Samsung patches Android zero-day CVE-2025-21043 in Quramsoft image codec

CyberSecureFox 🦊

Samsung has released a security update for CVE-2025-21043, a zero-day vulnerability rated CVSS 8.8 and confirmed as exploited in targeted attacks. The flaw affects Samsung devices running Android 13 and newer and was first reported on 13 August 2025 by security teams at Meta and WhatsApp as part of an ongoing investigation into targeted exploitation.

What happened: critical Android image codec bug in Quramsoft library

According to Samsung’s advisory, the root cause resides in the proprietary Quramsoft image processing component libimagecodec.quram.so. The issue is an out-of-bounds write, a memory corruption bug that occurs when data is written outside allocated memory. In practical terms, a crafted image can trigger a remote code execution (RCE) condition when the vulnerable code parses the file.

Exploitation vector: malicious media and preview parsing

Attackers can deliver the exploit by sending a malicious image or forcing a preview to be rendered by apps that rely on libimagecodec.quram.so. Messaging apps are a likely vector, but any client using the affected library could be at risk. Samsung acknowledges the existence of working exploit code and notes that it has been used in real-world attacks. While WhatsApp was involved in reporting the activity, the vulnerability’s nature suggests potential exposure across multiple apps that process images via the same codec.

Related incidents and coordinated disclosure

Meta’s security team stated that findings from the summer 2025 investigation were shared with industry partners, including Apple and Samsung, to support coordinated remediation. Apple addressed a related issue tracked as CVE-2025-43300 last month, while Samsung also shipped fixes for SVE-2025-1702 alongside its bulletin for CVE-2025-21043.

Separately, WhatsApp patched another zero-click bug, CVE-2025-55177, in its iOS and macOS clients in late August. Reports indicate it was combined with CVE-2025-43300 as part of a sophisticated, targeted attack chain against select users. Notifications to impacted individuals recommended a full device reset to factory settings and keeping operating systems and apps fully updated.

Risk assessment: why image parsing bugs are high impact

The CVSS 8.8 score reflects the vulnerability’s remote reachability and its ability to enable arbitrary code execution. Image parsing bugs are particularly dangerous because they can be triggered by seemingly benign actions like receiving a message or rendering a preview. Historical incidents such as Android’s Stagefright (2015) and the iMessage FORCEDENTRY chain (2021) show how media pipelines can be abused for stealthy, zero-click compromises of high-value targets, including journalists, civil society members, and enterprise staff with access to sensitive data.

Mitigation: steps for users and enterprises

Update immediately. Install the latest Samsung firmware and security patches. Verify your Android Security Patch Level in device settings and ensure it matches the most recent release available for your model.

Limit media auto-downloads. Temporarily disable automatic saving of images and videos in messaging apps, particularly on corporate devices. This reduces the chance of passive exploitation via thumbnails or previews.

Harden messaging apps. Keep WhatsApp and other messengers fully up to date. Remove redundant or rarely used clients. Organizations should enforce MDM/EMM policies to block outdated versions and control update cadence.

Monitor and respond. Watch for unusual crashes in media-handling apps, unexpected reboots, or spikes in network activity. If compromise is suspected, isolate the device, back up data, and consider a factory reset followed by restoration from a trusted backup.
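For the "Monitor and respond" step, one way to triage device logs is to look for native crash dumps whose backtrace passes through libimagecodec.quram.so. This Python sketch is an added example, not code from Samsung or the original article. It assumes logcat output in the default threadtime format, and the sample log, package names, paths and addresses are constructed.

```python
import re

TARGET_LIB = "libimagecodec.quram.so"  # library named in Samsung's advisory

# logcat "threadtime" lines written by the crash dumper (tag DEBUG, level F)
LOGLINE = re.compile(r"^\d\d-\d\d \S+\s+\d+\s+\d+ F DEBUG\s*: (.*)$")
HEADER = re.compile(r"pid: (\d+), tid: \d+, name: .*?>>> (\S+) <<<")
SIGNAL = re.compile(r"signal \d+ \((SIG[A-Z]+)\)")
FRAME = re.compile(r"#(\d+) pc [0-9a-f]+\s+(\S+)")

# Constructed sample: package names, paths and addresses are made up.
SAMPLE_LOG = """\
09-12 10:00:58.010  4321  4321 I ImageLoader: decoding with libimagecodec.quram.so
09-12 10:01:02.301  4410  4410 F DEBUG   : pid: 4321, tid: 4399, name: pool-3-thread-1  >>> com.example.messenger <<<
09-12 10:01:02.301  4410  4410 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7b3c001000
09-12 10:01:02.302  4410  4410 F DEBUG   :       #00 pc 000000000001d2f4  /apex/com.android.runtime/lib64/bionic/libc.so (memcpy+20)
09-12 10:01:02.302  4410  4410 F DEBUG   :       #01 pc 000000000004a1c0  /system/lib64/libimagecodec.quram.so
09-12 10:07:41.118  5102  5102 F DEBUG   : pid: 5050, tid: 5050, name: example.gallery  >>> com.example.gallery <<<
09-12 10:07:41.118  5102  5102 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
09-12 10:07:41.119  5102  5102 F DEBUG   :       #00 pc 0000000000051a3c  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164)
"""

def find_codec_crashes(lines, lib=TARGET_LIB):
    """Return one record per native crash whose backtrace contains `lib`."""
    crashes, cur = [], None
    for line in lines:
        m = LOGLINE.match(line)
        if not m:                      # ordinary app logging is ignored
            continue
        body = m[1]
        if h := HEADER.search(body):   # start of a new crash dump
            cur = {"pid": int(h[1]), "process": h[2], "signal": None, "frame": None}
            crashes.append(cur)
        elif cur is None:
            continue
        elif cur["signal"] is None and (s := SIGNAL.search(body)):
            cur["signal"] = s[1]
        elif cur["frame"] is None and (f := FRAME.search(body)):
            if f[2].rsplit("/", 1)[-1] == lib:   # compare basename only
                cur["frame"] = int(f[1])
    return [c for c in crashes if c["frame"] is not None]

if __name__ == "__main__":
    for c in find_codec_crashes(SAMPLE_LOG.splitlines()):
        print(f'{c["process"]} (pid {c["pid"]}): {c["signal"]} with {TARGET_LIB} at frame #{c["frame"]}')
```

A hit is a reason to check the device's patch level and recently received media, not proof of exploitation; decoder crashes also occur on ordinary malformed files.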

CVE-2025-21043 reinforces a consistent pattern in mobile threat activity: attackers frequently target media parsers and chain multiple zero-days to escalate privileges and maintain persistence. Prompt OS and app updates, reduced exposure through media settings, and disciplined device hygiene remain the most effective defenses. Check your Samsung device for the latest security update today and ensure all messaging apps are current to minimize risk.
