Impact
An out‑of‑bounds read flaw (CWE-125) exists in Samsung’s libimagecodec.quram.so. The vulnerability permits a remote attacker to read memory locations beyond the intended buffer, potentially exposing sensitive data stored in device memory.
Affected Systems
Samsung mobile devices running Android 13.0, 14.0, 15.0 and 16.0 across a broad range of SMR update streams are affected. All versions prior to SMR Jan‑2026 Release 1 are vulnerable, including the monthly, seasonal and quarterly releases from early 2021 through the August, October and December 2025 updates.
Risk and Exploitability
With a CVSS score of 5.3, this vulnerability is rated moderate. The EPSS score is below 1%, indicating a low likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote: an attacker would need the vulnerable library to process attacker-controlled input, for example a malicious media file or any other input that is decoded by the library. The flaw does not by itself enable code execution, but the memory contents it discloses could be combined with other weaknesses to build a more sophisticated attack. The overall risk to an organisation is low to moderate, but timely patching is warranted to prevent information disclosure.
OpenCVE Enrichment