Samsung Mobile Security

Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Acknowledgements

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – December 2022 package. The Bulletin (December 2022) contains the following CVE items:

Critical
CVE-2021-35122, CVE-2022-20472, CVE-2022-20473, CVE-2022-20411, CVE-2022-20498

High
CVE-2021-1050, CVE-2021-39661, CVE-2022-32602, CVE-2021-35109, CVE-2021-35108, CVE-2021-35135, CVE-2021-35132, CVE-2022-25671, CVE-2022-33237, CVE-2022-33239, CVE-2022-25724, CVE-2022-25743, CVE-2022-25741, CVE-2022-38690, CVE-2022-2984, CVE-2022-38676, CVE-2022-38672, CVE-2022-39105, CVE-2022-38673, CVE-2022-2985, CVE-2022-38669, CVE-2022-38670, CVE-2022-20502, CVE-2021-39795, CVE-2022-20124, CVE-2022-20442, CVE-2022-20470, CVE-2022-20474, CVE-2022-20475, CVE-2022-20477, CVE-2022-20485, CVE-2022-20486, CVE-2022-20491, CVE-2022-20611, CVE-2021-0934, CVE-2022-20449, CVE-2022-20476, CVE-2022-20482, CVE-2022-20500, CVE-2022-20496, CVE-2022-20469, CVE-2022-20144, CVE-2022-20478, CVE-2022-20479, CVE-2022-20480, CVE-2022-20484, CVE-2022-20487, CVE-2022-20488, CVE-2022-20495, CVE-2022-20501, CVE-2022-20483, CVE-2022-20497, CVE-2021-39673, CVE-2022-20131, CVE-2022-20466 (Q10, R11, S12, S12L)

Moderate
CVE-2022-20468, CVE-2022-20466 (T13)

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2022-32601, CVE-2022-33234, CVE-2022-33236


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 13 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Dec-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2022-2284(CVE-2022-39906): Improper access control vulnerability in SecTelephonyProvider

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 16, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in SecTelephonyProvider prior to SMR Dec-2022 Release 1 allows attackers to access message information.
The patch adds proper access control logic to prevent unauthorized access.


SVE-2022-2260(CVE-2022-39905): Implicit intent hijacking vulnerability in Telecom application

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 15, 2022
Disclosure status: Privately disclosed
Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent.
The patch adds proper permission in Telecom application to prevent unauthorized access.


SVE-2022-2249(CVE-2022-39904): Exposure of Sensitive Information vulnerability in Samsung Settings

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: September 14, 2022
Disclosure status: Privately disclosed
Exposure of Sensitive Information vulnerability in Samsung Settings prior to SMR Dec-2022 Release 1 allows local attackers to access the Network Access Identifier via log.
The patch fixes improper logging.


SVE-2022-2136(CVE-2022-39903): Improper access control vulnerability in RCS call

Severity: Moderate
Affected versions: Select Q(10), R(11), S(12), T(13) devices supporting RCS
Reported on: September 4, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.
The patch adds proper permission to prevent unauthorized access.


SVE-2022-2078(CVE-2022-39908, CVE-2022-39907): Heap overflow vulnerabilities in Samsung decoding library for video thumbnails

Severity: Moderate
Affected versions: Q(10) and R(11) OS with libsadapter, S(12) and T(13) OS with libsthmbcadapter
Reported on: August 30, 2022
Disclosure status: Privately disclosed
Heap overflow vulnerabilities in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allow local attacker to perform Out-Of-Bounds Write.
The patch adds proper input validation logic and TOCTOU prevention code to prevent heap overflow.


SVE-2022-2034(CVE-2022-39902): Improper authorization in Exynos baseband

Severity: High
Affected versions: Select devices using Exynos CP chipsets
Reported on: August 23, 2022
Disclosure status: Privately disclosed
Improper authorization in Exynos baseband prior to SMR Dec-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.
The patch adds proper authentication logic.


SVE-2022-2033(CVE-2022-39901): Improper authentication in Exynos baseband

Severity: High
Affected versions: Select devices using Exynos CP chipsets
Reported on: August 23, 2022
Disclosure status: Privately disclosed
Improper authentication in Exynos baseband prior to SMR Dec-2022 Release 1 allows remote attacker to disable the network traffic encryption between UE and gNodeB.
The patch adds proper authentication logic.


