www.belgium.be Logo of the federal government

Samsung Android multiple 0-click RCEs and other remote access issues in Qmage image codec

Advisory #2020-016
Affected software: 
Samsung Android OS versions 8.x
Samsung Android OS versions 9.0
Samsung Android OS versions 10.0
Remote Code Execution (RCE)

- CVE-2020-8899
- SVE-2020-16747
- CVSSv3 10.0




An unauthenticated attacker can send a specially crafted MMS message to a vulnerable Android phone, which will trigger a buffer overflow within the Quram image codec leading to an arbitrary remote code execution without the need for user interaction.


There is a buffer overflow vulnerability present in the Quram qmg library used within Android OS for the handling of certain images.

This issue makes it possible for an unauthorized attacker to embedded a payload within a custom made MMS message. Vulnerable phones will then perform arbitrary remote code execution on the root level without any user interaction. All devices sold starting from 2015 are susceptible for this attack, but to perform this attack an adversary will need to send multiple MMS messages to fully exploit the device.

Recommended Actions

CERT.be recommends installing the latest updates for Samsung devices to resolve this issue and many other vulnerabilities.

As an extra measure, you could consider restricting the processing of MMS messages on your phone, if applicable to your need for this service. Instructions on how to do this can be found here: