Particle.news

Samsung Releases Patch for Actively Exploited Android Zero‑Day CVE-2025-21043

A bug in a closed-source Quramsoft image library used by Samsung devices exposes a supply‑chain weak point.

Overview

  • Samsung’s September 2025 Release 1 update fixes CVE-2025-21043, an out-of-bounds write in libimagecodec.quram.so that enabled remote code execution.
  • The company confirmed that an exploit existed in the wild before the fix and rated the flaw critical, with a CVSS score of 8.8.
  • Devices running Android 13 through 16 are affected, and the issue was privately reported by Meta and WhatsApp on August 13.
  • Because the vulnerable codec is a third-party component, other messaging apps that use it could also be exposed to similar exploitation.
  • Separately, WhatsApp previously patched a zero-click client bug (CVE-2025-55177) linked to an Apple zero-day and notified some targeted users, urging updates, device checks, and in some cases factory resets.