Skip to main content

Samsung Quram Codec CVE-2026-21045

| EUVDEUVD-2026-42816 HIGH
2026-07-10 mobile.security@samsung.com GHSA-rw4v-99fx-2m8m
8.3
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Remote crafted image but reaching the TIFF parser is a real precondition, so AC:H; no auth or interaction (PR:N/UI:N); memory-write gives I:H, minor A:L, no C impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 05:41 vuln.today

DescriptionCVE.org

Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allows remote attackers to write out-of-bounds memory.

AnalysisAI

Out-of-bounds memory write in the Quram image codec (libimagecodec.media.quram.so) used by Samsung mobile devices allows remote attackers to corrupt memory while the library parses a malformed TIFF image, affecting builds prior to SMR Jul-2026 Release 1. Reported by Samsung's own mobile security team, the flaw carries a CVSS 4.0 base score of 8.3 (High) with a network vector and no privileges or user interaction required, though an attack requirement (AT:P) indicates a specific precondition. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious TIFF image
Delivery
Deliver via message or web to Samsung device
Exploit
Quram library parses TIFF
Execution
Trigger out-of-bounds write
Impact
Corrupt decoding-process memory

Vulnerability AssessmentAI

Exploitation Exploitation requires the target device to decode an attacker-crafted TIFF image through the Quram codec (libimagecodec.media.quram.so) on a build below SMR Jul-2026 Release 1 - the specific trigger is TIFF-format parsing, not arbitrary image handling. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent: the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) points to remote, unauthenticated, no-interaction reachability, but the AT:P flag signals a genuine attack requirement - the target must actually receive and decode the malicious TIFF through a path that reaches the Quram parser, which is not guaranteed on every device or messaging configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious TIFF image with manipulated header/offset fields and delivers it to a target device through a messaging attachment, malicious webpage, or app that triggers image decoding by the Quram library. When the platform parses the TIFF, the out-of-bounds write corrupts adjacent memory in the decoding process; given AC:L, the trigger is reliable once the parser is reached, though the AT:P precondition means the specific delivery/decode path must be exercised. …
Remediation Vendor-released patch: SMR Jul-2026 Release 1 - apply the July 2026 Samsung Maintenance Release (or later) via the device's software update mechanism as the primary fix, consulting the advisory at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=07 for the exact patch level and covered models. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Samsung mobile devices using MDM/asset management tools, identify devices running builds prior to SMR Jul-2026 Release 1, and establish monitoring for device crashes or unexplained reboots. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy