Samsung’s Android OS versions O(8.x) Out-of-bounds Write Vulnerability
The Samsung May 2020 Android Security Update notes that “a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution.” Samsung identifies this vulnerability. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system. Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.
The information has been provided by Mateusz Jurczyk
The original article can be found at:https://security.samsungmobile.com/securityUpdate.smsb
There is a buffer overwrite vulnerability in the Quram qmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction.
Samsung’s Android OS versions O(8.x)
Samsung’s Android OS versions P(9.0)
Samsung’s Android OS versions Q(10.0)