CVE-2025-21043 — Samsung Mobile Devices Out-of-Bounds Write Vulnerability

Samsung Mobile — libimagecodec.quram.so OOB Write; Reported by Meta/WhatsApp; Android 13–16; September 2025 SMR

What is Samsung's libimagecodec.quram.so?

libimagecodec.quram.so is Samsung's proprietary image codec library (developed by Quram) that handles image decoding on Samsung Galaxy devices. It processes multiple image formats — JPEG, PNG, GIF, BMP, and others — and is invoked automatically when images are received via messaging apps, email, MMS, or downloaded from the web. Because image decoding happens automatically on receipt (no explicit user action beyond opening a chat or email), vulnerabilities in this library can be exploited via zero-click or one-click attack vectors.

Overview

CVE-2025-21043 is an out-of-bounds write vulnerability (CWE-787) in Samsung's libimagecodec.quram.so image codec library affecting Android 13 through 16 on Samsung devices. A remote attacker can send a maliciously crafted image file that triggers the OOB write during decoding, potentially enabling arbitrary code execution. The vulnerability was reported by the Meta and WhatsApp Security Teams, suggesting it was identified through analysis of a real-world attack chain or spyware toolchain. Samsung confirmed active exploitation before the September 2025 SMR patch.

Affected Versions

Platform             Vulnerable                        Fixed
Samsung Android 13   Before SMR Sep-2025 Release 1     SMR Sep-2025 Release 1
Samsung Android 14   Before SMR Sep-2025 Release 1     SMR Sep-2025 Release 1
Samsung Android 15   Before SMR Sep-2025 Release 1     SMR Sep-2025 Release 1
Samsung Android 16   Before SMR Sep-2025 Release 1     SMR Sep-2025 Release 1

Technical Details

The out-of-bounds write (CWE-787) occurs in the image decoding logic of libimagecodec.quram.so. When parsing a specially crafted image file, the codec computes an incorrect buffer size or index, writing image data beyond the allocated buffer boundary. This heap corruption can be controlled by the attacker to overwrite adjacent memory structures, enabling code execution in the context of the messaging app or system process that initiated the decode.
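To make the defect class concrete (a write length derived from attacker-controlled header fields that is never checked against the destination buffer), here is an added C example. It is constructed for this page and is not Samsung's or Quram's code: the toy raw-image format, the function names decode_vulnerable and decode_hardened, the 16-byte output slot and the canary harness are all assumptions for illustration. The canary region stands in for the adjacent memory structures that a real heap overflow would corrupt, and keeping the slot and canary in one array keeps the demonstration itself well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy raw-image format (an assumption for this illustration, not
 * the real Quram format):
 *   bytes 0-1  width  (little-endian u16)
 *   bytes 2-3  height (little-endian u16)
 *   bytes 4..  one byte per pixel, row-major
 */
#define HDR_LEN 4

static size_t rd16(const uint8_t *p) { return (size_t)(p[0] | (p[1] << 8)); }

/* Vulnerable decoder: the destination capacity is known but never compared to
 * the geometry declared in the (attacker-controlled) header, so the row copy
 * runs past the end of out whenever width*height exceeds out_cap. */
int decode_vulnerable(const uint8_t *img, size_t img_len, uint8_t *out, size_t out_cap)
{
    (void)out_cap;                                   /* bug: capacity is ignored */
    if (img_len < HDR_LEN) return -1;
    size_t w = rd16(img), h = rd16(img + 2);
    if (img_len - HDR_LEN < w * h) return -1;        /* only the input side is checked */
    for (size_t row = 0; row < h; row++)
        memcpy(out + row * w, img + HDR_LEN + row * w, w);
    return 0;
}

/* Hardened decoder: validates the declared geometry against the destination
 * before any write and rejects a width*height product that would wrap. */
int decode_hardened(const uint8_t *img, size_t img_len, uint8_t *out, size_t out_cap)
{
    if (img_len < HDR_LEN) return -1;
    size_t w = rd16(img), h = rd16(img + 2);
    if (w == 0 || h == 0) return -1;
    if (w > SIZE_MAX / h) return -1;                 /* product would overflow size_t */
    size_t needed = w * h;
    if (needed > out_cap) return -2;                 /* declared image larger than destination */
    if (img_len - HDR_LEN < needed) return -1;       /* truncated pixel payload */
    memcpy(out, img + HDR_LEN, needed);
    return 0;
}

/* Harness: a 16-byte output slot followed by a canary region filled with 0xAA.
 * Any decoder write that spills past the slot lands in the canary. */
#define SLOT 16
#define CANARY_LEN 48

typedef int (*decoder_fn)(const uint8_t *, size_t, uint8_t *, size_t);

enum outcome { OUTCOME_OK = 0, OUTCOME_REJECTED = 1, OUTCOME_CORRUPTED = 2 };

enum outcome check_decoder(decoder_fn dec, const uint8_t *img, size_t img_len)
{
    uint8_t arena[SLOT + CANARY_LEN];
    memset(arena, 0xAA, sizeof arena);
    int rc = dec(img, img_len, arena, SLOT);
    for (size_t i = SLOT; i < sizeof arena; i++)
        if (arena[i] != 0xAA) return OUTCOME_CORRUPTED;
    return rc == 0 ? OUTCOME_OK : OUTCOME_REJECTED;
}

/* Constructed inputs. Pixel bytes are left zero so a spill into the 0xAA canary is visible. */
static const uint8_t BENIGN[HDR_LEN + 16]    = { 4, 0, 4, 0 };   /* 4x4 = 16 px, fits the slot */
static const uint8_t MALFORMED[HDR_LEN + 32] = { 8, 0, 4, 0 };   /* claims 8x4 = 32 px, twice the slot */

int main(void)
{
    printf("vulnerable/benign    : %d\n", check_decoder(decode_vulnerable, BENIGN, sizeof BENIGN));
    printf("vulnerable/malformed : %d\n", check_decoder(decode_vulnerable, MALFORMED, sizeof MALFORMED));
    printf("hardened/benign      : %d\n", check_decoder(decode_hardened, BENIGN, sizeof BENIGN));
    printf("hardened/malformed   : %d\n", check_decoder(decode_hardened, MALFORMED, sizeof MALFORMED));
    return 0;
}
```

The vulnerable path accepts the malformed header because the only check it performs is against the input length, which the sender controls along with the header; the hardened path checks the declared geometry against the destination and the arithmetic that produced it before writing a single byte. The same pattern applies to real decoders where the geometry comes from a JPEG SOF marker, a PNG IHDR chunk or a GIF logical screen descriptor, and the allocation is computed from it.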

Key exploitation characteristics:

  • Network-delivered via image file in any messaging app, email, or MMS
  • Samsung's CVSS score of 8.8 reflects User Interaction Required (UI:R) — the user must open the message/image
  • NVD rates it 9.8 CRITICAL (no user interaction assumed for some delivery vectors)
  • Companion to CVE-2025-21042 (same library, patched in the April 2025 SMR for a related vulnerability)

Discovery

Reported by the Meta and WhatsApp Security Teams on August 13, 2025 (Samsung internal tracking: SVE-2025-1702). Meta's reporting of an image codec vulnerability in a messaging context suggests the bug was identified through analysis of a message-based spyware delivery attempt, consistent with commercial surveillance tools targeting WhatsApp users.

Exploitation Context

Samsung confirmed active exploitation before the September 2025 SMR. CISA added CVE-2025-21043 to the KEV catalog on October 2, 2025. The exploitation context — Meta/WhatsApp reporting, image codec, Samsung-specific library — is consistent with mobile spyware (Pegasus, Predator, or similar) delivery via malicious media files sent through messaging platforms.

Remediation

  1. Install Samsung September 2025 SMR or later. On Samsung Galaxy devices, navigate to Settings → Software update → Download and install.
  2. Apply the companion CVE-2025-21042 patch if not already applied — both vulnerabilities affect the same library and share the same attack surface.
  3. Enable automatic security updates on Samsung devices — SMR releases arrive monthly; automated updates minimize the window of exposure.
  4. Enable message filter settings in Samsung Messages and similar apps to reduce auto-download of media from unknown senders.
  5. High-risk individuals (journalists, activists, government officials) should consider enabling Samsung's additional security hardening features or using a dedicated secure device.

Key Details

Property               Value
CVE ID                 CVE-2025-21043
Vendor / Product       Samsung — Mobile Devices
NVD Published          2025-09-12
NVD Last Modified      2025-10-30
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787
CISA KEV Added         2025-10-02
CISA KEV Deadline      2025-10-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-10-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-08-13   Vulnerability reported by Meta and WhatsApp Security Teams (SVE-2025-1702)
2025-09-01   Samsung September 2025 SMR (Security Maintenance Release) published with fix
2025-09-12   CVE published
2025-10-02   Added to CISA Known Exploited Vulnerabilities catalog
2025-10-23   CISA BOD 22-01 remediation deadline