
Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from September 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2016-9794, CVE-2017-0756, CVE-2017-0757, CVE-2017-0758, CVE-2017-0759, CVE-2017-0760, CVE-2017-0761, CVE-2017-0762, CVE-2017-0763, CVE-2017-0764, CVE-2017-0765, CVE-2016-0842, CVE-2017-0781, CVE-2017-0782

High
CVE-2014-9940, CVE-2017-0648, CVE-2017-10661, CVE-2017-0421, CVE-2017-0752, CVE-2017-6983, CVE-2017-0755, CVE-2017-0767, CVE-2017-0768, CVE-2017-0769, CVE-2017-0770, CVE-2017-0771, CVE-2017-0772, CVE-2017-0773, CVE-2017-0774, CVE-2017-0775, CVE-2017-0776, CVE-2017-0777, CVE-2017-0778, CVE-2017-0670, CVE-2016-6712, CVE-2017-0783

Moderate
CVE-2017-0537, CVE-2017-0586, CVE-2017-8242, CVE-2017-8259, CVE-2017-8260, CVE-2017-8261, CVE-2017-8265, CVE-2017-8270, CVE-2017-0742, CVE-2017-9682, CVE-2017-0779, CVE-2017-0784, CVE-2017-0785

Low
CVE-2017-0650

Already included in previous updates
CVE-2017-8254, CVE-2014-9971, CVE-2014-9972, CVE-2014-9976, CVE-2015-0574, CVE-2015-8593, CVE-2015-8594, CVE-2015-9063, CVE-2015-9064, CVE-2015-9065, CVE-2016-10384, CVE-2016-10386

Not applicable to Samsung devices
CVE-2016-10385, CVE-2016-10390, CVE-2017-0750, CVE-2017-10662, CVE-2017-10663, CVE-2017-0741, CVE-2017-0753, CVE-2017-0766, CVE-2017-0780


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-9299: Arbitrary code execution with svoice privileges

Severity: High
Affected versions: M(6.0), N(7.x)
Reported on: May 22, 2017
Disclosure status: Privately disclosed.
A vulnerability in SVoice allows attackers to modify dynamic libraries included in the app, resulting in arbitrary code execution with SVoice privileges.
The patch prevents access to dynamic libraries.


SVE-2017-9357: Email can be sent by malicious application via unprotected component

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)
Reported on: May 27, 2017
Disclosure status: Privately disclosed.
An unprotected component of the Samsung Email application allows attackers to send emails from the user’s account without any user interaction.
The patch restricts the senders capable of broadcasting the intent by permission.


SVE-2017-9659: Security authentication reset issue without user confirmation

Severity: Moderate
Affected versions: M(6.0), N(7.0, 7.1)
Reported on: July 05, 2017
Disclosure status: Privately disclosed.
A vulnerability allows attackers to register a new security certificate without user authentication.
The patch addressed the issue.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- MOULU Andre : SVE-2017-9299
- Yousra Aafer of Purdue University : SVE-2017-9357
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9659

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from August 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0407, CVE-2017-9417

High
CVE-2017-0576, CVE-2016-10286, CVE-2016-10244, CVE-2017-0713, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0687, CVE-2017-0737, CVE-2017-0805

Moderate
CVE-2017-0583, CVE-2016-5346, CVE-2017-6425, CVE-2016-10236, CVE-2017-6426, CVE-2017-7370, CVE-2017-7372, CVE-2017-7373, CVE-2017-0451, CVE-2017-7308, CVE-2017-8264, CVE-2017-8266, CVE-2017-8268, CVE-2017-8258, CVE-2017-0560, CVE-2017-0712, CVE-2017-0738, CVE-2017-0739

Low
CVE-2017-0452

Already included in previous updates
CVE-2014-9968, CVE-2014-9974, CVE-2014-9977, CVE-2015-0575, CVE-2015-8592, CVE-2015-9036, CVE-2015-9038, CVE-2015-9039, CVE-2015-9041, CVE-2015-9042, CVE-2015-9043, CVE-2015-9044, CVE-2015-9045, CVE-2015-9046, CVE-2015-9047, CVE-2015-9049, CVE-2015-9050, CVE-2015-9052, CVE-2015-9053, CVE-2015-9055, CVE-2016-10391, CVE-2016-5871, CVE-2017-0711, CVE-2017-8255

Not applicable to Samsung devices
CVE-2014-9731, CVE-2015-9048, CVE-2015-9054, CVE-2016-10383, CVE-2016-10389, CVE-2017-0326, CVE-2017-0340, CVE-2017-0707, CVE-2017-0708, CVE-2017-0709


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 16 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-8889, SVE-2017-8891, and SVE-2017-8892: Stack overflow in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in trustlet can lead to memory corruption.
The applied patch adds boundary checking.


