search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Samsung Qmage codec for Android Skia library does not properly validate image files

Vulnerability Note VU#366027

Original Release Date: 2020-05-14 | Last Revised: 2020-05-15


The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file.


The Samsung May 2020 Android Security Update notes that "a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution." Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system.

Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.


Exploitation of this vulnerability permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Apply an update

Samsung has released fixes in the May 2020 Android Security Update.

Vendor Information


Samsung Affected

Updated:  May 14, 2020



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:ND
Environmental 7.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



This vulnerability was published by Mateusz Jurczyk at Google Project Zero.

This document was written by Eric Hatleback.

Other Information

CVE IDs: CVE-2020-8899
Date Public: 2020-01-28
Date First Published: 2020-05-14
Date Last Updated: 2020-05-15 14:53 UTC
Document Revision: 12

Sponsored by CISA.