Go straight to the menu Go straight to the text

Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can be rest assured the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Acknowledgements

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2020 package. The Bulletin (January 2020) contains the following CVE items:

Critical
CVE-2019-2242, CVE-2019-10500, CVE-2019-10525, CVE-2019-2204, CVE-2020-0002(O8.x, P9.0)

High
CVE-2019-10513, CVE-2019-10517, CVE-2017-0510, CVE-2017-0648, CVE-2019-10487, CVE-2019-10516, CVE-2019-10607, CVE-2019-15239, CVE-2018-20961, CVE-2018-11980, CVE-2019-10480, CVE-2019-10536, CVE-2019-10537, CVE-2019-10557, CVE-2019-10595, CVE-2019-10598, CVE-2019-10600, CVE-2019-10601, CVE-2019-10605, CVE-2019-2231, CVE-2020-0001(O8.x, P9.0), CVE-2020-0003, CVE-2020-0004, CVE-2020-0006, CVE-2020-0007, CVE-2020-0008, CVE-2019-2218, CVE-2019-2208

Moderate
CVE-2020-0001(Q10.0), CVE-2020-0002(Q10.0)

Already included in previous updates
CVE-2019-2274, CVE-2019-10481, CVE-2019-2304

Not applicable to Samsung devices
CVE-2019-10482, CVE-2019-15220


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 17 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR January-2020 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2019-14575: Brute force attack on screen lock password

Severity: High
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos7885, Exynos8895, Exynos9810 chipsets
Reported on: May 17, 2019
Disclosure status: Privately disclosed
A vulnerable design in Gatekeeper trustlet allows brute force attack on screen lock password. And previous patch caused unexpected side effects that required a fix.
The patch adds exception handling to prevent unexpected close of Gatekeeper trustlet.


SVE-2019-15872: Improper aligned size check leads buffer overflow in secure bootloader

Severity: Critical
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipset
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
An invalid check of usb buffer size in Secure Bootloader allows arbitrary code execution.
The patch adds proper size check logic of usb buffer.


SVE-2019-15876: Stack overflow in the kperfmon driver

Severity: Low
Affected Versions: P(9.0), Q(10.0)
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability exists in kperfmon driver.
The patch adds proper boundary check logic of kernel buffer length.


SVE-2019-15877: Stack overflow in display driver

Severity: Low
Affected Versions: Selected O(8.x), P(9.0), Q(10.0) devices
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in display driver allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16010, SVE-2019-16011, SVE-2019-16012: Leakage of cached data in Gallery

Severity: Moderate
Affected Versions: P(9.0)
Reported on: October 25, 2019
Disclosure status: Privately disclosed.
A vulnerability in Gallery allows leakage of cached contents.
The patch moves the cache file to the application's sandbox.


SVE-2019-16088: Stack overflow in Baseband

Severity: Critical
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets
Reported on: November 7, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in baseband allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16161: Kernel stack address leak

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: November 18, 2019
Disclosure status: Privately disclosed.
A vulnerability exposes kernel stack address to userspace.
The patch restricts the capability of the interface to prevent address exposure.


SVE-2019-16192: FRP Bypass using AppTray

Severity: Moderate
Affected Versions: P(9.0)
Reported on: November 25, 2019
Disclosure status: Publicly disclosed.
A vulnerability allows FRP bypass with AppTray.
The patch addressed the issue.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Chao Cheng Yu of TeamT5: SVE-2019-14575, SVE-2019-15872
- Jianqiang Zhao: SVE-2019-15876, SVE-2019-15877
- Andr. Ess: SVE-2019-16010, SVE-2019-16011, SVE-2019-16012
- Fluoroacetate working with Zero Day Initiative: SVE-2019-16088
- Dong-Hoon Yoo: SVE-2019-16161
- PASCA IOAN MIRCEA: SVE-2019-16192