FindArticles © 2025. All Rights Reserved.

Samsung zero‑day patched—update your phone now

Last updated: September 18, 2025 8:06 pm
By John Melendez

Samsung has shipped an urgent fix for a zero‑day vulnerability that was found to affect devices from its Galaxy range, and you need to apply it as soon as it lands on your phone.

Tracked as CVE‑2025‑21043, the bug exists in an image parsing component and has been actively exploited in the wild, according to Samsung and security teams at Meta — formerly Facebook — and WhatsApp, who privately disclosed this flaw.


Unpatched, the flaw could allow a remote attacker to execute arbitrary code on a target device, one of the worst‑case scenarios for mobile. In other words, an image file carefully crafted by the attacker and processed by your phone could be all that’s needed to compromise it.

What was patched, and who stands to lose

CVE‑2025‑21043 is an out‑of‑bounds write in libimagecodec.quram.so, an image decoding library used on Samsung devices. The issue received a critical base score of 8.8 from Samsung Mobile Security, which also confirmed that an exploit exists. The firm says eligible, supported Galaxy devices running recent Android versions such as Android 13, 14, 15, and 16 should expect to get the fix through the corresponding, most recent SMR (Security Maintenance Release).

Because this vulnerability is in the image‑processing pipeline, the exposure isn’t limited to a single app. Any service that works with untrusted images — messaging clients, email, social media, or even previews in the browser — can be an attack surface if the underlying library contains a security vulnerability.

The affected library is from Quramsoft, whose codecs are used widely in Samsung’s own software stack. This class of bug frequently allows what are called zero‑click exploits, meaning no user interaction is necessary other than for the device to receive or process the malicious content.

The danger of image parsing bugs on mobile devices

Media parsers are low‑level and deal with very complicated file formats, so a simple memory error can lead to device takeover. The pattern is familiar: a past image‑related bug on Samsung phones (CVE‑2020‑8899) was capable of remote code execution through a malicious MMS with no user interaction, and more generally, investigations by Citizen Lab as well as research by Google’s Project Zero have shown how imaging and media bugs continue to be leveraged in targeted operations.


The fix also arrives alongside similar hardening on other platforms. Apple had previously addressed a similar image processing vulnerability, CVE‑2025‑43300, which is an arbitrary code execution vulnerability caused by malicious image files. WhatsApp’s security team also reported that it had fixed a flaw that could cause content from an arbitrary URL to be processed when received in a WhatsApp message on the device of the targeted user; according to the company, when combined with Apple’s flaw it seemed as though attackers were mounting a highly targeted attack against certain users. Though there is no evidence that Samsung’s vulnerability can be chained in a similar manner, the overlap reinforces the urgency of addressing it.

How to update and minimize your exposure

  • Update as soon as the Samsung SMR is available on your device. On most Galaxy phones, head to Settings > Software update > Download and install, and turn on Auto download over Wi‑Fi to make sure you get patches as quickly as carriers and regions allow the rollout.
  • Then close the holes around this core patch: You should refresh apps from Galaxy Store as well as Play Store, and make sure that you update Google Play system components (Settings > Security and privacy > Updates > Google Play system update), and keep Play Protect enabled.

Be especially careful with untrusted media until you have updated. You should also consider switching off auto media download on your instant messaging apps and avoid opening pictures from unknown contacts. These measures aren’t a cure for the underlying bug, but they can narrow the attack surface.

What security teams are telling us about this flaw

Samsung’s official announcement confirms that this vulnerability has already been exploited, which is why this patch is considered higher‑priority across all the supported models.

The teams from Meta and WhatsApp privately reported the flaw, a standard path in coordinated disclosure designed to offer device makers time to ship fixes before attackers can scale their campaigns.

Considering how rapidly zero‑days go from targeted to broad criminal application, I anticipate security agencies and incident responders will keep an eye out for signs of weaponization. For fleet‑managed Galaxy devices, the update is being made available fleet by fleet and should be treated as an emergency change window; confirm through your MDM or EMM dashboard that the patch was deployed successfully.
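One way to run that fleet check outside the dashboard, as an added example that is not part of the original article: a Python audit of a device inventory export against a required security patch level. The CSV column names, the sample rows and the patch-level value are assumptions; substitute your MDM's export format and the level Samsung's bulletin gives for your models.

```python
import csv
import io
from datetime import date

# Assumption: placeholder patch level. Replace with the security patch level
# that Samsung's SMR bulletin lists for the CVE-2025-21043 fix on your models.
REQUIRED_PATCH_LEVEL = "2025-09-01"
# Android versions the article lists as receiving the fix.
SUPPORTED_ANDROID = {13, 14, 15, 16}

# Constructed sample of an MDM/EMM inventory export (hypothetical column names).
SAMPLE_EXPORT = """device_id,model,android_version,security_patch
dev-001,SM-S928B,15,2025-09-01
dev-002,SM-A546E,14,2025-08-01
dev-003,SM-G991B,13,
dev-004,SM-G960F,10,2021-03-01
dev-005,SM-S911B,14,Sept 2025
"""

def classify(row, required=REQUIRED_PATCH_LEVEL):
    """Return 'patched', 'needs_update', 'unsupported' or 'unknown' for one device."""
    try:
        android = int(row["android_version"].split(".")[0])
    except (KeyError, ValueError, AttributeError):
        return "unknown"
    if android not in SUPPORTED_ANDROID:
        return "unsupported"  # outside the listed versions; handle by policy
    try:
        reported = date.fromisoformat((row.get("security_patch") or "").strip())
    except ValueError:
        return "unknown"  # missing or malformed value: never assume patched
    return "patched" if reported >= date.fromisoformat(required) else "needs_update"

def audit(export_text, required=REQUIRED_PATCH_LEVEL):
    """Group device IDs by status so follow-up can target each bucket."""
    report = {"patched": [], "needs_update": [], "unsupported": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        report[classify(row, required)].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_EXPORT).items():
        print(f"{status:13} {len(devices):2}  {', '.join(devices)}")
```

Devices in the `unknown` bucket deserve the same follow-up as `needs_update`, since a blank or free-text patch field gives no evidence that the fix is installed.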

The bottom line on Samsung’s critical zero‑day fix

This is a critical, actively exploited vulnerability in a core graphics component. If you have a Samsung phone, download the newest security update when it is available to you and stay up to date on your apps and Play system components. One of the most useful things you can do to keep attackers out of your device is to patch quickly.