SVE-2017-8890: Over-read in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in trustlet can lead to unauthorized access to data outside of boundary.
The applied patch adds boundary checking.


SVE-2017-8893: Arbitrary write in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Assuming privilege escalation is achieved, lack of boundary checking in a trustlet can lead to arbitrary write.
The applied patch adds boundary checking.


SVE-2017-9008 and SVE-2017-9009: Integer overflow in trustlet

Severity: Low
Affected versions: N(7.x)
Reported on: April 24, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in trustlet can lead to memory corruption.
The patch removes the code related to the integer overflow.


SVE-2017-9383: Abnormal screen touch via malformed input with multiwindow_facade API

Severity: Low
Affected versions: M(6.0)
Reported on: May 31, 2017
Disclosure status: Privately disclosed.
Lack of an appropriate validation check for the display ID can halt the system due to a NullPointerException caused by a mismatch with a non-existent display.
The supplied patch prevents the unexpected exception by validating the display ID.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Daniel Komaromy : SVE-2017-8889, SVE-2017-8890, SVE-2017-8891, SVE-2017-8892, SVE-2017-8893, SVE-2017-9008, SVE-2017-9009
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9383

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from July 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2017-0564, CVE-2016-9794, CVE-2015-7555, CVE-2017-0540, CVE-2017-0673, CVE-2017-0674, CVE-2017-0675, CVE-2017-0676, CVE-2017-0677, CVE-2017-0678, CVE-2017-0679, CVE-2017-0680, CVE-2017-0681, CVE-2017-0469

High
CVE-2017-6423, CVE-2015-9004, CVE-2014-9940, CVE-2017-0648, CVE-2017-6074, CVE-2017-8253, CVE-2017-8273, CVE-2014-9979, CVE-2015-8595, CVE-2017-0664, CVE-2017-0665, CVE-2017-0666, CVE-2017-0667, CVE-2017-0669, CVE-2017-0670, CVE-2017-0671, CVE-2016-2109, CVE-2017-0672, CVE-2017-0684, CVE-2017-0685, CVE-2017-0686, CVE-2017-0688, CVE-2017-0689, CVE-2017-0690, CVE-2017-0691, CVE-2017-0692, CVE-2017-0693, CVE-2017-0694, CVE-2017-0695, CVE-2017-0696, CVE-2017-0697, CVE-2017-0700, CVE-2017-0701, CVE-2017-0702, CVE-2017-0703, CVE-2017-0642

Moderate
CVE-2017-7368, CVE-2017-7364, CVE-2017-8237, CVE-2015-5707, CVE-2016-5863, CVE-2017-8246, CVE-2017-8256, CVE-2017-8257, CVE-2016-3924, CVE-2017-0493, CVE-2015-7995, CVE-2017-3544, CVE-2017-0698, CVE-2017-0699

Low
CVE-2017-8241

Already included in previous updates
CVE-2014-9954, CVE-2014-9956, CVE-2014-9957, CVE-2014-9959, CVE-2014-9960, CVE-2014-9964, CVE-2014-9967, CVE-2015-9009, CVE-2015-9010, CVE-2015-9011, CVE-2015-9012, CVE-2015-9014, CVE-2015-9024, CVE-2015-9026, CVE-2015-9027, CVE-2017-0636, CVE-2017-7371, CVE-2017-8240

Not applicable to Samsung devices
CVE-2014-9961, CVE-2015-9015, CVE-2015-9031, CVE-2015-9032, CVE-2016-10299, CVE-2016-10335, CVE-2016-10336, CVE-2016-10342, CVE-2017-0649, CVE-2017-0651, CVE-2017-0682, CVE-2017-0683, CVE-2017-0704, CVE-2017-6247, CVE-2017-6248, CVE-2017-6249, CVE-2017-6421, CVE-2017-7365, CVE-2017-8234


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 16 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-8290: Crash via sending broadcast (AdaptiveDisplayColorService)

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)
Reported on: February 14, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for Intents that include a Serializable instance allows attackers to crash several system processes, resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.


SVE-2017-8888: Buffer overflow in tlc_server

Severity: Moderate
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
There is a potential buffer overflow vulnerability due to not confirming if the size of source data is smaller than the destination buffer.
The patch removes the problematic code.


SVE-2017-8973: Buffer overflow in process_cipher_tdea

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
There is a potential buffer overflow vulnerability due to not verifying input and output parameters’ sizes.
The fix avoids a buffer overflow by checking if the size of output data is the same as input data.


SVE-2017-9109: Unintended memory is disclosed in rkp log

Severity: Moderate
Affected versions: M(6.0), N(7.x)
Reported on: May 4, 2017
Disclosure status: Privately disclosed.
The vulnerability allows reading data outside the rkp log buffer boundary because the boundary is not checked.
The applied patch avoids an illegal access to memory by checking the boundary.


