CVE-2025-21043
Published: 2025-09-12
CVE-2025-21043: Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2025-10-23
Exploited in the wild
EPSS: 1.44% (69.8th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | android | — | — |
| samsung | android | — | — |
| samsung | android | — | — |
| samsung | android | — | — |
Detection & IOCs (extracted from sources)
- Malicious DNG files carry an embedded ZIP archive appended to the end of the file; scan for DNG/JPEG files with a ZIP magic-byte signature (PK\x03\x04) appended after the image data.
- Delivery filenames follow WhatsApp naming conventions (e.g., 'WhatsApp Image YYYY-MM-DD at H.MM.SS PM.jpeg' and 'IMG-YYYYMMDD-WA000X.jpg'); alert on receipt of DNG/JPEG files matching these patterns via messaging apps.
- The exploit extracts and executes .so files (b.so, l.so) from the embedded ZIP archive; monitor for unexpected shared-object library drops and execution from messaging app cache/temp directories on Samsung Android devices.
- The SELinux policy manipulator component (l.so) is delivered as an XZ-compressed ELF binary; detect XZ-compressed ELF payloads dropped by image-processing processes on Samsung devices.
- The vulnerability is in libimagecodec.quram.so; on Samsung Android 13+ devices, monitor for crashes or anomalous process spawning from this library as an indicator of exploitation attempts.
- CVE-2025-21043 affects Samsung devices running Android 13 or later; devices on earlier Android versions or non-Samsung Android are not in scope.
- The Unit 42 report primarily documents exploitation of the related CVE-2025-21042 (patched April 2025); CVE-2025-21043 is a distinct but similar flaw in the same library patched in September 2025. IOCs from the LANDFALL campaign are associated with CVE-2025-21042 exploitation, not confirmed CVE-2025-21043 exploitation.
- While WhatsApp was the identified delivery channel, other instant messengers using the vulnerable libimagecodec.quram.so image parsing library could also be exploited.
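As an added example (not code from this page or from any of the cited sources), the following Python checker implements the first indicator above: it classifies a file as JPEG or DNG (a TIFF container) by its magic bytes, looks for a ZIP local-file-header signature after the image data, confirms a ZIP end-of-central-directory record is present, and lists the archive members. The sample inputs are constructed stubs, not real samples.

```python
import io
import zipfile
from typing import Optional
JPEG_MAGIC = b"\xff\xd8\xff"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container (either byte order)
ZIP_LOCAL_HEADER = b"PK\x03\x04"          # start of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"                  # ZIP end-of-central-directory record
JPEG_EOI = b"\xff\xd9"                    # JPEG end-of-image marker


def image_kind(data: bytes) -> Optional[str]:
    """Classify by leading magic bytes: 'jpeg', 'dng' (TIFF-based) or None."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:4] in TIFF_MAGICS:
        return "dng"
    return None


def find_appended_zip(data: bytes) -> Optional[dict]:
    """Return a finding dict if an image file carries a trailing ZIP archive, else None."""
    kind = image_kind(data)
    if kind is None:
        return None
    lfh = data.find(ZIP_LOCAL_HEADER, 4)  # first local file header after the image magic
    if lfh == -1:
        return None
    eocd = data.rfind(ZIP_EOCD)
    valid_eocd = eocd > lfh and len(data) - eocd >= 22  # a minimal EOCD record is 22 bytes
    after_eoi = kind != "jpeg" or data.rfind(JPEG_EOI, 0, lfh) != -1  # JPEG payload must follow EOI
    members = []
    if valid_eocd:
        try:
            with zipfile.ZipFile(io.BytesIO(data[lfh:])) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            pass  # signature present but archive unreadable: still worth flagging
    return {"kind": kind, "zip_offset": lfh, "valid_eocd": valid_eocd,
            "after_eoi": after_eoi, "members": members}


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stubs for testing (not real samples): a JFIF-like JPEG and a little-endian TIFF/DNG header
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
CLEAN_DNG = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 64
TROJANED_JPEG = CLEAN_JPEG + _build_zip({"b.so": b"\x7fELF" + b"\x00" * 16, "l.so": b"\xfd7zXZ\x00" * 4})
TROJANED_DNG = CLEAN_DNG + _build_zip({"b.so": b"\x7fELF"})
```

Run `find_appended_zip` over files whose names match the WhatsApp patterns listed above; a hit with `valid_eocd` true and `.so` members is the strongest signal, while a bare signature hit still merits a look.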
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Samsung Mobile Devices Out-of-Bounds Write Vulnerability
cisa·2025-10-02·CVSS 9.8
CVE-2025-21043 [CRITICAL] CWE-787 Samsung Mobile Devices Out-of-Bounds Write Vulnerability
Vulnerability: Samsung Mobile Devices Out-of-Bounds Write Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21043
Remediation Due Date: 2025-10-23
GHSA
GHSA-h4h8-5cww-x7j2: Out-of-bounds write in libimagecodec
ghsa_unreviewed·2025-09-12
CVE-2025-21043 [HIGH] CWE-787 GHSA-h4h8-5cww-x7j2: Out-of-bounds write in libimagecodec
Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
VulnCheck
Samsung Mobile Devices Out-of-Bounds Write Vulnerability
vulncheck·2025·CVSS 8.8
CVE-2025-21043 [HIGH] CWE-787 Samsung Mobile Devices Out-of-Bounds Write Vulnerability
Samsung Mobile Devices Out-of-Bounds Write Vulnerability
Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.
Affected: Samsung Mobile Devices
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://security.samsungmobile.com/securityUpdate.smsb; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/research-reports/global-cybersecurity-report/; https://www.loginsoft.com/reports/annuall
No detection rules found.
No public exploits indexed.
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
# Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026
Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first
Bleepingcomputer
CISA orders feds to patch Samsung zero-day used in spyware attacks
blogs_bleepingcomputer·2025-11-10·CVSS 8.8
CVE-2025-21042 [HIGH] CISA orders feds to patch Samsung zero-day used in spyware attacks
## CISA orders feds to patch Samsung zero-day used in spyware attacks
## Sergiu Gatlan
CISA ordered U.S. federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp.
Tracked as CVE-2025-21042, this out-of-bounds write security flaw was discovered in Samsung's libimagecodec.quram.so library, allowing remote attackers to gain code execution on devices running Android 13 and later.
While Samsung patched it in April following a report from Meta and WhatsApp Security Teams, Palo Alto Networks' Unit 42 revealed last week that attackers had been exploiting it since at least July 2024 to deploy previously unknown LandFall spyware via malicious DNG images sent over WhatsApp.
The spyware is
Bleepingcomputer
New LandFall spyware exploited Samsung zero-day via WhatsApp messages
blogs_bleepingcomputer·2025-11-07·CVSS 8.8
[HIGH] New LandFall spyware exploited Samsung zero-day via WhatsApp messages
## New LandFall spyware exploited Samsung zero-day via WhatsApp messages
## Bill Toulas
According to researchers at Palo Alto Networks’ Unit 42, the LandFall spyware is likely a commercial surveillance framework used in targeted intrusions.
The attacks begin with the delivery of a malformed .DNG raw image format with a .ZIP archive appended towards the end of the file.
Unit 42 researchers retrieved and examined samples that were submitted to the VirusTotal scanning platform starting July 23, 2024, indicating WhatsApp as the delivery channel, based on the filenames used.
From a technical perspective, the DNGs embed two main components: a loader (b.so) that can retrieve and load additional modules, and a SELinux policy manipulator (l.so), which modifies security settings on the devi
Unit42
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
blogs_unit42·2025-11-07·CVSS 8.8
CVE-2025-21042 [HIGH] LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
## Executive Summary
Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.
This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks. However, the exploit itself — and the commercial-grade spyware used with it — have not yet been publicly reported and analyzed.
LANDFALL was embedded in malicious image files (DNG file format) that appear to have been sent via
Bleepingcomputer
Samsung patches actively exploited zero-day reported by WhatsApp
blogs_bleepingcomputer·2025-09-12·CVSS 8.8
CVE-2025-21043 [HIGH] Samsung patches actively exploited zero-day reported by WhatsApp
## Samsung patches actively exploited zero-day reported by WhatsApp
## Sergiu Gatlan
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices.
Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely.
"Out-of-bounds Write in libimagecodec.quram.s
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Timeline
- 2025-09-12: Published
- 2025-10-02: Added to CISA KEV
- Exploited in the wild