CVE-2025-21042 — Samsung Mobile Devices Out-of-Bounds Write Vulnerability

CVE-2025-21042

Samsung Mobile — libimagecodec.quram.so OOB Write; Linked to Landfall Commercial Spyware (Unit 42); April 2025 SMR

What is Samsung's libimagecodec.quram.so?

libimagecodec.quram.so is Samsung's proprietary image codec library (Quram) that automatically decodes image files received via messaging apps, email, and MMS on Samsung Galaxy devices. See CVE-2025-21043 for the full library context. CVE-2025-21042 is a distinct OOB write in the same library, patched in the April 2025 SMR for Android 13 and 14.

Overview

CVE-2025-21042 is a use-after-free/out-of-bounds write vulnerability (CWE-787) in Samsung's libimagecodec.quram.so that was patched in the April 2025 Samsung Security Maintenance Release (SMR) for Android 13 and 14 devices. Unlike companion CVE-2025-21043 (which was reported by Meta/WhatsApp and patched in September 2025), CVE-2025-21042 was linked by Palo Alto Networks Unit 42 to "Landfall" — a commercial-grade Android surveillance software platform — in exploitation observed before the April 2025 patch.

Affected Versions

Platform             Vulnerable                        Fixed
Samsung Android 13   Before SMR Apr-2025 Release 1     SMR Apr-2025 Release 1
Samsung Android 14   Before SMR Apr-2025 Release 1     SMR Apr-2025 Release 1

Note: Android 15 and 16 were addressed by a related fix; Samsung Android 15/16 users should apply the September 2025 SMR (CVE-2025-21043) for complete protection of the same library.

Technical Details

The out-of-bounds write (CWE-787) occurs in libimagecodec.quram.so's image parsing path — distinct from, but related to, the bug in CVE-2025-21043. A crafted image file causes a bounds check to fail during decoding, allowing writes beyond the allocated buffer. The two vulnerabilities likely originate in different functions or format handlers within the same library; both are reachable by delivering a maliciously crafted image to the device.
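The decoding-side bug class described above, as an added example that is not part of the original advisory and is not Samsung's or Quram's code: a toy run-length image decoder in which the unchecked path writes each run at the length the file declares (the CWE-787 pattern), shown next to a hardened decoder that bounds the dimensions and refuses any run that would cross the end of the pixel buffer. The "TIMG" format, every function name and the sample buffers are constructed for illustration.

```c
/* Added example (not Samsung's or Quram's code): a toy run-length image decoder
 * showing the CWE-787 pattern, a decoder trusting a length the file declares,
 * next to its hardened form. The "TIMG" format, every function name and the
 * sample buffers are constructed for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define TIMG_HDR_LEN 8u      /* "TIMG" magic + u16 width + u16 height (little-endian) */
#define TIMG_MAX_DIM 4096u   /* hardened decoder refuses larger dimensions */

typedef struct {
    uint16_t width, height;
    uint8_t *pixels;         /* width * height bytes, one byte per pixel */
} timg_t;

/* Shared header parser: returns 0 on success, -1 on a short or unknown header. */
static int timg_parse_header(const uint8_t *buf, size_t len, uint16_t *w, uint16_t *h)
{
    if (len < TIMG_HDR_LEN || memcmp(buf, "TIMG", 4) != 0) return -1;
    *w = (uint16_t)(buf[4] | (buf[5] << 8));
    *h = (uint16_t)(buf[6] | (buf[7] << 8));
    return 0;
}

/* UNSAFE, the pre-patch pattern: each run is written at the length the file
 * declares with no check against the space left in pixels, so a stream whose
 * runs sum to more than width*height writes past the end of the heap buffer
 * (out-of-bounds write, CWE-787). Kept only for contrast with the version below. */
int timg_decode_unchecked(const uint8_t *buf, size_t len, timg_t *img)
{
    if (timg_parse_header(buf, len, &img->width, &img->height)) return -1;
    size_t n = (size_t)img->width * img->height;
    size_t pos = 0;
    img->pixels = malloc(n);
    if (!img->pixels) return -1;
    for (size_t i = TIMG_HDR_LEN; i + 1 < len; i += 2) {
        uint8_t run = buf[i], value = buf[i + 1];
        memset(img->pixels + pos, value, run);   /* missing: run <= n - pos */
        pos += run;
    }
    return 0;
}

/* Hardened: bound the dimensions (so width*height cannot overflow), refuse any
 * run that would cross the end of the buffer, and require the stream to fill
 * the image exactly. Returns 0 on success, -1 on any malformed input; nothing
 * is ever written past pixels + n. */
int timg_decode_checked(const uint8_t *buf, size_t len, timg_t *img)
{
    uint16_t w, h;
    img->pixels = NULL;
    if (timg_parse_header(buf, len, &w, &h)) return -1;
    if (w == 0 || h == 0 || w > TIMG_MAX_DIM || h > TIMG_MAX_DIM) return -1;
    size_t n = (size_t)w * h;
    uint8_t *px = calloc(n, 1);
    if (!px) return -1;
    size_t pos = 0;
    for (size_t i = TIMG_HDR_LEN; i + 1 < len; i += 2) {
        size_t run = buf[i];
        if (run > n - pos) { free(px); return -1; }   /* the check the unsafe path lacks */
        memset(px + pos, buf[i + 1], run);
        pos += run;
    }
    if (pos != n) { free(px); return -1; }            /* short stream: image incomplete */
    img->width = w; img->height = h; img->pixels = px;
    return 0;
}

/* Constructed samples: a valid 4x2 image (two runs totalling 8 pixels) and a
 * crafted 2x2 image whose single run declares 200 pixels. */
static const uint8_t SAMPLE_OK[]       = {'T','I','M','G', 4,0, 2,0, 5,0xAA, 3,0x55};
static const uint8_t SAMPLE_OVERLONG[] = {'T','I','M','G', 2,0, 2,0, 200,0xFF};

/* 1 if the hardened decoder accepts buf, 0 if it rejects it. */
int timg_accepts(const uint8_t *buf, size_t len)
{
    timg_t img;
    if (timg_decode_checked(buf, len, &img) != 0) return 0;
    free(img.pixels);
    return 1;
}

/* Pixel value at (x, y) after hardened decoding, or -1 if rejected / out of range. */
int timg_pixel_at(const uint8_t *buf, size_t len, unsigned x, unsigned y)
{
    timg_t img;
    int v = -1;
    if (timg_decode_checked(buf, len, &img) != 0) return -1;
    if (x < img.width && y < img.height) v = img.pixels[(size_t)y * img.width + x];
    free(img.pixels);
    return v;
}

int main(void)
{
    printf("valid sample accepted: %d\n", timg_accepts(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("over-long sample accepted: %d\n", timg_accepts(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    return 0;
}
```

The hardened decoder makes the remaining capacity (`n - pos`) the only thing a run length is ever compared against, which is the general fix for this class: every length taken from the file is checked against the buffer actually allocated, not against other values taken from the file. Building decoders like this under AddressSanitizer during fuzz testing is the standard way to catch the unchecked path before it ships.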

Key differentiation from CVE-2025-21043:

  • Affects only Android 13–14 (not 15–16 in this bulletin)
  • Patched in April 2025 SMR (five months before CVE-2025-21043's September 2025 SMR)
  • Linked by Unit 42 to Landfall commercial spyware platform
  • CVE published September 2025 despite the April 2025 patch — reflecting delayed CVE assignment

Discovery

Samsung identified the vulnerability internally (SVE-2024-1969, September 25, 2024). Unit 42 (Palo Alto Networks) subsequently linked in-the-wild exploitation to the Landfall commercial spyware platform.

Exploitation Context

Palo Alto Networks Unit 42 attributed active exploitation of CVE-2025-21042 to Landfall — a commercial-grade Android surveillance software platform used in targeted monitoring operations. CISA added it to the KEV catalog on November 10, 2025, with a December 1, 2025 remediation deadline. The Landfall attribution indicates government or law enforcement customers were paying for exploits against Samsung devices using this vulnerability.

Remediation

  1. Install Samsung April 2025 SMR or later on Android 13–14 Samsung devices. Check Settings → Software update.
  2. Install September 2025 SMR for complete protection — CVE-2025-21043 (companion vulnerability) is patched in the September bulletin.
  3. Enable Samsung's automatic security updates so future SMRs apply without manual intervention.
  4. High-risk individuals facing potential Landfall-style surveillance targeting should consult a security specialist and consider device reset/replacement as a precaution if the April 2025 patch was not applied promptly.

Key Details

Property              Value
CVE ID                CVE-2025-21042
Vendor / Product      Samsung — Mobile Devices
NVD Published         2025-09-12
NVD Last Modified     2025-11-12
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2025-11-10
CISA KEV Deadline     2025-12-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-12-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-09-25  Vulnerability internally identified (SVE-2024-1969)
2025-04-01  Samsung April 2025 SMR released with fix for Android 13–14
2025-09-12  CVE published
2025-11-10  Added to CISA Known Exploited Vulnerabilities catalog (linked to Landfall commercial spyware by Unit 42)
2025-12-01  CISA BOD 22-01 remediation deadline

References

Resource                                             Type
Samsung Security Maintenance Release — April 2025    Vendor Advisory
NVD — CVE-2025-21042                                 Vulnerability Database
CISA KEV Catalog Entry                               US Government