Critical Samsung TV Vulnerability Exploited by Codex to Gain Root Access

Marcus Rodriguez
April 14, 2026

Key Takeaways

  • OpenAI’s Codex AI successfully achieved root privilege escalation on a Samsung Smart TV.
  • The exploit leveraged world-writable kernel driver interfaces, specifically within the Novatek Microelectronics stack.
  • The vulnerability (CVE-2026-XXXX, details pending) allowed unprivileged code to gain raw read/write access to physical memory.
  • The AI autonomously identified and exploited the flaw, demonstrating advanced penetration testing capabilities.
  • Samsung and other vendors are advised to restrict permissions on similar driver stacks and implement robust memory validation.

In a groundbreaking demonstration of AI’s burgeoning capabilities in offensive security, OpenAI’s Codex model independently escalated privileges to root on a live Samsung Smart TV. This significant finding, published by CALIF on April 14, 2026, exposes critical security oversights in how hardware manufacturers secure their consumer electronics, particularly regarding kernel driver permissions.

The experiment began with an already established browser-level foothold on the target device. Researchers had secured code execution within the Samsung TV’s browser application, operating under a low-privileged user context with a user ID (uid) of 5001.

From this initial position, the CALIF team provided Codex with direct access to the operational device, alongside the corresponding KantS2 firmware source tree. KantS2 is Samsung’s internal designation for the Smart TV firmware installed on the specific model under scrutiny.

The central question driving the research was whether an AI, given a realistic post-exploitation scenario, could autonomously progress from a limited foothold to full root access without any specific guidance towards a known vulnerability.

CALIF analysts emphasized that Codex received no specific directives regarding particular drivers, physical memory exploration, or kernel credentials. The AI was tasked with independently enumerating the attack surface, analyzing Samsung’s vendor driver source code, and verifying its findings against the live device. This methodology closely mirrors the actions of a highly skilled human penetration tester engaged in a real-world assessment.

The Samsung TV in question runs Linux kernel 4.1.10, operating on Samsung’s Tizen platform. This platform incorporates Unauthorized Execution Prevention (UEP), a security measure designed to prevent unsigned binaries from executing directly from disk.

To circumvent UEP, the research environment included a memfd wrapper. This utility loads programs into anonymous in-memory file descriptors and executes them from memory, bypassing disk-based execution checks entirely. Codex leveraged this wrapper throughout its session to deploy and run custom-built static ARMv7 binaries on the target without triggering UEP.

Discovery of World-Writable Drivers

During its enumeration phase, Codex successfully identified three world-writable device nodes belonging to the ntk* driver family: ntkhdma, ntksys, and ntkxdma. These interfaces, which appeared as crw-rw-rw- in the device listing, are part of the Novatek Microelectronics stack integrated into Samsung’s firmware.

Given their accessibility from the browser shell, their presence on the device, and their inclusion in the released KantS2 source tree, these three interfaces formed the primary attack surface for the AI’s offensive operations.

How Codex Turned Driver Access Into Root

The core vulnerability resides within /dev/ntksys, a Samsung kernel driver. This driver permits user-space programs to register a physical memory address and a size, subsequently mapping that memory directly into their own process space via the mmap system call. Security researchers refer to this capability as a “physmap primitive,” as it grants unprivileged code raw read and write access to physical memory without requiring complex kernel code-execution exploits.

The root cause of this critical flaw is a combination of factors: a shipping udev rule that sets world-writable permissions (KERNEL=="ntksys", MODE="0666"), and a driver implementation that only validates the table slot index, completely ignoring whether the requested memory range overlaps with kernel-owned or other privileged memory regions. This vulnerability is evident in ker_sys.c around line 1158, where an attacker-supplied address is stored and later remapped verbatim by vk_remap_pfn_range.
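As an added example (not code from the CALIF write-up or the vendor firmware), the following C program shows how a firmware reviewer could flag udev rules like the one quoted above by parsing each rule's MODE assignment and testing the other-write bit. The function names and all sample rules except the quoted ntksys rule are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the quoted value following `key` (e.g. MODE=) into out; 1 on success. */
static int rule_value(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    if (!p || !(p = strchr(p, '"'))) return 0;
    const char *end = strchr(p + 1, '"');
    size_t len = end ? (size_t)(end - p - 1) : n;
    if (len >= n) return 0;               /* unterminated or too long */
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return 1;
}

/* 1 if the rule assigns a MODE with the other-write bit (0002) set.
 * `kernel` receives the KERNEL== match, or "?" when the rule has none. */
int rule_is_world_writable(const char *line, char *kernel, size_t n)
{
    char mode[16], *endp;
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '#' || *line == '\0') return 0;      /* comment or blank */
    if (!rule_value(line, "MODE=", mode, sizeof mode)) return 0;
    unsigned long m = strtoul(mode, &endp, 8);
    if (endp == mode || *endp != '\0') return 0;      /* not an octal mode */
    if (!rule_value(line, "KERNEL=", kernel, n)) snprintf(kernel, n, "?");
    return (m & 0002) != 0;
}

/* Constructed sample: the first rule is the one quoted in the article. */
static const char *SAMPLE_RULES[] = {
    "KERNEL==\"ntksys\", MODE=\"0666\"",
    "KERNEL==\"example0\", GROUP=\"video\", MODE=\"0660\"",
    "# KERNEL==\"disabled\", MODE=\"0666\"",
};

/* Print and count every rule that leaves its device node world-writable. */
int count_findings(const char **rules, size_t count)
{
    char kernel[64];
    int hits = 0;
    for (size_t i = 0; i < count; i++)
        if (rule_is_world_writable(rules[i], kernel, sizeof kernel)) {
            printf("world-writable: %s (%s)\n", kernel, rules[i]);
            hits++;
        }
    return hits;
}

int main(void) { return count_findings(SAMPLE_RULES, 3) == 1 ? 0 : 1; }
```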

Codex meticulously constructed its exploit step by step. First, it queried /dev/ntkhdma, which returned the physical address of the DMA buffer (0x84840000) to the unprivileged caller. This provided Codex with a known-good memory page for testing.

Next, the AI mapped that page through ntksys and confirmed its ability to read from and write to it from within the browser shell. With the physmap primitive successfully validated, Codex proceeded to scan RAM windows, leveraging information from /proc/cmdline. It located the browser process’s cred structure by matching its stored uid and gid values, and then zeroed out these fields.

The final shell confirmed the complete privilege escalation, displaying uid=0(root) gid=0(root).

The full write-up and proof-of-concept code are publicly available at the CALIF GitHub repository under MADBugs/samsung-tv.

What You Should Do

  • Hardware Vendors: Audit all third-party kernel components embedded in consumer firmware against the principle of least privilege before shipping.
  • Samsung and Similar Vendors: Immediately restrict permissions on ntk* device nodes and similar driver stacks to privileged processes only.
  • Developers: Remove all world-writable udev rules from any memory-management interfaces.
  • Driver Developers: Implement robust physical range validation within drivers like ntksys before allowing any mmap calls to prevent mapping kernel-owned or privileged memory.
  • Users: While direct mitigation for users is limited, ensure your Smart TV firmware is always updated to the latest available version from the manufacturer.
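
The range check that the root-cause section says is missing, and that the Driver Developers item asks for, can be sketched as a default-deny allowlist test; this is an added example, not the ntksys driver's code or a vendor patch. The function and type names are hypothetical, the region base is the DMA buffer address quoted in the article, and the region size and sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u

struct phys_region { uint64_t base, size; };

enum { RANGE_OK = 0, RANGE_EINVAL = -1, RANGE_EPERM = -2 };

/* Hypothetical allowlist of driver-owned buffers. The base is the DMA buffer
 * address quoted in the article; the 1 MiB size is a constructed value. */
static const struct phys_region DRIVER_OWNED[] = {
    { 0x84840000ull, 0x00100000ull },
};

/* Accept a registration only if [addr, addr+size) is page-aligned, does not
 * wrap, and lies entirely inside one driver-owned region. */
int validate_phys_range(uint64_t addr, uint64_t size,
                        const struct phys_region *allow, size_t n)
{
    if (size == 0 || addr % PAGE_SZ || size % PAGE_SZ)
        return RANGE_EINVAL;
    if (addr + size < addr)                 /* integer wraparound */
        return RANGE_EINVAL;
    for (size_t i = 0; i < n; i++) {
        uint64_t lo = allow[i].base, hi = lo + allow[i].size;
        if (addr >= lo && addr + size <= hi)
            return RANGE_OK;
    }
    return RANGE_EPERM;                     /* default deny */
}

int main(void)
{
    /* Constructed requests: inside, straddling the end, and outside. */
    const uint64_t req[][2] = {
        { 0x84840000ull, 0x1000 }, { 0x8493F000ull, 0x2000 },
        { 0x80008000ull, 0x1000 },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%#llx+%#llx -> %d\n", (unsigned long long)req[i][0],
               (unsigned long long)req[i][1],
               validate_phys_range(req[i][0], req[i][1], DRIVER_OWNED, 1));
    return 0;
}
```

In a driver, a check of this kind belongs both where the address is registered and again in the mmap handler, so that a stored entry is never remapped without validation.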

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
