CVE-2025-21043
published 2025-09-12

CVE-2025-21043: Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.

Priority: P186
CVSS 3.1: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA KEV: listed, in the wild (ITW), remediation due 2025-10-23
Exploited in the wild
EPSS: 1.44% (69.8th percentile)

Affected (4 ranges)

Vendor    Product    Version range    Fixed in
samsung   android
samsung   android
samsung   android
samsung   android

Detection & IOCs (extracted from sources)

filename: b.so
filename: l.so
hash (SHA-256): ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2
hash (SHA-256): d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0
hash (SHA-256): a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495
hash (SHA-256): 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd
hash (SHA-256): 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261
hash (SHA-256): 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee
path: libimagecodec.quram.so
  • Malicious DNG files carry an embedded ZIP archive appended to the end of the file; scan for DNG/JPEG files with a ZIP magic-byte signature (PK\x03\x04) appended after the image data.
  • Delivery filenames follow WhatsApp naming conventions (e.g., 'WhatsApp Image YYYY-MM-DD at H.MM.SS PM.jpeg' and 'IMG-YYYYMMDD-WA000X.jpg'); alert on receipt of DNG/JPEG files matching these patterns via messaging apps.
  • The exploit extracts and executes .so files (b.so, l.so) from the embedded ZIP archive; monitor for unexpected shared-object library drops and execution from messaging app cache/temp directories on Samsung Android devices.
  • The SELinux policy manipulator component (l.so) is delivered as an XZ-compressed ELF binary; detect XZ-compressed ELF payloads dropped by image-processing processes on Samsung devices.
  • The vulnerability is in libimagecodec.quram.so; on Samsung Android 13+ devices, monitor for crashes in processes that load this library (the image decoder used on behalf of messaging apps) and for anomalous child processes spawned by them as an indicator of exploitation attempts.
  • CVE-2025-21043 affects Samsung devices running Android 13 or later; devices on earlier Android versions or non-Samsung Android are not in scope.
  • The Unit 42 report primarily documents exploitation of the related CVE-2025-21042 (patched April 2025); CVE-2025-21043 is a distinct but similar flaw in the same library, patched in September 2025. The LANDFALL IOCs above (filenames and hashes) are associated with CVE-2025-21042 exploitation, not with confirmed CVE-2025-21043 exploitation; treat hits on them as evidence of the campaign rather than of this specific CVE.
  • WhatsApp was the identified delivery channel, but any other instant messenger that hands untrusted images to the vulnerable libimagecodec.quram.so parser could be used to reach the same bug.
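As an added example (not code from this page, from Unit 42 or from Samsung), the following Python scanner implements the first four detection bullets above: it matches the quoted WhatsApp delivery filename patterns, looks for a ZIP local-file-header signature (PK\x03\x04) followed by an end-of-central-directory record after the image data of a JPEG or DNG (TIFF container), and lists archive members whose first bytes are an ELF header or an XZ stream header, which is how the b.so / l.so payloads would present. All function names are hypothetical, and the sample images and ZIP members are constructed in the file; the .so stand-ins carry only magic bytes, not real code.

```python
"""Scan DNG/JPEG files for an appended ZIP archive carrying .so payloads.

Added example; helper names are hypothetical and all sample data is
constructed inline so the script runs offline.
"""
import io
import re
import sys
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"          # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"               # ZIP end-of-central-directory signature
JPEG_SOI = b"\xff\xd8\xff"             # JPEG start of image
JPEG_EOI = b"\xff\xd9"                 # JPEG end of image
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container
ELF_MAGIC = b"\x7fELF"
XZ_MAGIC = b"\xfd7zXZ\x00"             # XZ stream header

# Delivery filenames quoted in the IOC list (WhatsApp export and media names),
# generalised to accept .dng as well as .jpg/.jpeg.
WHATSAPP_NAME_RE = re.compile(
    r"^(?:WhatsApp Image \d{4}-\d{2}-\d{2} at \d{1,2}\.\d{2}\.\d{2} [AP]M"
    r"|IMG-\d{8}-WA\d{4})\.(?:jpe?g|dng)$",
    re.IGNORECASE,
)


def is_whatsapp_name(filename):
    return WHATSAPP_NAME_RE.match(filename) is not None


def image_kind(data):
    """Return 'jpeg', 'dng' (TIFF container) or None for other data."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data[:4] in TIFF_MAGIC:
        return "dng"
    return None


def appended_zip_offset(data):
    """Offset of a ZIP archive appended after the image data, or None.

    A real archive needs a local file header and, after it, an EOCD record.
    For JPEG we additionally require the EOI marker to precede the archive,
    so that the archive really sits after the image data.
    """
    kind = image_kind(data)
    if kind is None:
        return None
    start = data.find(ZIP_LOCAL_HDR, 4)
    if start < 0 or data.rfind(ZIP_EOCD, start) < 0:
        return None
    if kind == "jpeg" and data.rfind(JPEG_EOI, 0, start) < 0:
        return None
    return start


def classify_member(name, head):
    """Tag a ZIP member by its first bytes: raw ELF, XZ-packed blob, or .so name."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(XZ_MAGIC):
        return "xz"
    if name.lower().endswith(".so"):
        return "so-name"
    return None


def scan_file(filename, data):
    """Findings for one image: name pattern, ZIP offset, members and tags."""
    result = {"whatsapp_name": is_whatsapp_name(filename),
              "zip_offset": None, "members": [], "suspicious": {}}
    offset = appended_zip_offset(data)
    if offset is None:
        return result
    result["zip_offset"] = offset
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            for info in zf.infolist():
                result["members"].append(info.filename)
                with zf.open(info) as fh:
                    tag = classify_member(info.filename, fh.read(8))
                if tag:
                    result["suspicious"][info.filename] = tag
    except zipfile.BadZipFile:
        pass  # signature present but archive unparsable: still worth triage
    return result


def _fake_payload_zip():
    """Constructed ZIP with two stand-ins for the b.so / l.so payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.so", ELF_MAGIC + b"\x00" * 60)   # fake ELF
        zf.writestr("l.so", XZ_MAGIC + b"\x00" * 60)    # fake XZ-compressed ELF
    return buf.getvalue()


def sample_jpeg_with_zip():
    """Constructed: stub JPEG (SOI, one zeroed APP segment, EOI) + appended ZIP."""
    return JPEG_SOI + b"\xe0" + b"\x00" * 32 + JPEG_EOI + _fake_payload_zip()


def sample_dng_with_zip():
    """Constructed: little-endian TIFF header, 16 bytes of padding, then ZIP."""
    return TIFF_MAGIC[0] + b"\x08\x00\x00\x00" + b"\x00" * 16 + _fake_payload_zip()


def sample_clean_jpeg():
    return JPEG_SOI + b"\xe0" + b"\x00" * 32 + JPEG_EOI


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_file(path.rsplit("/", 1)[-1], fh.read()))
```

Run it over a messaging app's media directory (for example the files under a pulled WhatsApp Media folder) and triage anything with a non-null zip_offset first; the name match alone is weak on its own, since legitimate WhatsApp images use the same patterns. The EOCD check matters because a stray PK\x03\x04 can occur inside compressed image data, whereas a parsable trailing central directory is what zipfile (and the exploit's own unpacker) needs.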

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH
CISA: 9.8 CRITICAL