SVE-2017-9122, SVE-2017-9123, SVE-2017-9124, and SVE-2017-9126: Crash system server via sending broadcast

Severity: Low
Affected versions: N(7.x)
Reported on: May 10, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for some Intents that cause a NullPointerException allows attackers to crash a system process, resulting in a possible DoS attack.
The patch protects the receiver by changing to protected intent.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Ryan Johnson and Angelos Stavrou of Kryptowire : SVE-2017-8290, SVE-2017-9122, SVE-2017-9123, SVE-2017-9124, SVE-2017-9126
- Daniel Komaromy : SVE-2017-8888, SVE-2017-8973
- David Berard : SVE-2017-9109

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from June 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2016-8434, CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0506, CVE-2017-0507, CVE-2016-8479, CVE-2016-10200, CVE-2016-10230, CVE-2016-10229, CVE-2016-10276, CVE-2017-0604, CVE-2016-10278, CVE-2016-10279, CVE-2015-7555, CVE-2017-0637

High
CVE-2015-0571, CVE-2016-8480, CVE-2017-0464, CVE-2017-0456, CVE-2017-0528, CVE-2016-8483, CVE-2014-4656, CVE-2017-0575, CVE-2016-10231, CVE-2017-0579, CVE-2016-10232, CVE-2016-10233, CVE-2016-10235, CVE-2016-10283, CVE-2016-10284, CVE-2016-10285, CVE-2015-9004, CVE-2016-10287, CVE-2017-0606, CVE-2016-5860, CVE-2017-0607, CVE-2017-0608, CVE-2016-5859, CVE-2017-0610, CVE-2017-0611, CVE-2017-0465, CVE-2017-0612, CVE-2017-0613, CVE-2017-0614, CVE-2014-9940, CVE-2017-7184, CVE-2017-0624, CVE-2017-7366, CVE-2017-7367, CVE-2017-0408, CVE-2017-0421, CVE-2017-0477, CVE-2017-0477, CVE-2016-5131, CVE-2015-8871, CVE-2016-8332, CVE-2016-5131, CVE-2016-4658, CVE-2017-0663, CVE-2017-7376, CVE-2017-0638, CVE-2017-0639, CVE-2017-0391, CVE-2017-0640, CVE-2017-0641, CVE-2017-0642, CVE-2017-0643, CVE-2017-0644

Moderate
CVE-2016-10044, CVE-2017-0459, CVE-2017-0537, CVE-2017-6424, CVE-2017-0584, CVE-2017-0627, CVE-2016-10293, CVE-2017-0630, CVE-2016-5858, CVE-2017-0632, CVE-2017-7369, CVE-2016-5864, CVE-2016-5861, CVE-2017-8233, CVE-2017-8235, CVE-2017-0579, CVE-2017-8239, CVE-2017-0395, CVE-2017-0492, CVE-2017-0559, CVE-2017-5056, CVE-2017-7375, CVE-2017-0645, CVE-2017-0646, CVE-2017-0647, CVE-2016-1839

Low
CVE-2017-0452

Already included in previous updates
CVE-2014-9923, CVE-2014-9926, CVE-2014-9927, CVE-2014-9928, CVE-2014-9941, CVE-2014-9942, CVE-2014-9943, CVE-2014-9944, CVE-2014-9946, CVE-2014-9947, CVE-2014-9948, CVE-2014-9949, CVE-2014-9950, CVE-2015-9005, CVE-2015-9007, CVE-2016-10274, CVE-2016-10280, CVE-2016-10281, CVE-2016-10282, CVE-2017-0615, CVE-2017-0616, CVE-2017-0617, CVE-2017-0618, CVE-2017-0621, CVE-2017-0625

Not applicable to Samsung devices
CVE-2014-9945, CVE-2014-9951, CVE-2014-9952, CVE-2015-9006, CVE-2016-10240, CVE-2016-10277, CVE-2016-10288, CVE-2016-10295, CVE-2016-10297, CVE-2017-0331, CVE-2017-0622, CVE-2017-0623, CVE-2017-0634


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 23 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-8286: Null Pointer exception in PersonManager

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: February 13, 2017
Disclosure status: Privately disclosed.
A null-pointer dereference vulnerability in PersonManager can lead to memory corruption and potentially be abused by attackers.
The patch verifies if the object is null before dereferencing it.


SVE-2017-8287: Null Pointer Exception in WifiService by adb-cmd

Severity: Low
Affected versions: M(6.0)
Reported on: February 13, 2017
Disclosure status: Privately disclosed.
A null-pointer dereference vulnerability in WifiService can lead to memory corruption and potentially be abused by attackers.
The patch verifies if the object is null before dereferencing it.


