Samsung fixed a critical remote-code-execution bug in the Quramsoft image codec (`libimagecodec.quram.so`) used on Galaxy devices. The flaw—an Out-of-Bounds Write—is patched in SMR Sep-2025 Release 1 and was exploited in the wild before disclosure. Samsung credits Meta & WhatsApp Security Teams (report date 2025-08-13). Patch immediately to the September 2025 security level (or later).
Media coverage underscores that any messenger or app that relies on the system image parser (not just WhatsApp) could be a delivery vector for a malicious image.
Vulnerability details
- CVE: CVE-2025-21043
- Component: Quramsoft image codec (`libimagecodec.quram.so`)
- Type / CWE: Out-of-Bounds Write (CWE-787) → memory corruption → potential RCE
- Severity: Critical (Samsung)
- Affected OS on Samsung builds: Android 13–16
- Fix: Included in SMR Sep-2025 Release 1
- Exploit status: “Exploit … has existed in the wild.” (Samsung)
- Reporter credit: Meta & WhatsApp Security Teams (reported 2025-08-13)
All of the above are specified in Samsung’s security bulletin entry for SVE-2025-1702 / CVE-2025-21043.
> Why it matters: Image codecs often process untrusted content automatically (previews, thumbnailers, notifications). One malformed image can crash the decoder or, with a working exploit, run attacker code in the decoder’s process. Coverage notes other messengers using the system codec may be exposed—not just WhatsApp.
Timeline (UTC)
- 2025-08-13: Samsung receives report from Meta & WhatsApp.
- 2025-09-03 → 2025-09-12: September 2025 SMR announced and begins rolling out to models/regions (ongoing staggered release). Community trackers and press confirm early-September waves across multiple devices.
- 2025-09-12: Public reporting highlights active exploitation and WhatsApp/Meta credit.
Threat model & likely attack paths
Primary vector: Delivery of a malicious image that triggers decoding paths eventually invoking `libimagecodec.quram.so`. Apps that delegate image parsing to the OS/vendor codecs inherit the risk.
Common touchpoints (high-exposure first):
- Messaging: MMS/RCS; OTT messengers (auto-download, previews, notification thumbs).
- System components: Gallery, MediaScanner, indexers/thumbnailers, ShareSheet.
- Browsers & Email: Inline image rendering, preview panes.
4) Root-cause clarity (what’s known vs. inferred)
- Confirmed (Samsung): Out-of-Bounds Write in the Quramsoft codec; fixed by correcting an “incorrect implementation.” No format or trigger details disclosed.
- Context (inference, not specific to this CVE): Historically, Quram/Qmage bugs involved size/stride miscalculation and insufficient metadata validation, enabling heap corruption and even zero-click MMS attacks on Samsung devices. Treat this as background, not proof for CVE-2025-21043.
Exploitability factors to keep in mind (general): Modern Android hardening (ASLR, CFI, PAC/MTE on some SoCs, process sandboxing) raises difficulty but doesn’t preclude reliable RCE chains. Exact exploit quality/sandbox impact here are undisclosed.
5) Impact assessment
- Worst-case: Network-reachable RCE when the image is parsed, leading to code execution within the decoder’s process context. Additional bugs or misconfigurations would be required for broader device compromise. (RCE status per Samsung.)
- Breadth: Any Galaxy device on pre-SMR Sep-2025 builds and using vendor image paths is at risk until patched; rollout is staggered by model/region/carrier. Trackers highlight that September SMR is actively shipping.
6) Exposure verification & validation
6.1 “Am I safe?” quick check (on-device)
- Go to Settings → About phone → Android version → Android security update.
- If it shows September 1, 2025 or September 5, 2025 (or a later month), you have the corresponding Android patch level; Samsung’s SMR includes these plus Samsung fixes. Google states that 2025-09-05 includes all issues in 2025-09-01 and earlier. ([Android Open Source Project][5])
- Samsung’s bulletin explicitly says SMR Sep-2025 Release 1 includes the fix for CVE-2025-21043. ([Samsung Mobile Security][1])
> Rule of thumb: On Samsung, a device showing “September 2025” with SMR Sep-2025 R1 is covered for CVE-2025-21043.
6.2 ADB/MDM checks (fleet)
`adb shell getprop ro.build.version.security_patch` → expect `2025-09-01` or `2025-09-05` (or later). ([Android Open Source Project][5])
- Model-specific rollout: Confirm availability for particular SKUs/regions using Samsung community/tracker posts (e.g., S23 series S918BXXS8DYI3 reported live). Use as availability signal, not authoritative coverage. ([Droid Life][6])
7) Detection & triage guidance (blue team)
> Focus on decoder crashes and media-ingestion correlations. Don’t expect IOCs yet; content is often E2EE.
- Crash/tombstone review on test or enrolled devices
- Pull `/data/tombstones/` (`tombstone_*.txt`).
- Look for processes loading `libimagecodec.quram.so` with crashes around image receipt/preview (e.g., SIGSEGV/SIGABRT, heap corruption markers).
- Correlate timestamps with incoming media (messaging push, notification arrivals, gallery indexing).
- Logcat spot-checks (developer/test devices)
- `adb logcat | grep -iE "libimagecodec\.quram\.so|Fatal signal|backtrace"`
- MDM/EDR telemetry (where present)
- Alerts on repeated media decode faults, abnormal child processes spawned by media frameworks, or RWX/JIT anomalies inside media processes.
