
Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may delay planned security updates. Users can rest assured, however, that OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver security patches as soon as possible to all applicable models, delivery time may vary by region and model.
  • Some patches that come from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in an upcoming security update package as soon as they are ready to deliver.


SMR Apr-2019

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Apr 2019 package. The Bulletin (Apr 2019) contains the following CVE items:

Critical
CVE-2018-11817, CVE-2018-11958, CVE-2019-2027, CVE-2019-2028, CVE-2019-2029

High
CVE-2018-11970, CVE-2018-11966, CVE-2018-11971, CVE-2018-10879, CVE-2019-2025, CVE-2018-10883, CVE-2018-13899, CVE-2018-13917, CVE-2019-2023, CVE-2019-2003, CVE-2019-2026, CVE-2019-2030, CVE-2019-2031, CVE-2019-2032, CVE-2019-2033, CVE-2019-2034, CVE-2019-2035, CVE-2019-2037, CVE-2019-2038, CVE-2019-2039, CVE-2019-2040

Moderate
None

Already included in previous updates
CVE-2018-13918, CVE-2017-8252(A-79419898, A-79420414)

Not applicable to Samsung devices
CVE-2019-2024, CVE-2017-8252(A-112277630, A-112279542, A-114041175)


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 15 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) shown under “Security software version” for this release is SMR Apr-2019 Release 1; it includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13164, SVE-2018-13156: Change of protected features without authentication via Emergency mode

Severity: Moderate
Affected Versions: N(7.x), O(8.x), P(9.0) devices
Reported on: October 9, 2018
Disclosure status: Privately disclosed.
An improper startup procedure in Emergency mode allows an unauthorized user to accept the Emergency mode EULA in place of the device owner and disable some protected features without any prior authentication.
The patch adds an authentication step before Emergency mode is started.


SVE-2019-13899: Smartwatch bug

Severity: High
Affected Versions: P(9.0) devices
Reported on: January 25, 2019
Disclosure status: Privately disclosed.
A vulnerability in Secure Folder allows Secure Folder notification content to be shown on a paired smartwatch.
The patch adds a notification ID check and rejects notifications that originate from Secure Folder.


SVE-2019-13910: Arbitrary code execution in Trustlet

Severity: Critical
Affected Versions: N(7.x), O(8.x) devices with Exynos 7570, 7870, 7880, 7885, 8890, 8895, 9810 chipsets
Reported on: January 29, 2019
Disclosure status: Privately disclosed.
A double-fetch vulnerability in a Trustlet allows arbitrary code execution in the TEE.
The patch eliminates the double fetch in the Trustlet.
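The double-fetch pattern behind this class of Trustlet bug, as an added example that is not Samsung's or the Trustlet's code: a trusted application reads a length field from a buffer shared with the normal world, checks it, then reads it again when it performs the copy, and the normal world can change the field between the two reads. The request layout, the buffer sizes and the race hook are constructed for the demonstration; the hook stands in for the normal world being scheduled between the two fetches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* World-shared request buffer (constructed layout). The normal world writes it
 * and the trusted application (TA) reads it; it stays mapped and writable while
 * the TA runs, so its contents can change between two reads. */
#define REQ_DATA_MAX 256
#define TA_BUF_CAP    64                  /* capacity the TA's destination is meant to have */

struct ta_req {
    volatile uint32_t len;                /* attacker-controlled; volatile forces two real reads */
    uint8_t data[REQ_DATA_MAX];
};

/* Stand-in for the normal world running between the TA's two reads of len. */
typedef void (*race_t)(struct ta_req *);

/* Vulnerable: len is fetched twice. The first fetch is validated, the second
 * (after the race window) is what the copy actually uses. Returns bytes copied
 * or -1 if rejected. */
long ta_handle_vulnerable(struct ta_req *shared, uint8_t *dst, race_t race)
{
    if (shared->len > TA_BUF_CAP)         /* fetch #1: validate */
        return -1;
    if (race) race(shared);               /* normal world runs here */
    uint32_t n = shared->len;             /* fetch #2: use (may differ from fetch #1) */
    memcpy(dst, shared->data, n);         /* overflows a TA_BUF_CAP-byte dst if len grew */
    return n;
}

/* Fixed: fetch len once into TA-private memory, then validate and use that copy. */
long ta_handle_fixed(struct ta_req *shared, uint8_t *dst, race_t race)
{
    uint32_t n = shared->len;             /* single fetch */
    if (n > TA_BUF_CAP)
        return -1;
    if (race) race(shared);               /* shared->len may change, n cannot */
    memcpy(dst, shared->data, n);
    return n;
}

/* Simulated attacker: grows len after the TA has validated it. */
void attacker_grow_len(struct ta_req *r) { r->len = REQ_DATA_MAX; }

int main(void)
{
    static struct ta_req req;
    static uint8_t dst[REQ_DATA_MAX];     /* oversized so the demonstration itself is memory-safe */

    req.len = 16;
    printf("vulnerable: copied %ld bytes into a buffer meant to hold %d\n",
           ta_handle_vulnerable(&req, dst, attacker_grow_len), TA_BUF_CAP);
    req.len = 16;
    printf("fixed:      copied %ld bytes\n", ta_handle_fixed(&req, dst, attacker_grow_len));
    return 0;
}
```

The local copy is the whole fix: every later decision is made on a value the normal world can no longer touch. The same rule applies to any header, offset or count read out of shared memory, and to structures that the compiler might legitimately re-read from the mapping if they are not copied first.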


SVE-2019-13963: Stack overflow in Baseband

Severity: Critical
Affected Versions: N(7.x), O(8.x), Go(8.1), P(9.0), Go(9.0) devices with Exynos chipsets
Reported on: February 5, 2019
Disclosure status: Privately disclosed.
A stack overflow vulnerability in the baseband allows arbitrary code execution.
The patch adds a length check to the baseband code.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Andr. Ess: SVE-2018-13164, SVE-2018-13156
- Bogdan: SVE-2019-13899
- Eloi Sanfelix: SVE-2019-13910


SMR Mar-2019

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Mar 2019 package. The Bulletin (Mar 2019) contains the following CVE items:

Critical
CVE-2018-11262, CVE-2018-11289, CVE-2018-11820, CVE-2018-11938, CVE-2018-11945, CVE-2019-1989, CVE-2019-1990, CVE-2019-2009

High
CVE-2018-10879, CVE-2019-1999, CVE-2019-2000, CVE-2019-2001, CVE-2018-11280, CVE-2018-13900, CVE-2018-13905, CVE-2018-11268, CVE-2018-11845, CVE-2018-11864, CVE-2018-11921, CVE-2018-11931, CVE-2018-11932, CVE-2018-11935, CVE-2018-11948, CVE-2018-5839, CVE-2018-13904, CVE-2018-20346, CVE-2019-1985, CVE-2019-2004, CVE-2019-2006, CVE-2019-2007, CVE-2019-2008, CVE-2019-2010, CVE-2019-2011, CVE-2019-2012, CVE-2019-2013, CVE-2019-2014, CVE-2019-2015, CVE-2019-2016, CVE-2019-2017, CVE-2019-2018, CVE-2018-9561, CVE-2018-9563, CVE-2018-9564, CVE-2019-2019, CVE-2019-2020, CVE-2019-2021, CVE-2019-2022

Moderate
CVE-2019-2005

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2018-6271, CVE-2018-6267, CVE-2018-6268, CVE-2016-6684, CVE-2018-11275


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 11 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) shown under “Security software version” for this release is SMR Mar-2019 Release 1; it includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13162: TCP SYN Packet Denial of Service Vulnerability on the WIFI interface

Severity: High
Affected Versions: N(7.x), O(8.x) devices with Broadcom WIFI and SEC WIFI chipsets
Reported on: October 9, 2018
Disclosure status: Privately disclosed.
A vulnerability in WIFI allows denial of service through memory exhaustion under a TCP SYN flooding attack.
The patch prevents memory exhaustion once a TCP SYN flooding attack is detected.


SVE-2018-13452: Time based SQL injection in Contacts

Severity: High
Affected versions: N(7.x), O(8.x) devices
Reported on: November 11, 2018
Disclosure status: Privately disclosed.
A possible time-based SQL injection vulnerability in the Contacts application allows unauthorized access to contact information.
The patch passes user-supplied values through query placeholders (bound parameters) instead of building the SQL statement from them, which prevents SQL injection in the Contacts application.


SVE-2018-13453: Unauthorized access to sensitive information in Allshare

Severity: High
Affected Versions: N(7.x), O(8.x), P(9.0) devices
Reported on: November 11, 2018
Disclosure status: Privately disclosed.
A vulnerability in the Allshare file-share service allows unauthorized access to sensitive device information.
The patch moves the storage path of the device information into a sandboxed area.


SVE-2018-13467: Heap Overflow in Baseband(SS ASN Decoding)

Severity: Critical
Affected versions: O(8.x) devices with Exynos chipsets
Reported on: November 13, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in the baseband allows arbitrary code execution.
The patch adds a length check to the baseband code.


SVE-2018-13547: FRP bypass using SVoice T&C

Severity: Low
Affected Versions: N(7.x), O(8.x) devices
Reported on: November 21, 2018
Disclosure status: Privately disclosed.
External link exposure in SVoice T&C allows Factory Reset Protection (FRP) bypass.
The patch prevents access to the specific link by removing the URL in T&C.


SVE-2018-13563: Leakage of private mode content’s thumbnail

Severity: Moderate
Affected versions: Selected N(7.x), O(8.x) devices that support Private Mode
Reported on: November 27, 2018
Disclosure status: Privately disclosed.
A vulnerability in Gallery leaks thumbnails of Private Mode content.
The patch changes the handling of the cache file so that Private Mode content is no longer accessible through it.


SVE-2018-13764: Preview exposure of Secure Folder

Severity: Moderate
Affected versions: P(9.0) devices
Reported on: December 28, 2018
Disclosure status: Privately disclosed.
A vulnerability in Secure Folder allows exposure of preview in recent apps.
The patch fixes Secure Folder to protect preview in recent apps.


SVE-2018-13765: Unpinning of app without authentication

Severity: Moderate
Affected versions: P(9.0) devices
Reported on: December 28, 2018
Disclosure status: Privately disclosed.
A vulnerability in Pin Window feature allows unpinning of app without authentication.
The patch fixes Pin Window to enforce authentication when unpinning app.


SVE-2019-13773: Secure startup bug

Severity: Moderate
Affected versions: P(9.0) devices
Reported on: January 3, 2019
Disclosure status: Privately disclosed.
A vulnerability in Secure Startup feature allows exposure of keyboard suggested words.
The patch blocks Samsung Keyboard from showing suggested words in the Secure Startup.


SVE-2019-13814, SVE-2019-13815: Security setting modifications without authentication

Severity: High
Affected versions: P(9.0) devices
Reported on: January 12, 2019
Disclosure status: Privately disclosed.
A vulnerability in Settings allows security settings to be modified without authentication via certain unprivileged activities.
The patch fixes Settings to protect the affected components from unprivileged activities.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Jelmer de Hen: SVE-2018-13452
- Pholwongsa, Voottisak: SVE-2018-13547
- Andr. Ess: SVE-2018-13453, SVE-2018-13563
- Bogdan: SVE-2018-13764, SVE-2018-13765, SVE-2019-13773, SVE-2019-13814, SVE-2019-13815
- Pierre Barre and Chaouki Kasmi from DarkMatter: SVE-2018-13162
- Fluoroacetate working with Zero Day Initiative: SVE-2018-13467


SMR Feb-2019

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Feb 2019 package. The Bulletin (Feb 2019) contains the following CVE items:

Critical
CVE-2019-1986, CVE-2019-1987, CVE-2019-1988, CVE-2019-1991, CVE-2019-1992

High
CVE-2018-13405, CVE-2018-10876, CVE-2018-10877, CVE-2018-10882, CVE-2018-18281, CVE-2018-12014, CVE-2017-17760, CVE-2018-5268, CVE-2018-5269, CVE-2019-1993, CVE-2019-1994, CVE-2019-1996, CVE-2019-1997, CVE-2019-1998

Moderate
CVE-2017-18009

Already included in previous updates
CVE-2018-11847, CVE-2018-17182, CVE-2018-11888, CVE-2018-11962, CVE-2018-13889

Not applicable to Samsung devices
CVE-2018-10880, CVE-2018-6241, CVE-2018-13888, CVE-2019-1995


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) shown under “Security software version” for this release is SMR Feb-2019 Release 1; it includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13187: Heap overflow in Baseband

Severity: Critical
Affected Versions: N(7.x), O(8.x), P(9.0) devices with Exynos chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in the baseband may cause memory corruption.
The patch adds a length check to the baseband code.


SVE-2018-13188: Stack overflow in Baseband

Severity: Critical
Affected versions: N(7.x), O(8.x), P(9.0) devices with Exynos chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in baseband allows arbitrary code execution.
The patch adds length check code in the baseband.


SVE-2018-13060: Possible uninitialized memory disclosure in Gallery

Severity: Low
Affected Versions: N(7.1), O(8.x), P(9.0) devices
Reported on: September 26, 2018
Disclosure status: Privately disclosed.
A vulnerability in the library that parses the images exposes memory when opening images via Gallery app.
The patch addresses the memory exposure in Gallery app.


SVE-2018-12981: Keyboard learned words are leaked on the lock screen via S-Voice

Severity: Moderate
Affected versions: N(7.x), O(8.x) devices
Reported on: September 9, 2018
Disclosure status: Privately disclosed.
A vulnerability in Keyboard allows access to learned words via S-Voice in the locked state.
The patch blocks access to Keyboard’s learned words in the lock screen.


SVE-2018-13427: Information disclosure in the ion debugfs driver

Severity: Low
Affected Versions: N(7.1), O(8.x) devices with Exynos chipsets
Reported on: November 5, 2018
Disclosure status: Privately disclosed.
A possible information leak vulnerability exists in the ion debugfs driver.
The patch stops the driver from printing the leaked information to the kernel log.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Belchenko Artem: SVE-2018-13060
- Bogdan: SVE-2018-12981
- Jianqiang Zhao: SVE-2018-13427


SMR Jan-2019

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Jan 2019 package. The Bulletin (Jan 2019) contains the following CVE items:

Critical
CVE-2018-11279, CVE-2017-8248, CVE-2018-9583

High
CVE-2017-18160, CVE-2018-9568, CVE-2018-11963, CVE-2018-11960, CVE-2018-9565, CVE-2017-18329, CVE-2017-18326, CVE-2017-18321, CVE-2017-18323, CVE-2017-18324, CVE-2017-18332, CVE-2017-18319, CVE-2017-18322, CVE-2017-18328, CVE-2018-5915, CVE-2018-9582, CVE-2018-9584, CVE-2018-9585, CVE-2018-9586, CVE-2018-9587, CVE-2018-9588, CVE-2018-9589, CVE-2018-9590, CVE-2018-9591, CVE-2018-9592, CVE-2018-9593, CVE-2018-9594

Moderate
None

Already included in previous updates
CVE-2018-11267, CVE-2018-11961, CVE-2018-10840, CVE-2018-5869, CVE-2017-18320, CVE-2017-11004, CVE-2017-18141, CVE-2017-8276, CVE-2018-3595, CVE-2017-18330, CVE-2018-11999, CVE-2018-5868, CVE-2018-5867, CVE-2017-18331, CVE-2017-18327, CVE-2017-5754, CVE-2018-5913

Not applicable to Samsung devices
CVE-2018-11922, CVE-2018-9567


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 4 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) shown under “Security software version” for this release is SMR Jan-2019 Release 1; it includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13162: TCP SYN Packet Denial Of Service Vulnerability on the WIFI interface

Severity: High
Affected Versions: N(7.0), O(8.x) devices with Exynos 9810 chipset
Reported on: October 9, 2018
Disclosure status: Privately disclosed.
A vulnerability in WIFI allows denial of service due to memory exhaustion from TCP SYN flooding attack.
The patch prevents memory exhaustion when TCP SYN flooding attack is detected.
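The mitigation behind this item and its Mar-2019 re-listing (SVE-2018-13162), as an added example that is not Samsung's or Broadcom's driver code: a half-open (SYN_RECV) table whose memory is fixed at compile time, a simple per-window SYN-rate detector, and a policy that stops keeping state for new SYNs once a flood is detected, the way SYN cookies do (the cookie computation itself is outside this example). The cap, the window, the threshold and the traffic are all constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HALF_OPEN_MAX   64           /* hard cap on SYN_RECV state (assumed value) */
#define FLOOD_WINDOW_US 1000000ULL   /* detector window: 1 s (assumed) */
#define FLOOD_THRESHOLD 200          /* SYNs per window that count as a flood (assumed) */

struct syn       { uint32_t src; uint16_t sport; uint64_t t_us; };   /* one arriving SYN */
struct half_open { uint32_t src; uint16_t sport; uint64_t t_us; };   /* SYN_RECV entry */

struct synq {
    struct half_open slots[HALF_OPEN_MAX];  /* fixed storage: memory use cannot grow with traffic */
    size_t   used;
    uint64_t window_start;
    unsigned window_syns;
    int      flood;        /* set while the SYN rate exceeds FLOOD_THRESHOLD */
    size_t   recycled;     /* oldest half-open overwritten instead of allocating */
    size_t   stateless;    /* SYNs answered without keeping any state */
};

void synq_init(struct synq *q) { memset(q, 0, sizeof *q); }

/* Returns 0: SYN took a free slot; 1: it recycled the oldest half-open;
 * 2: a flood is in progress, so the SYN is answered without storing anything. */
int synq_on_syn(struct synq *q, const struct syn *s)
{
    if (s->t_us - q->window_start >= FLOOD_WINDOW_US) {   /* new measurement window */
        q->window_start = s->t_us;
        q->window_syns = 0;
    }
    q->window_syns++;
    q->flood = q->window_syns > FLOOD_THRESHOLD;

    if (q->flood) {                  /* detected flood: never allocate per SYN */
        q->stateless++;
        return 2;
    }

    struct half_open e = { s->src, s->sport, s->t_us };
    if (q->used < HALF_OPEN_MAX) {
        q->slots[q->used++] = e;
        return 0;
    }

    /* Table full below the flood threshold: overwrite the oldest half-open, which
     * is the one least likely to complete its handshake, rather than grow. */
    size_t oldest = 0;
    for (size_t i = 1; i < HALF_OPEN_MAX; i++)
        if (q->slots[i].t_us < q->slots[oldest].t_us)
            oldest = i;
    q->slots[oldest] = e;
    q->recycled++;
    return 1;
}

/* Drives the table with n SYNs arriving every gap_us from distinct spoofed
 * sources (constructed traffic). Returns how many entries were recycled. */
size_t synq_simulate(struct synq *q, size_t n, uint64_t gap_us)
{
    synq_init(q);
    for (size_t i = 0; i < n; i++) {
        struct syn s = { 0x0a000000u + (uint32_t)i, (uint16_t)(1024 + i), i * gap_us };
        synq_on_syn(q, &s);
    }
    return q->recycled;
}

int main(void)
{
    struct synq q;
    size_t r = synq_simulate(&q, 1000, 1000);   /* 1000 SYN/s from 1000 sources: flood */
    printf("flood=%d used=%zu recycled=%zu stateless=%zu state=%zu bytes\n",
           q.flood, q.used, r, q.stateless, sizeof q);
    synq_simulate(&q, 50, 100000);              /* 10 SYN/s: normal traffic */
    printf("flood=%d used=%zu stateless=%zu\n", q.flood, q.used, q.stateless);
    return 0;
}
```

Two properties matter: the table's size is `sizeof(struct synq)` no matter how many SYNs arrive, and once the detector trips, a SYN costs no memory at all. A production stack would also age entries out on a timer; the example keeps only the pieces needed to show the bound.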


SVE-2018-13467: Heap Overflow in Baseband (SS ASN Decoding)

Severity: Critical
Affected versions: O(8.x) devices with Exynos 9810 chipset
Reported on: November 13, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in baseband allows arbitrary code execution.
The patch adds length check code in the baseband.
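For the baseband length-check fixes in this and the earlier bulletins (SVE-2018-13467 here and in Mar-2019, SVE-2018-13187 and SVE-2018-13188 in Feb-2019, SVE-2019-13963 in Apr-2019), an added example that is not Samsung's baseband code: a small BER-style TLV decoder of the kind used for supplementary-service (SS) ASN.1 messages, once trusting the length the peer declares and once checking it against both the bytes actually present in the PDU and the destination buffer. The PDU bytes and buffer sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reads a BER length at *pos: short form (< 0x80) or long form (0x8N + N bytes).
 * Returns 0 and advances *pos, or -1 if the length field itself is malformed. */
static long ber_read_length(const uint8_t *in, size_t in_len, size_t *pos, size_t *value_len)
{
    if (*pos >= in_len) return -1;
    uint8_t b = in[(*pos)++];
    if (b < 0x80) { *value_len = b; return 0; }
    unsigned nbytes = b & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t)) return -1;   /* indefinite or absurd */
    if (*pos + nbytes > in_len) return -1;
    size_t v = 0;
    for (unsigned i = 0; i < nbytes; i++) v = (v << 8) | in[(*pos)++];
    *value_len = v;
    return 0;
}

/* Vulnerable: copies as many bytes as the peer declared. Returns bytes
 * consumed or -1. out_cap is ignored, so a declared length larger than the
 * destination overflows it, and one larger than the PDU reads past the input. */
long tlv_decode_vulnerable(const uint8_t *in, size_t in_len, uint8_t *tag,
                           uint8_t *out, size_t out_cap)
{
    size_t pos = 0, vlen;
    if (in_len < 1) return -1;
    *tag = in[pos++];
    if (ber_read_length(in, in_len, &pos, &vlen) < 0) return -1;
    (void)out_cap;                          /* declared length trusted */
    memcpy(out, in + pos, vlen);
    return (long)(pos + vlen);
}

/* Fixed: the declared length must fit both the remaining PDU and the destination. */
long tlv_decode_fixed(const uint8_t *in, size_t in_len, uint8_t *tag,
                      uint8_t *out, size_t out_cap)
{
    size_t pos = 0, vlen;
    if (in_len < 1) return -1;
    *tag = in[pos++];
    if (ber_read_length(in, in_len, &pos, &vlen) < 0) return -1;
    if (vlen > in_len - pos) return -1;     /* value must actually be present */
    if (vlen > out_cap) return -1;          /* and must fit the destination */
    memcpy(out, in + pos, vlen);
    return (long)(pos + vlen);
}

int main(void)
{
    uint8_t tag, out[256];                  /* oversized so the demonstration stays memory-safe */
    /* Constructed PDU: tag 0x04, long-form length 0x81 0xC8 = 200 bytes of value. */
    uint8_t pdu[256] = { 0x04, 0x81, 0xC8 };
    printf("vulnerable (32-byte destination): %ld\n",
           tlv_decode_vulnerable(pdu, sizeof pdu, &tag, out, 32));
    printf("fixed      (32-byte destination): %ld\n",
           tlv_decode_fixed(pdu, sizeof pdu, &tag, out, 32));
    return 0;
}
```

Both checks are needed: the destination check is what turns a stack or heap overflow into a rejected message, and the remaining-input check is what stops a short PDU from being read past its end. Checking only against the declared length, or only against the buffer, leaves one of the two bugs in place.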


SVE-2018-13474: Captive Portal redirection vulnerability

Severity: Moderate
Affected Versions: N(7.x), O(8.x), P(9.0) devices
Reported on: November 13, 2018
Disclosure status: Privately disclosed.
A vulnerability in Captive Portal handling allows automatic redirection to unsafe applications through custom URL schemes.
The patch blocks handling of custom schemes in Captive Portal to prevent the automatic redirection.
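One way to enforce the kind of restriction this patch describes, as an added example that is not Samsung's Captive Portal code: a check that lets a portal redirect through only when it is an absolute http or https URL, refusing custom schemes (intent:, market: and app-specific ones), javascript:, and anything without a scheme or an authority. The function name and the sample URLs are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if url may be opened by the captive-portal browser, 0 otherwise.
 * Only absolute http/https URLs with a host part are accepted; the scheme is
 * parsed per RFC 3986 (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":") and
 * compared case-insensitively, so "HTTPS://" passes and "intent://" does not. */
int portal_redirect_allowed(const char *url)
{
    if (url == NULL || !isalpha((unsigned char)url[0]))
        return 0;                                    /* no scheme, relative, or leading junk */

    size_t i = 1;
    while (url[i] && (isalnum((unsigned char)url[i]) ||
                      url[i] == '+' || url[i] == '-' || url[i] == '.'))
        i++;
    if (url[i] != ':')
        return 0;                                    /* scheme never terminated */

    char scheme[8];                                  /* longest accepted scheme is "https" */
    if (i >= sizeof scheme)
        return 0;
    for (size_t k = 0; k < i; k++)
        scheme[k] = (char)tolower((unsigned char)url[k]);
    scheme[i] = '\0';
    if (strcmp(scheme, "http") != 0 && strcmp(scheme, "https") != 0)
        return 0;                                    /* custom or scripting scheme */

    /* Require "://" and a non-empty authority so "http:" alone is refused. */
    return strncmp(url + i, "://", 3) == 0 && url[i + 3] != '\0';
}

int main(void)
{
    const char *samples[] = {                        /* constructed redirect targets */
        "https://portal.example/login",
        "HTTP://10.0.0.1/",
        "intent://scan/#Intent;scheme=zxing;end",
        "javascript:alert(1)",
        "market://details?id=com.example.app",
        "//evil.example/",
        "http:",
    };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-45s -> %s\n", samples[n],
               portal_redirect_allowed(samples[n]) ? "allow" : "block");
    return 0;
}
```

An allow-list of two schemes is deliberately narrower than a block-list of known bad ones: a new app-specific scheme registered by any installed application would otherwise become a fresh redirect target without any change to the portal code.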

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Pierre Barre and Chaouki Kasmi from DarkMatter: SVE-2018-13162
- Fluoroacetate working with Zero Day Initiative: SVE-2018-13467
- MWR Labs working with Zero Day Initiative: SVE-2018-13474