SVE-2017-8701: Security issue patch for vulnerability that allows arbitrary applications to send sms without permission

Severity: Moderate
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)
Reported on: March 23, 2017
Disclosure status: Privately disclosed.
A vulnerability allows an unauthorized application to send premium SMS messages without user interaction or permission.
The patch protects the receiver by changing to protected intent.


SVE-2017-8702: Security issue patch for vulnerability to force notification that sms storage is full

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)
Reported on: March 23, 2017
Disclosure status: Privately disclosed.
A vulnerability prevents users from receiving SMS messages by faking that message inbox is full.
The patch protects the receiver by escalating privilege to send the intent.


SVE-2017-8706: Setting and bypassing user restrictions without any permissions

Severity: Moderate
Affected versions: M(6.0)
Reported on: March 24, 2017
Disclosure status: Privately disclosed.
A vulnerability allows attackers to restrict users’ usability of some features, including outgoing calls and outgoing text messages.
The patch mitigates the risk by checking the permission of the caller.


SVE-2017-9000: Launch Any Activity with System Privilege via persona

Severity: Moderate
Affected versions: N(7.x)
Reported on: April 21, 2017
Disclosure status: Privately disclosed.
A vulnerability allows attackers to launch activities with system privilege via ‘persona’, because an important API is not protected by permissions checks.
The patch mitigates the risk by checking the permissions at the API.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Ye Zhou, Leiyong Xu and Bo Li of Vulpecker Team, Qihoo 360 Technology Co. Ltd. : SVE-2017-8286, SVE-2017-8287
- Yousra Aafer of Purdue University : SVE-2017-8701, SVE-2017-8702, SVE-2017-8706, SVE-2017-9000

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from May 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2017-0503, CVE-2017-0505, CVE-2017-0510, CVE-2016-10229, CVE-2017-0564, CVE-2016-10275, CVE-2017-0605, CVE-2017-0587, CVE-2017-0588, CVE-2017-0589, CVE-2017-0590, CVE-2017-0591, CVE-2017-0592, CVE-2017-0561

High
CVE-2017-0453, CVE-2017-0528, CVE-2016-5856, CVE-2016-5857, CVE-2017-0566, CVE-2017-0454, CVE-2017-0462, CVE-2016-10234, CVE-2016-5867, CVE-2016-5853, CVE-2017-0620, CVE-2016-5862, CVE-2016-5868, CVE-2017-0626, CVE-2016-10292, CVE-2017-0421, CVE-2016-5129, CVE-2017-0593, CVE-2017-0594, CVE-2017-0595, CVE-2017-0596, CVE-2017-0597, CVE-2017-0598, CVE-2017-0599, CVE-2017-0600

Moderate
CVE-2017-0461, CVE-2017-0531, CVE-2017-0537, CVE-2016-5346, CVE-2017-0628, CVE-2017-0629, CVE-2017-0631, CVE-2016-5347, CVE-2016-5854, CVE-2016-5855, CVE-2016-3924, CVE-2017-0602, CVE-2016-7056, CVE-2017-0603

Low
CVE-2017-0635

Already included in previous updates
CVE-2014-1739, CVE-2017-0565

Not applicable to Samsung devices
CVE-2014-0206, CVE-2014-2706, CVE-2014-3145, CVE-2014-9922, CVE-2016-10237, CVE-2016-10239, CVE-2016-7097, CVE-2017-0325, CVE-2017-0327, CVE-2017-0328, CVE-2017-0329, CVE-2017-0330, CVE-2017-0332, CVE-2017-0339, CVE-2017-0562, CVE-2017-0563, CVE-2017-0577, CVE-2017-0578, CVE-2017-0580, CVE-2017-0581, CVE-2017-0582, CVE-2017-0601


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 11 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-8363: Serializable intent reboot about "android.intent.action.SIOP_LEVEL_CHANGED"

Severity: Moderate
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: February 21, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for Intents that include a Serializable instance allows attackers to crash a system process, resulting in a possible DoS attack.
The patch protects the receiver by changing to protected intent.


SVE-2017-8389: Security issue patch for vulnerabilities of wifi related intents

Severity: Low
Affected versions: L(5.0/5.1), M(6.0), N(7.x)
Reported on: February 23, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for Intents that include a Serializable instance allows attackers to crash several system processes, resulting in a possible DoS attack.
The patch restricts the senders capable of broadcasting the intent by permission.


SVE-2017-8390: Some local DoS vulnerabilities force the phone to restart in framework.jar

Severity: Moderate
Affected versions: L(5.0/5.1), M(6.0), N(7.x)
Reported on: February 24, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for Intents that include a Serializable instance allows attackers to crash a system process, resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.


SVE-2017-8524: Possible to disable location service on device locked

Severity: Low
Affected versions: N(7.x)
Reported on: March 8, 2017
Disclosure status: Privately disclosed.
A vulnerability which allows disabling location service on a locked device can make it impossible to find lost devices.
The patch prevents disabling location service without unlocking devices.


