Critical zero-day vulnerability in Samsung Galaxy

Nov. 17, 2025

In November 2025, a critical zero-day vulnerability in Samsung Galaxy devices, tracked as CVE-2025-21042, was disclosed as having been actively exploited by sophisticated commercial spyware known as LANDFALL. The flaw was an out-of-bounds write vulnerability in Samsung's image processing library, libimagecodec.quram.so, which allowed for zero-click Remote Code Execution (RCE).


Key Details of the Vulnerability

  • CVE ID: CVE-2025-21042.

  • Vulnerability Type: Out-of-bounds write in an image decoding library.

  • Attack Method: Attackers sent a maliciously crafted DNG (Digital Negative format) image file, likely via apps such as WhatsApp, that could compromise the device without any user interaction (zero-click).

  • Impact: The spyware enabled comprehensive surveillance, including microphone recording, location tracking, and collection of photos, contacts, and call logs.

  • Affected Devices: Specific high-end Samsung Galaxy models, including the Galaxy S22, S23, S24 series, Z Fold4, and Z Flip4, running Android 13, 14, and 15 were impacted.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog on November 10, 2025, requiring federal agencies to apply mitigations or discontinue use of unpatched products by December 1, 2025.


Users of affected Samsung Galaxy devices should take the following actions immediately:


  • Update your device: Ensure your smartphone's operating system and security patches are up to date. You can check for updates in your device settings: go to Settings > Software update > Download and install.

  • Exercise caution: Avoid opening random messages or image files from unknown contacts.

  • Stay informed: Monitor official Samsung security advisories and news from reputable cybersecurity sources for future threats. Samsung's security updates are detailed on their Mobile Security page.

 
 
 
