Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote crafted image but reaching the TIFF parser is a real precondition, so AC:H; no auth or interaction (PR:N/UI:N); memory-write gives I:H, minor A:L, no C impact.
Primary rating from Vendor (samsung).
CVSS VectorVendor: samsung
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allows remote attackers to write out-of-bounds memory.
AnalysisAI
Out-of-bounds memory write in the Quram image codec (libimagecodec.media.quram.so) used by Samsung mobile devices allows remote attackers to corrupt memory while the library parses a malformed TIFF image, affecting builds prior to SMR Jul-2026 Release 1. Reported by Samsung's own mobile security team, the flaw carries a CVSS 4.0 base score of 8.3 (High) with a network vector and no privileges or user interaction required, though an attack requirement (AT:P) indicates a specific precondition. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target device to decode an attacker-crafted TIFF image through the Quram codec (libimagecodec.media.quram.so) on a build below SMR Jul-2026 Release 1 - the specific trigger is TIFF-format parsing, not arbitrary image handling. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent: the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) points to remote, unauthenticated, no-interaction reachability, but the AT:P flag signals a genuine attack requirement - the target must actually receive and decode the malicious TIFF through a path that reaches the Quram parser, which is not guaranteed on every device or messaging configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious TIFF image with manipulated header/offset fields and delivers it to a target device through a messaging attachment, malicious webpage, or app that triggers image decoding by the Quram library. When the platform parses the TIFF, the out-of-bounds write corrupts adjacent memory in the decoding process; given AC:L, the trigger is reliable once the parser is reached, though the AT:P precondition means the specific delivery/decode path must be exercised. … |
| Remediation | Vendor-released patch: SMR Jul-2026 Release 1 - apply the July 2026 Samsung Maintenance Release (or later) via the device's software update mechanism as the primary fix, consulting the advisory at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=07 for the exact patch level and covered models. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Samsung mobile devices using MDM/asset management tools, identify devices running builds prior to SMR Jul-2026 Release 1, and establish monitoring for device crashes or unexplained reboots. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42816
GHSA-rw4v-99fx-2m8m