SVE-2017-8593: A Denial of Service for tima service

Severity: Low
Affected versions: N(7.0)
Reported on: March 14, 2017
Disclosure status: Privately disclosed.
Timaservice has a function whose declaration and definition do not match, which can lead to a kernel panic.
The patch removes the problematic function.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Vulpecker Team of qihoo360 : SVE-2017-8363
- Ryan Johnson and Angelos Stavrou of Kryptowire : SVE-2017-8389
- Zane : SVE-2017-8524
- Ye Zhou, Leiyong Xu and Bo Li of Qihoo 360 : SVE-2017-8593

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from April 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2016-8436, CVE-2017-0427, CVE-2014-9914, CVE-2017-0510, CVE-2017-0538, CVE-2017-0539, CVE-2017-0540, CVE-2017-0541, CVE-2017-0542, CVE-2017-0543

High
CVE-2016-5341, CVE-2017-0516, CVE-2017-0517, CVE-2017-0457, CVE-2017-0520, CVE-2017-0458, CVE-2017-0521, CVE-2017-0525, CVE-2017-0463, CVE-2017-0460, CVE-2017-0455, CVE-2016-8650, CVE-2017-0421, CVE-2017-0413, CVE-2017-0414, CVE-2017-0420, CVE-2017-0544, CVE-2017-0545, CVE-2017-0546, CVE-2016-5552, CVE-2017-0547, CVE-2017-0548, CVE-2017-0549, CVE-2017-0550, CVE-2017-0551, CVE-2017-0552

Moderate
CVE-2016-8417, CVE-2017-0532, CVE-2017-0533, CVE-2017-0534, CVE-2016-8478, CVE-2017-0423, CVE-2017-0553, CVE-2017-0554, CVE-2017-0555, CVE-2017-0556, CVE-2017-0557, CVE-2017-0559, CVE-2017-0560

Low
None

Already included in previous updates
CVE-2014-8709, CVE-2016-8413

Not applicable to Samsung devices
CVE-2016-8488, CVE-2017-0306, CVE-2017-0307, CVE-2017-0333, CVE-2017-0334, CVE-2017-0335, CVE-2017-0336, CVE-2017-0337, CVE-2017-0338, CVE-2017-0504, CVE-2017-0508, CVE-2017-0518, CVE-2017-0519, CVE-2017-0522, CVE-2017-0523, CVE-2017-0524, CVE-2017-0526, CVE-2017-0527, CVE-2017-0529, CVE-2017-0535, CVE-2017-0536, CVE-2017-0558


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 16 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-6989: Memory Leak in Camera via ion

Severity: Moderate
Affected versions: M(6.0), N(7.x) devices with Exynos7420 or Exynos8890 chipset
Reported on: August 25, 2016
Disclosure status: Privately disclosed.
Carved-out heap memory in the camera was not properly initialized to zero until the next memory allocation, resulting in a possible memory leak.
The fix prevents the leak by adding initialization of the carved-out heap memory when the memory is freed.


SVE-2016-7901: RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices

Severity: Moderate
Affected versions: N(7.0) with Qualcomm chipset
Reported on: December 15, 2016
Disclosure status: Privately disclosed.
The vulnerability allows attackers to create disallowed memory mappings via RKP kernel protection bypass.
Qualcomm patch is applied.


SVE-2016-7142: Various setting properties can be reset by unprotected intent

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: September 21, 2016
Disclosure status: Privately disclosed.
The vulnerability allows unauthorized processes to reset the configuration of various applications by broadcasting an unprotected intent.
The patch restricts the senders capable of broadcasting the intent by permission.


SVE-2017-8109, SVE-2017-8110, SVE-2017-8115, SVE-2017-8118, and SVE-2017-8119: Crash on several services via Serializable object

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)
Reported on: January 12, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling for Intents that include a Serializable instance allows attackers to crash several system processes, resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.


SVE-2017-8285: Crash in SLocation by calling not-implemented API

Severity: Low
Affected versions: M(6.0)
Reported on: February 13, 2017
Disclosure status: Privately disclosed.
A mismatch between the declaration in AIDL and its implementation for a specific function allows attackers to crash the system, resulting in a possible DoS attack.
The patch prevents crash by removing unused functions.