- Threat intel tracking
- Monitor the Samsung SMR page for updates; watch reporting threads for sample hashes or exploit indicators once (if) they become public. ([Samsung Mobile Security][1])
8) Immediate mitigations & hardening
Top priority: patch to SMR Sep-2025 R1+ now. Users: Settings → Software update → Download and install. Enterprises: push via MDM compliance policy. ([Samsung Mobile Security][1])
Until patched:
- Messaging controls: Disable auto-download/auto-preview of images where policy allows; restrict unknown senders. (Media outlets warn other messengers using system codecs could be targeted.) ([BleepingComputer][2])
- MDM baselines: Require security patch ≥ 2025-09-01 (prefer 2025-09-05), block devices below that level; enforce Play Protect, restrict sideloading. ([Android Open Source Project][5])
- Network caveat: For E2EE messengers, server-side content rewrites/stripping won’t apply; rely on endpoint controls and rapid patching.
9) Developer guidance (apps & enterprise toolmakers)
- If your app defers to system image decoders (Java/Kotlin `BitmapFactory`, `ImageDecoder`, or native via NDK that calls into vendor libs), your app inherits platform risk. Ship app updates promptly (even if only to gate risky auto-previews behind user action) until fleet patching reaches critical mass. Coverage flags that system-codec users are exposed. ([BleepingComputer][2])
- Avoid introducing alternate native image parsers unless they are proven, memory-safe, and well-maintained—rolling your own parser typically increases risk.
- Expand fuzzing against image inputs in CI and consider content triage (e.g., size/dimension caps) before decoding. Historical Quram/Qmage work shows how metadata misparsing leads to corruption. ([Project Zero][4])
10) Validation plan (post-patch)
- Confirm patch level (Section 6).
- Negative testing: Re-ingest previously crashing images (if any were captured internally) on a fully patched test device. Do not share or re-distribute suspect samples.
- Stability watch: No new tombstones for media pipelines over 72h of normal use across patched pilot group.
- Close incident when fleet compliance ≥ agreed threshold (e.g., 95% patched), with exception-handling for stragglers.
11) Risk scoring & policy
- Severity: Critical (vendor). Treat as Priority-1 because of confirmed in-the-wild exploitation. Samsung didn’t publish a CVSS; don’t rely on third-party estimates for gating decisions. ([Samsung Mobile Security][1])
12) Open questions (track & update)
- Which image formats and specific parser paths are affected?
- Triggering requirements (zero-click via auto-thumbnailing vs. open)?
- Exploit chain details (sandbox escape/priv-esc)?
- Public technical write-ups / PoC? (None official at time of writing.)
Samsung’s bulletin and reputable reporting are the authoritative sources for now. ([Samsung Mobile Security][1])
13) Ops playbooks & copy-paste blocks
13.1 End-user comms (short)
> We’re deploying the September 2025 security update to Galaxy devices due to a critical image-parsing vulnerability (CVE-2025-21043) that is actively exploited. Please go to Settings → Software update → Download and install and apply the update today. Until you’re patched, avoid opening images from unknown contacts and disable auto-download of media in messaging apps. ([Samsung Mobile Security][1])
13.2 SOC hunt checklist
- [ ] Pull recent tombstones; flag crashes mentioning `libimagecodec.quram.so`.
- [ ] Correlate with inbound image receipt times in messengers.
- [ ] Triage any repeatable crash sequences on pre-patch devices; escalate if persistence or unusual child processes observed.
- [ ] Track fleet patch compliance daily until ≥ 95%.
13.3 MDM compliance policy
- Minimum Android security patch: `2025-09-05` (preferred) or `2025-09-01` (temporary). Devices below are non-compliant. (Patch-level semantics per Google’s ASB.) ([Android Open Source Project][5])
- Controls: Disable image auto-download in corporate messengers (where configurable), enforce Play Protect, block sideloading, and require full-disk encryption.
13.4 Engineer notes (test devices)
- Read patch level: `adb shell getprop ro.build.version.security_patch` → expect `2025-09-0X`. ([Android Open Source Project][5])
- Crash triage: `adb logcat | grep -iE "libimagecodec\.quram\.so|Fatal signal|backtrace"`
- (Optional) Inspect presence/paths of vendor codec libs:
`adb shell ls -l /vendor/lib64/libimagecodec.quram.so || ls -l /system/lib64/libimagecodec.quram.so` (Presence alone ≠ vulnerable/patched; use patch level as the source of truth—Samsung doesn’t publish per-file versions in the bulletin.) ([Samsung Mobile Security][1])
14) “Am I patched?” quick table
| Device shows… | What it means | Action |
|---|
| Android security update: 2025-09-05 | You have the complete September patch level | ✅ Good; verify SMR says September 2025 |
| Android security update: 2025-09-01 | You have the baseline September patch level | ✅ Temporarily acceptable; still includes SMR Sep-2025 R1 on Samsung if offered for your model |
| August 2025 or earlier | Vulnerable until OEM SMR is installed | ❌ Update immediately |
Google defines the 01/05 patch levels; Samsung’s SMR Sep-2025 R1 is the vendor package that contains the CVE-2025-21043 fix. ([Android Open Source Project][5])
References (primary)
- Samsung Mobile Security — SMR Sep-2025 Release 1 (lists CVE-2025-21043, Critical, Android 13–16, reported 2025-08-13, and “exploit … existed in the wild.” Also credits Meta & WhatsApp Security Teams). ([Samsung Mobile Security][1])
- BleepingComputer — reports active exploitation, WhatsApp/Meta credit, and risk to other messengers using the system codec. ([BleepingComputer][2])
- Android Security Bulletin — September 2025 — explains 2025-09-01/05 patch-level semantics for validation. ([Android Open Source Project][5])
- Rollout context — Samsung September SMR announcement/tracker posts showing early-September waves to devices (e.g., S23). ([SamMobile][3])
- Historical background — Project Zero’s Qmage research on Samsung image codecs and attack surface.
Tell me your exact Galaxy model and the security patch level it shows in Settings; I’ll map it to current rollout notes and tell you whether you’re covered or need to escalate patching.