana S (2026), “Samsung Galaxy S25 Faces Security Concerns Over Browser Exploits”, AnaTechMaz, pp.364