SVE-2017-8290: User data can be leaked by read log file

Severity: Moderate
Affected versions: L(5.0/5.1), M(6.0), N(7.x)
Reported on: February 14, 2017
Disclosure status: Privately disclosed.
When devices are rebooted by unexpected crashes, a large amount of information can be leaked through world-readable log files created during reboot.
The fix restricts access to the log files by reducing read permissions.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Zhiyun Qian and Dongdong She : SVE-2016-6989
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7142, SVE-2017-8109, SVE-2017-8110, SVE-2017-8115, SVE-2017-8118, SVE-2017-8119
- Gal Beniamini of Google Project Zero : SVE-2016-7901
- Ye Zhou, Leiyong Xu and Bo Li of Qihoo 360 : SVE-2017-8285
- Ryan Johnson and Angelos Stavrou of Kryptowire : SVE-2017-8290

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from March 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2015-3288, CVE-2015-8816, CVE-2016-2182, CVE-2016-3843, CVE-2016-6728, CVE-2016-7910, CVE-2016-8418, CVE-2016-8422, CVE-2016-8423, CVE-2016-9806, CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474, CVE-2017-0475

High
CVE-2014-9675, CVE-2014-9781, CVE-2016-6674, CVE-2016-6675, CVE-2016-8415, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2016-8452, CVE-2016-8476, CVE-2016-8655, CVE-2016-9793, CVE-2017-0390, CVE-2017-0392, CVE-2017-0404, CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2017-0478, CVE-2017-0479, CVE-2017-0480, CVE-2017-0481, CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488

Moderate
CVE-2016-6757, CVE-2016-8406, CVE-2016-8414, CVE-2016-8416, CVE-2016-8477, CVE-2017-0395, CVE-2017-0399, CVE-2017-0400, CVE-2017-0402, CVE-2017-0423, CVE-2017-0451, CVE-2017-0489, CVE-2017-0490, CVE-2017-0491, CVE-2017-0495, CVE-2017-0496, CVE-2017-0497, CVE-2017-0498

Low
CVE-2016-6690, CVE-2017-0499

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2016-8481, CVE-2017-0428, CVE-2017-0429, CVE-2017-0432, CVE-2017-0433, CVE-2017-0434, CVE-2017-0435, CVE-2017-0436, CVE-2017-0444, CVE-2017-0445, CVE-2017-0446, CVE-2017-0447, CVE-2017-0448, CVE-2017-0450, CVE-2017-0476, CVE-2017-0494


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-7797: Restricted account security flaw

Severity: Moderate
Affected versions: L(5.0/5.1), M(6.0) all tablet devices
Reported on: December 4, 2016
Disclosure status: Privately disclosed.
A vulnerability allows an unauthorized user to create additional user accounts in tablets resulting in unauthorized access to user data in external storage.
The patch protects tablet devices by removing "add user" feature on lockscreen interface.


SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader

Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
A buffer overflow vulnerability exists in the Qualcomm bootloader.
The patch prevents buffer overflow by removing the problematic source code.


SVE-2017-8114, SVE-2017-8116, and SVE-2017-8117: Crash on AudioService via unprotected intent

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: January 12, 2017
Disclosure status: Privately disclosed.
Lack of appropriate exception handling in some receivers of the AudioService application allows attackers to easily crash the system, resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Costandinos "Dino" Tsagaratos : SVE-2016-7797
- Frederic Basse : SVE-2016-7930
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-8114, SVE-2017-8116, SVE-2017-8117


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from February 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2015-3288, CVE-2015-5706, CVE-2016-2108, CVE-2016-2474, CVE-2016-6729, CVE-2016-9120, CVE-2017-0405, CVE-2017-0406, CVE-2017-0407

High
CVE-2015-1465, CVE-2015-8964, CVE-2016-1583, CVE-2016-3915, CVE-2016-3916, CVE-2016-5345, CVE-2016-5552, CVE-2016-6754, CVE-2016-6786, CVE-2016-6787, CVE-2016-7042, CVE-2016-7915, CVE-2016-8412, CVE-2016-8444, CVE-2016-9754, CVE-2017-0388, CVE-2017-0403, CVE-2017-0409, CVE-2017-0410, CVE-2017-0411, CVE-2017-0412, CVE-2017-0415, CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419, CVE-2017-0422

Moderate
CVE-2016-3853, CVE-2016-8399, CVE-2016-8405, CVE-2016-8410, CVE-2016-8468, CVE-2016-8470, CVE-2016-8471, CVE-2016-8472, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402, CVE-2017-0425, CVE-2017-0426

Low
CVE-2016-6690

Already included in previous updates
CVE-2016-8433, CVE-2016-8445, CVE-2016-8446, CVE-2016-8447, CVE-2016-8448

Not applicable to Samsung devices
CVE-2014-9420, CVE-2016-8424, CVE-2016-8425, CVE-2016-8426, CVE-2016-8427, CVE-2016-8428, CVE-2016-8429, CVE-2016-8430, CVE-2016-8431, CVE-2016-8432, CVE-2016-8435, CVE-2016-8449, CVE-2016-8451, CVE-2016-8458, CVE-2016-8460, CVE-2016-8461, CVE-2016-8462, CVE-2016-8463, CVE-2016-8467, CVE-2016-8469, CVE-2016-8473, CVE-2016-8474, CVE-2016-8475, CVE-2017-0424


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-6942: Security issue on package name check logic on SVoice

Severity: Moderate
Affected versions: L(5.0/5.1), M(6.0)
Reported on: August 4, 2016
Disclosure status: Privately disclosed.
There are two SVoice vulnerabilities. One is a Hare hunting vulnerability with insufficient verification when installing applications, and the other allows the provider to be seized by any other application that uses a custom provider without declaring any permission.
The patch fixes SVoice to find the exact applications with proper verification and adds protection to the provider by declaring the required permission.


