Samsung Galaxy flaws exposed remote image RCE and SystemUI privilege escalation
Samsung disclosed multiple vulnerabilities affecting Galaxy devices, including remote code execution flaws in the proprietary Quram image codec and a separate improper access control bug in the Routines automation feature. CVE-2025-21042 and CVE-2025-21043 are out-of-bounds write issues in libimagecodec.quram.so that can be triggered by specially crafted images delivered through MMS, email attachments, messaging apps, or web content, potentially with little or no user interaction, because the codec parses untrusted image data before the user opens anything. Samsung said CVE-2025-21042 was fixed in the April 2025 Security Maintenance Release (SMR), while CVE-2025-21043 was addressed in the September 2025 SMR. SMR fixes ship inside Samsung's monthly firmware builds, so a device is only protected once its carrier or regional build reaches the corresponding security patch level.
The disclosures revive longstanding concerns around Samsung's proprietary image parsing stack, which Google Project Zero previously showed could be exploited through malformed Qmage images in a zero-click MMS chain that achieved code execution on a Galaxy Note 10+. Samsung also patched CVE-2025-21058, an improper access control flaw in Galaxy Routines that allowed a local attacker (a malicious app already on the device) to execute arbitrary code with SystemUI privileges on builds earlier than 4.8.7.1 on Android 15 and 4.9.6.0 on Android 16. Separately, Google fixed Android framework flaw CVE-2025-32322 in the September 2025 Android Security Bulletin after it was found to let a malicious app bypass the MediaProjection consent dialog and silently capture screen content on Android 13 and 14.
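The following triage helper is an added example, not code from Samsung, ZeroPath or Mallory. Given a device's Android security patch level and its Galaxy Routines version, it reports which of the CVEs above remain open, using only the SMR months and fixed Routines builds stated in this story. Two details are assumptions of mine that the page does not state: that Routines is installed as the package com.samsung.android.app.routines, and that a Samsung SMR for a given month sets ro.build.version.security_patch to the first day of that month. The optional --device mode pulls both values from a connected handset over adb; without it the script only defines the functions.

```shell
#!/bin/sh
# Added triage helper (not Samsung's, ZeroPath's or Mallory's code).
# Assumptions not stated on the page: Routines ships as the package
# com.samsung.android.app.routines, and Samsung's monthly SMR sets
# ro.build.version.security_patch to YYYY-MM-01 for that month.

# vercmp A B -> prints -1, 0 or 1 after comparing dotted numeric versions
# component by component (missing trailing components count as 0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# routines_status ANDROID_RELEASE ROUTINES_VERSION -> vulnerable | fixed | unknown
# Fixed builds per the advisory: 4.8.7.1 on Android 15, 4.9.6.0 on Android 16.
# CVE-2025-21058 is only scoped to those two releases, so anything else is "unknown".
routines_status() {
    case "$1" in
        15) fixed=4.8.7.1 ;;
        16) fixed=4.9.6.0 ;;
        *)  echo unknown; return ;;
    esac
    if [ "$(vercmp "$2" "$fixed")" -lt 0 ]; then echo vulnerable; else echo fixed; fi
}

# spl_covers PATCH_LEVEL REQUIRED -> succeeds when the device patch level
# (YYYY-MM-DD) is at or after the SMR that shipped the fix.
spl_covers() {
    d=$(printf '%s' "$1" | tr -d -)
    r=$(printf '%s' "$2" | tr -d -)
    case "$d" in
        ''|*[!0-9]*) return 1 ;;   # empty or malformed level: treat as not covered
    esac
    [ "$d" -ge "$r" ]
}

# quram_status PATCH_LEVEL -> "patched" or "missing: <CVE list>" for the two
# libimagecodec.quram.so fixes (April 2025 SMR and September 2025 SMR).
quram_status() {
    missing=""
    spl_covers "$1" 2025-04-01 || missing="$missing CVE-2025-21042"
    spl_covers "$1" 2025-09-01 || missing="$missing CVE-2025-21043"
    [ -n "$missing" ] && echo "missing:$missing" || echo "patched"
}

# Live check against a connected device: sh triage.sh --device
if [ "${1:-}" = "--device" ]; then
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    rv=$(adb shell dumpsys package com.samsung.android.app.routines \
         | sed -n 's/^ *versionName=//p' | head -n 1 | tr -d '\r')
    echo "security patch $spl: $(quram_status "$spl")"
    echo "Routines $rv on Android $rel: $(routines_status "$rel" "$rv")"
fi
```

The version comparison is done in awk rather than with sort -V so the script runs on a plain POSIX sh; the patch-level check deliberately fails closed on an empty or malformed property value, since a device that cannot report its level should be treated as unpatched until verified.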

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Samsung discloses and fixes CVE-2025-21058 in Routines
Samsung disclosed CVE-2025-21058 in October 2025 and fixed the improper access control flaw in Galaxy Routines by adding authorization checks in versions 4.8.7.1 for Android 15 and 4.9.6.0 for Android 16.
Samsung patches CVE-2025-21043 in September 2025 SMR
Samsung addressed CVE-2025-21043, a high-severity out-of-bounds write in the Quram image codec that could enable remote code execution through crafted images delivered by MMS, email, or web content, in its September 2025 Security Maintenance Release.
Samsung fixes CVE-2025-21042 in April 2025 SMR
Samsung addressed CVE-2025-21042, an out-of-bounds write in libimagecodec.quram.so that could enable remote code execution via crafted images, in the April 2025 Security Maintenance Release.
Google fixes MediaProjection bypass in September 2025 bulletin
Google confirmed CVE-2025-32322 in the September 2025 Android Security Bulletin and fixed the MediaProjection consent-dialog bypass in security patch level 2025-09-05.
Samsung patches Qmage vulnerabilities under CVE-2020-8899
Samsung patched the reported Qmage codec flaws in May 2020, tracking them under CVE-2020-8899 and SVE-2020-16747.
Project Zero reports multiple Qmage flaws to Samsung
Mateusz Jurczyk reported numerous memory corruption vulnerabilities in Samsung’s Qmage codec to Samsung in January 2020 after analyzing the proprietary image format and its attack surface.
Qmage codec integrated into Samsung devices
Google Project Zero reported that Samsung’s proprietary Qmage image codec had been deeply integrated into Samsung Android devices through the Skia graphics stack since late 2014, creating a broad attack surface for image parsing.
Sources
5 references tracked.
Samsung Routines CVE-2025-21058: Brief Summary of Improper Access Control in Android 15 and 16 - ZeroPath Blog (zeropath.com)
Samsung Quram Image Codec CVE-2025-21043 Out-of-Bounds Write: Brief Summary and Technical Review - ZeroPath Blog (zeropath.com)
CVE-2025-21042 in Samsung libimagecodec.quram.so: Brief Summary of a Critical Out-of-Bounds Write Vulnerability - ZeroPath Blog (zeropath.com)
Android MediaProjection Screen Recording Bypass (CVE-2025-32322): Brief Summary and Technical Review - ZeroPath Blog (zeropath.com)
MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface - Project Zero (googleprojectzero.blogspot.com)