Actively exploited CVE-2025-21043 lets attackers run code via Samsung’s Quram im...
Samsung fixed a **critical remote-code-execution** bug in the Quramsoft image codec (`libimagecodec.quram.so`) used on Galaxy devices. The flaw—an **Out-of-Bounds Write**—is patched in **SMR Sep-2025 Release 1** and was **exploited in the wild** before disclosure. Samsung credits **Meta & WhatsApp Security Teams** (report date **2025-08-13**). **Patch immediately** to the **September 2025** security level (or later).
Media coverage underscores that **any messenger or app that relies on the system image parser** (not just WhatsApp) could be a delivery vector for a malicious image.
### Vulnerability details
* **CVE:** CVE-2025-21043
* **Component:** Quramsoft image codec (`libimagecodec.quram.so`)
* **Type / CWE:** Out-of-Bounds Write (**CWE-787**) → memory corruption → potential RCE
* **Severity:** **Critical** (Samsung)
* **Affected OS on Samsung builds:** **Android 13–16**
* **Fix:** Included in **SMR Sep-2025 Release 1**
* **Exploit status:** **“Exploit … has existed in the wild.”** (Samsung)
* **Reporter credit:** **Meta & WhatsApp Security Teams** (reported **2025-08-13**)
All of the above are specified in Samsung’s security bulletin entry for SVE-2025-1702 / CVE-2025-21043. ([Samsung Mobile Security][1])
> **Why it matters:** Image codecs often process **untrusted content automatically** (previews, thumbnailers, notifications). One malformed image can crash the decoder or, with a working exploit, **run attacker code** in the decoder’s process. Coverage notes **other messengers using the system codec** may be exposed—not just WhatsApp. ([BleepingComputer][2])
### Timeline (UTC)
* **2025-08-13:** Samsung receives report from **Meta & WhatsApp**. ([Samsung Mobile Security][1])
* **2025-09-03 → 2025-09-12:** **September 2025 SMR** announced and begins rolling out to models/regions (ongoing staggered release). Community trackers and press confirm early-September waves across multiple devices. ([SamMobile][3])
* **2025-09-12:** Public reporting highlights active exploitation and WhatsApp/Meta credit. ([BleepingComputer][2])
### Threat model & likely attack paths
**Primary vector:** Delivery of a **malicious image** that triggers decoding paths eventually invoking `libimagecodec.quram.so`. Apps that **delegate image parsing to the OS/vendor codecs** inherit the risk.
**Common touchpoints** (high-exposure first):
1. **Messaging**: MMS/RCS; OTT messengers (auto-download, previews, notification thumbs).
2. **System components**: Gallery, MediaScanner, indexers/thumbnailers, ShareSheet.
3. **Browsers & Email**: Inline image rendering, preview panes.
BleepingComputer emphasizes that **other messengers besides WhatsApp** may be susceptible if they use the system codec. ([BleepingComputer][2])
---
# 4) Root-cause clarity (what’s known vs. inferred)
* **Confirmed (Samsung):** **Out-of-Bounds Write** in the Quramsoft codec; fixed by correcting an “incorrect implementation.” No format or trigger details disclosed. ([Samsung Mobile Security][1])
* **Context (inference, not specific to this CVE):** Historically, Quram/Qmage bugs involved **size/stride miscalculation** and **insufficient metadata validation**, enabling heap corruption and even **zero-click MMS** attacks on Samsung devices. Treat this as background, not proof for CVE-2025-21043. ([Project Zero][4])
**Exploitability factors to keep in mind (general):**
Modern Android hardening (ASLR, CFI, PAC/MTE on some SoCs, process sandboxing) raises difficulty but **doesn’t preclude** reliable RCE chains. Exact exploit quality/sandbox impact here are **undisclosed**.
---
# 5) Impact assessment
* **Worst-case:** **Network-reachable RCE** when the image is parsed, leading to code execution within the decoder’s process context. Additional bugs or misconfigurations would be required for broader device compromise. (RCE status per Samsung.) ([Samsung Mobile Security][1])
* **Breadth:** Any Galaxy device on **pre-SMR Sep-2025** builds and using vendor image paths is at risk until patched; rollout is staggered by model/region/carrier. Trackers highlight that **September SMR** is actively shipping. ([SamMobile][3])
---
# 6) Exposure verification & validation
## 6.1 “Am I safe?” quick check (on-device)
* Go to **Settings → About phone → Android version → Android security update**.
* If it shows **September 1, 2025** or **September 5, 2025** (or a later month), you have the corresponding Android patch level; Samsung’s SMR includes these plus Samsung fixes. Google states that **2025-09-05** includes all issues in **2025-09-01** and earlier. ([Android Open Source Project][5])
* Samsung’s bulletin explicitly says **SMR Sep-2025 Release 1** includes the fix for **CVE-2025-21043**. ([Samsung Mobile Security][1])
> **Rule of thumb:** On Samsung, a device showing **“September 2025”** with **SMR Sep-2025 R1** is **covered** for CVE-2025-21043.
## 6.2 ADB/MDM checks (fleet)
* **Read patch string:**
`adb shell getprop ro.build.version.security_patch` → expect `2025-09-01` or `2025-09-05` (or later). ([Android Open Source Project][5])
* **Model-specific rollout:** Confirm availability for particular SKUs/regions using Samsung community/tracker posts (e.g., **S23 series S918BXXS8DYI3** reported live). Use as **availability signal**, not authoritative coverage. ([Droid Life][6])
---
# 7) Detection & triage guidance (blue team)
> Focus on **decoder crashes** and **media-ingestion correlations**. Don’t expect IOCs yet; content is often **E2EE**.
1. **Crash/tombstone review on test or enrolled devices**
   * Pull `/data/tombstones/` (`tombstone_*.txt`).
   * Look for processes loading **`libimagecodec.quram.so`** with crashes around image receipt/preview (e.g., **SIGSEGV/SIGABRT**, heap corruption markers).
   * Correlate timestamps with incoming media (messaging push, notification arrivals, gallery indexing).
2. **Logcat spot-checks** (developer/test devices)
   * `adb logcat | grep -iE "libimagecodec\.quram\.so|Fatal signal|backtrace"`
3. **MDM/EDR telemetry (where present)**
   * Alerts on repeated **media decode faults**, **abnormal child processes** spawned by media frameworks, or **RWX/JIT anomalies** inside media processes.
4. **Threat intel tracking**
   * Monitor the **Samsung SMR page** for updates; watch reporting threads for sample hashes or exploit indicators once (if) they become public. ([Samsung Mobile Security][1])
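
The tombstone review and timestamp correlation from step 1 can be scripted. The following is an added example, not code from Samsung or any cited source: it parses tombstone text, keeps crashes whose backtrace passes through `libimagecodec.quram.so`, and marks those that occurred shortly after an inbound media event. The tombstone excerpts, package names, media-event times and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

CODEC = "libimagecodec.quram.so"
# Constructed tombstone excerpts (not from a real device); frames are unsymbolized.
SAMPLE_TOMBSTONES = {
    "tombstone_00.txt": """\
Timestamp: 2025-09-10 14:03:22.120000000+0000
pid: 1234, tid: 1250, name: thumb-worker  >>> com.example.messenger <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7b2c001000
backtrace:
      #00 pc 000000000004a1c0  /system/lib64/libimagecodec.quram.so
      #01 pc 0000000000031f44  /system/lib64/libhwui.so
""",
    "tombstone_01.txt": """\
Timestamp: 2025-09-10 16:40:05.000000000+0000
pid: 2201, tid: 2201, name: example.notes  >>> com.example.notes <<<
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
backtrace:
      #00 pc 0000000000051a28  /apex/com.android.runtime/lib64/bionic/libc.so
""",
}
# Constructed inbound-media receipt times, e.g. exported from messenger or MDM logs.
SAMPLE_MEDIA_EVENTS = [datetime(2025, 9, 10, 14, 3, 20, tzinfo=timezone.utc)]

def parse_tombstone(text):
    """Extract crash time, process, signal and the shallowest codec frame index."""
    ts = re.search(r"^Timestamp: (\S+ \d\d:\d\d:\d\d)\.\d+([+-]\d{4})", text, re.M)
    proc = re.search(r">>> (\S+) <<<", text)
    sig = re.search(r"^signal \d+ \((SIG\w+)\)", text, re.M)
    frames = re.findall(r"^\s*#(\d+) pc [0-9a-f]+\s+(\S+)", text, re.M)
    codec = [int(n) for n, path in frames if path.endswith("/" + CODEC)]
    return {
        "time": datetime.strptime("".join(ts.groups()), "%Y-%m-%d %H:%M:%S%z") if ts else None,
        "process": proc.group(1) if proc else None,
        "signal": sig.group(1) if sig else None,
        "codec_frame": min(codec) if codec else None,  # 0 = fault inside the codec itself
    }

def triage(tombstones, media_events, window=timedelta(seconds=30)):
    hits = []
    for name, text in sorted(tombstones.items()):
        t = parse_tombstone(text)
        if t["codec_frame"] is None:
            continue  # crash did not pass through the Quram codec
        near = t["time"] is not None and any(
            timedelta(0) <= t["time"] - ev <= window for ev in media_events)
        hits.append((name, t["process"], t["signal"], t["codec_frame"], near))
    return hits
```

`triage(SAMPLE_TOMBSTONES, SAMPLE_MEDIA_EVENTS)` returns one tuple per codec-related crash: file, process, signal, codec frame index, and whether it followed a media event. On devices where `/data/tombstones/` is not readable, the same files are included in an `adb bugreport` archive.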
---
# 8) Immediate mitigations & hardening
**Top priority: patch to SMR Sep-2025 R1+ now.** Users: **Settings → Software update → Download and install**. Enterprises: push via **MDM** compliance policy. ([Samsung Mobile Security][1])
**Until patched:**
* **Messaging controls:** Disable **auto-download/auto-preview** of images where policy allows; restrict unknown senders. (Media outlets warn other messengers using system codecs could be targeted.) ([BleepingComputer][2])
* **MDM baselines:** Require **security patch ≥ 2025-09-01** (prefer **2025-09-05**), block devices below that level; enforce **Play Protect**, restrict sideloading. ([Android Open Source Project][5])
* **Network caveat:** For E2EE messengers, server-side content rewrites/stripping won’t apply; rely on **endpoint** controls and rapid patching.
---
# 9) Developer guidance (apps & enterprise toolmakers)
* If your app **defers to system image decoders** (Java/Kotlin `BitmapFactory`, `ImageDecoder`, or native via NDK that calls into vendor libs), your app inherits platform risk. Ship **app updates** promptly (even if only to gate risky auto-previews behind user action) until fleet patching reaches critical mass. Coverage flags that **system-codec users** are exposed. ([BleepingComputer][2])
* Avoid introducing alternate native image parsers **unless** they are proven, memory-safe, and well-maintained—rolling your own parser typically **increases** risk.
* Expand **fuzzing** against image inputs in CI and consider **content triage** (e.g., size/dimension caps) before decoding. Historical Quram/Qmage work shows how metadata misparsing leads to corruption. ([Project Zero][4])
---
# 10) Validation plan (post-patch)
1. **Confirm patch level** (Section 6).
2. **Negative testing:** Re-ingest previously crashing images (if any were captured internally) on a **fully patched** test device. **Do not** share or re-distribute suspect samples.
3. **Stability watch:** No new tombstones for media pipelines over 72h of normal use across patched pilot group.
4. **Close incident** when fleet compliance ≥ agreed threshold (e.g., **95% patched**), with exception-handling for stragglers.
---
# 11) Risk scoring & policy
* **Severity:** **Critical** (vendor). Treat as **Priority-1** because of **confirmed in-the-wild exploitation**. Samsung didn’t publish a CVSS; don’t rely on third-party estimates for gating decisions. ([Samsung Mobile Security][1])
---
# 12) Open questions (track & update)
* Which **image formats** and specific parser paths are affected?
* **Triggering requirements** (zero-click via auto-thumbnailing vs. open)?
* **Exploit chain** details (sandbox escape/priv-esc)?
* **Public technical write-ups / PoC?** (None official at time of writing.)
Samsung’s bulletin and reputable reporting are the **authoritative** sources for now. ([Samsung Mobile Security][1])
---
# 13) Ops playbooks & copy-paste blocks
## 13.1 End-user comms (short)
> We’re deploying the **September 2025 security update** to Galaxy devices due to a **critical image-parsing vulnerability (CVE-2025-21043)** that is **actively exploited**. Please go to **Settings → Software update → Download and install** and apply the update today. Until you’re patched, avoid opening images from unknown contacts and disable auto-download of media in messaging apps. ([Samsung Mobile Security][1])
## 13.2 SOC hunt checklist
* [ ] Pull recent **tombstones**; flag crashes mentioning `libimagecodec.quram.so`.
* [ ] Correlate with **inbound image receipt** times in messengers.
* [ ] Triage any **repeatable** crash sequences on **pre-patch** devices; escalate if persistence or unusual child processes observed.
* [ ] Track fleet **patch compliance** daily until ≥ 95%.
## 13.3 MDM compliance policy
* **Minimum Android security patch:** **`2025-09-05`** (preferred) or **`2025-09-01`** (temporary). Devices below are **non-compliant**. (Patch-level semantics per Google’s ASB.) ([Android Open Source Project][5])
* **Controls:** Disable image auto-download in corporate messengers (where configurable), enforce **Play Protect**, block sideloading, and require **full-disk encryption**.
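
For test benches without an MDM, the patch-level policy above can be checked over ADB. This is an added example, not part of any cited source: it reads `ro.build.version.security_patch` from every attached device, applies the preferred/temporary levels from this section, and reports whether the 95% closure threshold used as an example in Section 10 is met. The function names and the fail-closed handling of unreadable devices are assumptions of this sketch.

```python
import subprocess
from datetime import date

PREFERRED, BASELINE = date(2025, 9, 5), date(2025, 9, 1)  # levels from the policy above

def classify(raw):
    """Map a ro.build.version.security_patch value to a policy state."""
    try:
        level = date.fromisoformat(raw.strip())
    except ValueError:
        return "unknown"            # empty or garbled output: fail closed
    if level >= PREFERRED:
        return "compliant"
    return "temporary" if level >= BASELINE else "non-compliant"

def run_adb(args):
    """Run adb and return stdout ('' on failure so callers fail closed)."""
    try:
        return subprocess.run(["adb", *args], capture_output=True, text=True,
                              timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def attached(devices_output):
    """Parse `adb devices` output into {serial: state}; header lines are skipped."""
    rows = (line.split() for line in devices_output.splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 2}

def fleet_report(adb=run_adb, threshold=0.95):
    states = {}
    for serial, state in attached(adb(["devices"])).items():
        if state != "device":       # unauthorized/offline: cannot be verified
            states[serial] = "unknown"
            continue
        raw = adb(["-s", serial, "shell", "getprop", "ro.build.version.security_patch"])
        states[serial] = classify(raw)
    ok = sum(s in ("compliant", "temporary") for s in states.values())
    ratio = ok / len(states) if states else 0.0
    return {"states": states, "patched_ratio": ratio, "can_close": ratio >= threshold}

if __name__ == "__main__":
    print(fleet_report())
```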
## 13.4 Engineer notes (test devices)
* **Read patch level:** `adb shell getprop ro.build.version.security_patch` → expect `2025-09-0X`. ([Android Open Source Project][5])
* **Crash triage:** `adb logcat | grep -iE "libimagecodec\.quram\.so|Fatal signal|backtrace"`
* **(Optional)** Inspect presence/paths of vendor codec libs:
`adb shell 'ls -l /vendor/lib64/libimagecodec.quram.so || ls -l /system/lib64/libimagecodec.quram.so'`
(Presence alone ≠ vulnerable/patched; use **patch level** as the source of truth—Samsung doesn’t publish per-file versions in the bulletin.) ([Samsung Mobile Security][1])
---
# 14) “Am I patched?” quick table
| Device shows… | What it means | Action |
| --------------------------------------- | ------------------------------------------- | --------------------------------------------------------------------------------------------- |
| **Android security update: 2025-09-05** | You have the complete September patch level | ✅ Good; verify SMR says September 2025 |
| **Android security update: 2025-09-01** | You have the baseline September patch level | ✅ Temporarily acceptable; still includes SMR Sep-2025 R1 on Samsung if offered for your model |
| **August 2025 or earlier** | Vulnerable until OEM SMR is installed | ❌ Update immediately |
Google defines the **01/05** patch levels; Samsung’s **SMR Sep-2025 R1** is the vendor package that contains the **CVE-2025-21043** fix. ([Android Open Source Project][5])
---
# References (primary)
* **Samsung Mobile Security — SMR Sep-2025 Release 1** (lists **CVE-2025-21043**, **Critical**, **Android 13–16**, **reported 2025-08-13**, and **“exploit … existed in the wild.”** Also credits **Meta & WhatsApp Security Teams**). ([Samsung Mobile Security][1])
* **BleepingComputer** — reports active exploitation, WhatsApp/Meta credit, and risk to other messengers using the system codec. ([BleepingComputer][2])
* **Android Security Bulletin — September 2025** — explains **2025-09-01/05** patch-level semantics for validation. ([Android Open Source Project][5])
* **Rollout context** — Samsung September SMR announcement/tracker posts showing early-September waves to devices (e.g., S23). ([SamMobile][3])
* **Historical background** — Project Zero’s **Qmage** research on Samsung image codecs and attack surface (context only). ([Project Zero][4])
[1]: https://security.samsungmobile.com/securityUpdate.smsb "Samsung Mobile Security"
[2]: https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/ "Samsung patches actively exploited zero-day reported by WhatsApp"
[3]: https://www.sammobile.com/news/samsung-monthly-updates-september-2025-security-patch-is-a-big-one/ "Samsung monthly updates: September 2025 security patch ..."
[4]: https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduction-to-qmage.html "MMS Exploit Part 1: Introduction to the Samsung Qmage ..."
[5]: https://source.android.com/docs/security/bulletin/2025-09-01 "Android Security Bulletin—September 2025"
[6]: https://www.droid-life.com/2025/09/11/samsung-september-updates-roll-out/ "Samsung September Updates Roll Out to These Devices"