SVE-2016-7123: Crash on InputMethod via unprotected receiver using specific intent

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed.
The vulnerability in several Receiver components of the InputMethod application can result in a crash and restart of the system UI when malformed serializable objects are passed.
The patch complements the exception handling routine to prevent the crash.


SVE-2016-7180: Contact list leakage in logfile via broadcasting unprotected intent

Severity: Low
Affected versions: M(6.0), N(7.0)
Reported on: September 16, 2016
Disclosure status: Privately disclosed.
The vulnerability exposes contact information and the list of installed applications in the system-accessible log.
The patch removes the problematic code.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Quhe of Ant-financial Light-Year Security Lab : SVE-2016-7123
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7180


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.


The following CVE items from January 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2015-8961, CVE-2015-8966, CVE-2016-3843, CVE-2016-5195, CVE-2016-9120, CVE-2017-0381

High
CVE-2015-7872, CVE-2015-8967, CVE-2016-3869, CVE-2016-3904, CVE-2016-3911, CVE-2016-5180, CVE-2016-6738, CVE-2016-6743, CVE-2016-6755, CVE-2016-6758, CVE-2016-6759, CVE-2016-6760, CVE-2016-6761, CVE-2016-6782, CVE-2016-6783, CVE-2016-6784, CVE-2016-6788, CVE-2016-6791, CVE-2016-8391, CVE-2016-8392, CVE-2016-8398, CVE-2016-8398, CVE-2016-8450, CVE-2017-0382, CVE-2017-0383, CVE-2017-0384, CVE-2017-0385, CVE-2017-0386, CVE-2017-0387, CVE-2017-0388, CVE-2017-0389, CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393, CVE-2017-0394

Moderate
CVE-2016-6720, CVE-2016-6748, CVE-2016-6749, CVE-2016-6756, CVE-2016-7917, CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8404, CVE-2016-8405, CVE-2016-8407, CVE-2017-0396, CVE-2017-0397, CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402

Low
None

Already included in previous updates
CVE-2014-4014

Not applicable to Samsung devices
CVE-2014-9909, CVE-2016-6492, CVE-2016-6775, CVE-2016-6776, CVE-2016-6777, CVE-2016-6778, CVE-2016-6779, CVE-2016-6780, CVE-2016-6781, CVE-2016-6785, CVE-2016-6789, CVE-2016-6790, CVE-2016-6915, CVE-2016-6916, CVE-2016-6917, CVE-2016-8393, CVE-2016-8394, CVE-2016-8395, CVE-2016-8396, CVE-2016-8397, CVE-2016-8400, CVE-2016-8408, CVE-2016-8409


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 28 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-6362: out of bound read in gpu driver

Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos AP chipsets
Reported on: May 31, 2016
Disclosure status: Privately disclosed.
The GPU driver does not properly check the boundary of buffers, leading to a possible memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.


SVE-2016-6917: Forcing factory resets with a large manifest file on Samsung Android Devices

Severity: Moderate
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: August 13, 2016
Disclosure status: Privately disclosed.
A system crash at boot time can be triggered by a malformed manifest file during parsing of active install session APKs, resulting in a possible DoS attack.
The applied patch avoids parsing active install session APKs.


SVE-2016-7122: Unexpected SystemUI FC driven by arbitrary application

Severity: Low
Affected versions: L(5.0/5.1), M(6.0), N(7.0)
Reported on: September 13, 2016
Disclosure status: Privately disclosed.
Lack of appropriate exception handling in some applications allows attackers to crash SystemUI easily, resulting in a possible DoS attack.
The patch prevents systemUI crashes by handling unexpected exceptions.


SVE-2016-7183: Security issue patch that exposes path of files through log

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed.
The vulnerability exposes the lists of files stored on the sdcard to the system protected log when a certain intent is received.
The patch restricts the senders capable of broadcasting the intent by permission.


SVE-2016-7340: Information disclosure via /dev/dsm_ctrl_dev

Severity: Moderate
Affected versions: L(5.1), M(6.0), N(7.0)
Reported on: October 8, 2016
Disclosure status: Privately disclosed.
This vulnerability allows reading data outside of the buffer boundary because the boundary is not checked.
The applied patch avoids an illegal access to memory by checking the boundary.


