The exploit chain, end to end
The Chain
A crafted DNG travels from an attacker's WhatsApp identity to arbitrary code inside the victim's ImageIO process — with no tap, no preview, no user interaction at any stage.
00 Attacker: Craft DNG + sync message
01 WhatsApp: Linked-device protocol
02 Authz Bypass (CVE-2025-55177 · CWE-863): Sync accepted without auth
03 ImageIO (CVE-2025-43300 · CWE-787): DNG parser OOB write
04 RCE: Code in parser process
For the heap corruption primitive in stage 03, see the heap lab.
For the linear stack-smashing analogue, see the stack lab.
Public patch excerpts for analogous bugs in open-source parsers: patches.