Overview
- The flaw, tracked as CVE-2025-21043, is an out-of-bounds write in libimagecodec.quram.so with a CVSS score of 8.8 that enables remote code execution.
- Samsung says devices running Android 13 through 16 are affected, and the fix is being delivered via its September security update without a published model list.
- Meta and WhatsApp privately disclosed the vulnerability to Samsung on August 13 and reported evidence of active exploitation.
- The vulnerable component is the image-parsing library on Samsung devices, so a crafted image file could trigger code execution through any app that passes images to it.
- A related Apple image-processing bug (CVE-2025-43300) was patched earlier, and WhatsApp reports the issues were chained in targeted attacks against specific users.