SVE-2016-7466: ko(Kernel Module) signature can be bypassed

Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos5433, Exynos7420, or Exynos7870 chipset
Reported on: October 4, 2016
Disclosure status: Privately disclosed.
Assuming the device is rooted, a vulnerability allows an attacker to bypass kernel module confirmation by manipulating the count value of kernel modules required to check the integrity.
The patch prevents the modification of the count value at the build time.


SVE-2016-7484: Buffer overflow vulnerability in sensor hub

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0) devices with Exynos54xx, Exynos7420, Exynos8890, or Exynos8895 chipset
Reported on: October 18, 2016
Disclosure status: Privately disclosed.
There is a potential buffer overflow problem because the boundary condition is not confirmed before a memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the Linux file permission already protects access to this code.


SVE-2016-7500: Multiple Buffer Overflows in TSP sysfs cmd_store

Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos8890 chipset
Reported on: October 20, 2016
Disclosure status: Privately disclosed.
There are some potential buffer overflow problems in TSP sysfs because the boundary condition is not confirmed before a memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the TSP sysfs is already protected by the Linux file permission.


SVE-2016-7501: Race condition in sec_ts touchscreen sysfs interface

Severity: Low
Affected versions: M(6.0), N(7.0) devices with MSM8939, MSM8996, MSM8998, Exynos7580, Exynos8890, or Exynos8895 chipset
Reported on: October 20, 2016
Disclosure status: Privately disclosed.
There is no synchronization mechanism between getting the size of the read buffer and actually reading it, which can result in a buffer overflow through a race condition.
The fix avoids the race condition by using a locking mechanism, but the sysfs is already protected by the Linux file permission.


SVE-2016-7510: Buffer overflow in "fps" sysfs entry

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: October 22, 2016
Disclosure status: Privately disclosed.
There is a potential buffer overflow problem in "fps" sysfs because the boundary condition is not confirmed before a memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the "fps" sysfs is already protected by the Linux file permission.


SVE-2016-7551: Exposure of Kernel Address on the Log

Severity: Low
Affected versions: All devices with Exynos5 chipset
Reported on: October 25, 2016
Disclosure status: Privately disclosed.
The vulnerability allows unprivileged users to get kernel addresses from the log due to the use of a wrong format specifier.
The fix shows a '0' value for the kernel addresses to unprivileged users.


SVE-2016-7650: VR Service Security Issue

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: November 8, 2016
Disclosure status: Privately disclosed.
There is no mechanism to limit the number of active VR service threads, which can result in a system crash by exceeding the available number of system threads.
The patch prevents the system crash by limiting the number of VR service threads at a time.


SVE-2016-7654: Secure data exposure in EAS autodiscover packet

Severity: High
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: November 4, 2016
Disclosure status: Privately disclosed.
The vulnerability discloses user credentials to a sub-domain whenever users log in to an email account under certain conditions.
The patch avoids disclosure by removing the code that sends user credentials.


SVE-2016-7751: Several Security flaws in libskia library

Severity: Moderate
Affected versions: M(6.0)
Reported on: November 29, 2016
Disclosure status: Privately disclosed.
The vulnerability allows an attacker to trigger a crash when parsing malformed images.
The patch prevents a crash by using fixed values instead of variable ones for buffers.


SVE-2016-7897: Several RKP issues

Severity: Moderate
Affected versions: M(6.0), N(7.0) devices with Exynos7420, Exynos8890, or MSM8996 chipset
Reported on: October 24, 2016
Disclosure status: Privately disclosed.
There are 6 vulnerabilities related to RKP, including memory corruption, information disclosure, privilege escalation, and authentication bypass.
Adequate remedies are applied to each vulnerability.

In addition, the following CVEs are included as part of Samsung security patches:
CVE-2016-8655(C)
* Severity : (C)-Critical, (H)-High, (M)-Moderate, (L)-Low

※ Some of the CVE items in certain models were already included in previous maintenance release(s) such that they may not be included in this package.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- James Fang and Anthony LAOU HINE TSUEI of Tencent Keen Lab : SVE-2016-6362
- Ryan Johnson and Angelos Stavrou of Kryptowire : SVE-2016-6917
- Quhe of Ant-financial Light-Year Security Lab : SVE-2016-7122
- Qing Zhang of Qihoo 360 and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7183
- Gal Beniamini of Google Project Zero : SVE-2016-7340, SVE-2016-7466, SVE-2016-7484, SVE-2016-7500, SVE-2016-7501, SVE-2016-7510, SVE-2016-7551, SVE-2016-7897
- Yaoguang Chen of Ant-financial Light-Year Security Lab : SVE-2016-7650
- Nesterov Ilya and Goncharov Maxim : SVE-2016-7654