Samsung’s Android OS versions O(8.x) Out-of-bounds Write Vulnerability


The Samsung May 2020 Android Security Update notes that “a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution.” Samsung identifies this vulnerability. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system. Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.


The information has been provided by Mateusz Jurczyk

The original article can be found at:


There is a buffer overwrite vulnerability in the Quram qmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. 


Vulnerable Systems:

Samsung’s Android OS versions O(8.x)

Samsung’s Android OS versions P(9.0)

Samsung’s Android OS versions Q(10.0)


CVE Information:



Disclosure Timeline:
Published Date:5/6/2020

Categories: FeaturedNews