Full Report
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. [...]
Analysis Summary
# Vulnerability: Samsung Android Remote Code Execution via Image Parsing Library
## CVE Details
- CVE ID: CVE-2025-21043
- CVSS Score: N/A (Described as "critical")
- CWE: Out-of-bounds Write (CWE-787)
## Affected Systems
- Products: Samsung Android Devices
- Versions: Devices running Android 13 or later (prior to the Sep-2025 Release 1 patch).
- Configurations: Any software utilizing the vulnerable `libimagecodec.quram.so` library. Potentially affects other instant messengers using this library, not just WhatsApp.
## Vulnerability Description
The vulnerability is an Out-of-bounds Write weakness in `libimagecodec.quram.so`, a closed-source image parsing library developed by Quramsoft and used on Samsung devices. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices.
## Exploitation
- Status: Actively exploited in the wild (Zero-day).
- Complexity: Not specified, but exploitation requires delivering a specially crafted image file.
- Attack Vector: Network (via image delivery, e.g., through messaging apps like WhatsApp).
## Impact
- Confidentiality: High (Arbitrary code execution capability)
- Integrity: High (Arbitrary code execution capability)
- Availability: High (Device compromise possible)
## Remediation
### Patches
- Samsung Security Maintenance Release (SMR) for September 2025, specifically designated as **SMR Sep-2025 Release 1** or later.
### Workarounds
- The article notes that WhatsApp previously urged users to update their software and **reset devices to factory settings** following related exploitation, which suggests a factory reset might remove the exploit payload, though this is an extreme measure.
## Detection
- The article provides no specific Indicators of Compromise (IOCs) for this vulnerability, only the fact that it was actively exploited.
- Detection would rely on monitoring for unusual process behavior stemming from the image processing pipeline, or identifying devices that have not received the September 2025 SMR update.
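
The patch-status check described above can be run against a device inventory. The following is an added example, not part of the original report or any vendor tooling: the CSV column names and the sample rows are constructed, and it assumes that SMR Sep-2025 Release 1 corresponds to an Android security patch level of `2025-09-01`.

```python
import csv
import io
from datetime import date

# Assumption: SMR Sep-2025 Release 1 reports security patch level 2025-09-01.
FIXED_PATCH_LEVEL = date(2025, 9, 1)
MIN_AFFECTED_ANDROID = 13  # from the report: Android 13 or later

# Constructed sample MDM export (hypothetical column names). On a device these
# values come from ro.product.manufacturer, ro.build.version.release and
# ro.build.version.security_patch.
SAMPLE_INVENTORY = """device_id,manufacturer,android_release,security_patch
dev-001,samsung,14,2025-08-01
dev-002,Samsung,15,2025-09-01
dev-003,samsung,12,2024-03-01
dev-004,Google,15,2025-06-05
dev-005,SAMSUNG,13,
dev-006,samsung,14,2025-10-01
"""

def classify(row):
    """Return 'not_applicable', 'patched', 'vulnerable' or 'unknown' for one row."""
    if (row.get("manufacturer") or "").strip().lower() != "samsung":
        return "not_applicable"
    try:
        major = int((row.get("android_release") or "").split(".")[0])
    except ValueError:
        return "unknown"
    if major < MIN_AFFECTED_ANDROID:
        return "not_applicable"
    try:
        patch = date.fromisoformat((row.get("security_patch") or "").strip())
    except ValueError:
        return "unknown"  # missing or malformed patch level: follow up manually
    return "patched" if patch >= FIXED_PATCH_LEVEL else "vulnerable"

def triage(csv_text):
    """Group device ids by patch status for this CVE."""
    result = {"vulnerable": [], "unknown": [], "patched": [], "not_applicable": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row)].append(row["device_id"])
    return result

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the `unknown` group should be treated as unpatched until their patch level is confirmed.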
## References
- Vendor Advisory: samsungsecurity.smsb (the specific link provided in the source is omitted here.)
- Related discussion: x com/DonnchaC/status/1961444710620303653 (Defanged)