Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Feb 2019 package. The Bulletin (Feb 2019) contains the following CVE items:

Critical
CVE-2019-1986, CVE-2019-1987, CVE-2019-1988, CVE-2019-1991, CVE-2019-1992

High
CVE-2018-13405, CVE-2018-10876, CVE-2018-10877, CVE-2018-10882, CVE-2018-18281, CVE-2018-12014, CVE-2017-17760, CVE-2018-5268, CVE-2018-5269, CVE-2019-1993, CVE-2019-1994, CVE-2019-1996, CVE-2019-1997, CVE-2019-1998

Moderate
CVE-2017-18009

Low
None

NSI
None

Already included in previous updates
CVE-2018-11847, CVE-2018-17182, CVE-2018-11888, CVE-2018-11962, CVE-2018-13889

Not applicable to Samsung devices
CVE-2018-10880, CVE-2018-6241, CVE-2018-13888, CVE-2019-1995


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers’ confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Feb-2019 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13187: Heap overflow in Baseband

Severity: Critical
Affected Versions: N(7.x), O(8.x), P(9.0) devices with Exynos chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in baseband may cause memory issues.
The patch adds length check code in the baseband.


SVE-2018-13188: Stack overflow in Baseband

Severity: Critical
Affected versions: N(7.x), O(8.x), P(9.0) devices with Exynos chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in baseband allows arbitrary code execution.
The patch adds length check code in the baseband.


SVE-2018-13060: Possible uninitialized memory disclosure in Gallery

Severity: Low
Affected Versions: N(7.1), O(8.x), P(9.0) devices
Reported on: September 26, 2018
Disclosure status: Privately disclosed.
A vulnerability in the library that parses images exposes memory when images are opened via the Gallery app.
The patch addresses the memory exposure in the Gallery app.


SVE-2018-12981: Keyboard learned words are leaked on the lock screen via S-Voice

Severity: Moderate
Affected versions: N(7.x), O(8.x) devices
Reported on: September 9, 2018
Disclosure status: Privately disclosed.
A vulnerability in Keyboard allows access to learned words via S-Voice in the locked state.
The patch blocks access to Keyboard’s learned words on the lock screen.


SVE-2018-13427: Information disclosure in the ion debugfs driver

Severity: Low
Affected Versions: N(7.1), O(8.x) devices with Exynos chipsets
Reported on: November 5, 2018
Disclosure status: Privately disclosed.
A possible information leak vulnerability exists in the ion debugfs driver.
The patch prevents output of kernel driver in the kernel log.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Attila Fekecs: SVE-2018-13187, SVE-2018-13188
- Belchenko Artem: SVE-2018-13060
- Bogdan: SVE-2018-12981
- Jianqiang Zhao: SVE-2018-13427

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Jan 2019 package. The Bulletin (Jan 2019) contains the following CVE items:

Critical
CVE-2018-11279, CVE-2017-8248, CVE-2018-9583

High
CVE-2017-18160, CVE-2018-9568, CVE-2018-11963, CVE-2018-11960, CVE-2018-9565, CVE-2017-18329, CVE-2017-18326, CVE-2017-18321, CVE-2017-18323, CVE-2017-18324, CVE-2017-18332, CVE-2017-18319, CVE-2017-18322, CVE-2017-18328, CVE-2018-5915, CVE-2018-9582, CVE-2018-9584, CVE-2018-9585, CVE-2018-9586, CVE-2018-9587, CVE-2018-9588, CVE-2018-9589, CVE-2018-9590, CVE-2018-9591, CVE-2018-9592, CVE-2018-9593, CVE-2018-9594

Moderate
None

Low
None

NSI
None

Already included in previous updates
CVE-2018-11267, CVE-2018-11961, CVE-2018-10840, CVE-2018-5869, CVE-2017-18320, CVE-2017-11004, CVE-2017-18141, CVE-2017-8276, CVE-2018-3595, CVE-2017-18330, CVE-2018-11999, CVE-2018-5868, CVE-2018-5867, CVE-2017-18331, CVE-2017-18327, CVE-2017-5754, CVE-2018-5913

Not applicable to Samsung devices
CVE-2018-11922, CVE-2018-9567


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 4 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers’ confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Jan-2019 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2018-13162: TCP SYN Packet Denial Of Service Vulnerability on the WIFI interface

Severity: High
Affected Versions: N(7.0), O(8.x)
Reported on: Oct 9, 2018
Disclosure status: Privately disclosed.
A vulnerability in WIFI allows denial of service due to memory exhaustion from a TCP SYN flooding attack.
The patch prevents memory exhaustion when a TCP SYN flooding attack is detected.


SVE-2018-13467: Heap Overflow in Baseband (SS ASN Decoding)

Severity: Critical
Affected versions: O(8.x) devices with Exynos9810 chipset
Reported on: Nov 13, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in baseband allows arbitrary code execution.
The patch adds length check code in the baseband.


SVE-2018-13474: Captive Portal redirection vulnerability

Severity: Moderate
Affected Versions: N(7.x), O(8.x), P(9.0)
Reported on: November 13, 2018
Disclosure status: Privately disclosed.
A vulnerability in Captive Portal allows automatic redirection to unsafe applications.
The patch blocks handling of custom scheme in Captive Portal to prevent automatic redirection.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Pierre Barre and Chaouki Kasmi from DarkMatter: SVE-2018-13162
- Fluoroacetate working with Zero Day Initiative: SVE-2018-13467
- MWR Labs working with Zero Day Initiative: SVE-2018-13474