SVE-2022-1965(CVE-2022-39900): Improper access control vulnerability in Nice Catch

Severity: Moderate
Affected versions: R(11), S(12), T(13)
Reported on: August 17, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in Nice Catch prior to SMR Dec-2022 Release 1 allows physical attackers to access the contents of all toasts generated in the application installed in Secure Folder through Nice Catch.
The patch prevents access to the contents of toasts generated from another UserID.


SVE-2022-1929(CVE-2022-39899): Improper authentication vulnerability in WindowManagerService

Severity: High
Affected versions: Select Q(10), R(11), S(12), T(13) devices
Reported on: August 14, 2022
Disclosure status: Privately disclosed
Improper authentication vulnerability in Samsung WindowManagerService prior to SMR Dec-2022 Release 1 allows attacker to send the input event using S Pen gesture.
The patch adds proper permission check in WindowManagerService to prevent unauthorized access.


SVE-2022-1886(CVE-2022-39898): Improper access control vulnerability in IIccPhoneBook

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: August 5, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in IIccPhoneBook prior to SMR Dec-2022 Release 1 allows attackers to access some USIM information.
The patch adds proper permission to prevent unauthorized access.


SVE-2022-1849(CVE-2022-39897): Exposure of Sensitive Information vulnerability in Qualcomm kernel

Severity: Moderate
Affected versions: Selected Q(10), R(11), S(12) Qualcomm devices
Reported on: August 3, 2022
Disclosure status: Privately disclosed
Exposure of Sensitive Information vulnerability in kernel prior to SMR Dec-2022 Release 1 allows attackers to access the kernel address information via log.
The patch removes the API that shows the kernel address.


SVE-2022-0914(CVE-2022-39896): Improper access control vulnerabilities in Contacts

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 13, 2022
Disclosure status: Privately disclosed
Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allow access to sensitive information via implicit intent.
The patch adds proper access control.


SVE-2022-0699(CVE-2022-39895, CVE-2022-39894): Improper access control vulnerabilities in Phone

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 22, 2022
Disclosure status: Privately disclosed
Improper access control vulnerabilities in Phone prior to SMR Dec-2022 Release 1 allow access to sensitive information via implicit intent.
The patch adds proper access control.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Oversecured Inc: SVE-2022-2284, SVE-2022-2260, SVE-2022-2249, SVE-2022-2136, SVE-2022-1929, SVE-2022-1886
Anthony REMY with Thalium Team: SVE-2022-2078
Bedran Karakoc: SVE-2022-2034, SVE-2022-2033
ham2: SVE-2022-1965
Le Wu of Baidu Security: SVE-2022-1849
Sergey Toshin: SVE-2022-0914, SVE-2022-0699

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – November 2022 package. The Bulletin (November 2022) contains the following CVE items:

Critical
CVE-2022-25748, CVE-2022-25720, CVE-2022-33243

High
CVE-2021-0696, CVE-2021-0951, CVE-2021-0699, CVE-2022-20422, CVE-2022-20421, CVE-2022-20423, CVE-2022-25661, CVE-2022-25660, CVE-2022-25749, CVE-2022-25736, CVE-2022-33217, CVE-2022-33214, CVE-2022-22077, CVE-2022-2209, CVE-2022-20441, CVE-2022-20446, CVE-2022-20448, CVE-2022-20450, CVE-2022-20452, CVE-2022-20457, CVE-2022-20426, CVE-2022-20451, CVE-2022-20454, CVE-2022-20462, CVE-2022-20465, CVE-2022-20445, CVE-2022-20447, CVE-2022-20414, CVE-2022-20453, CVE-2022-20115

Moderate
CVE-2022-20409

Already included in previous updates
CVE-2022-20424, CVE-2022-25723

Not applicable to Samsung devices
CVE-2022-26472, CVE-2022-26471, CVE-2022-25687, CVE-2022-25718, CVE-2022-20430, CVE-2022-20431, CVE-2022-20432, CVE-2022-20433, CVE-2022-20434, CVE-2022-20435, CVE-2022-20436, CVE-2022-20437, CVE-2022-20440, CVE-2022-20438, CVE-2022-20439


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 26 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Nov-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2022-1810(CVE-2022-39888): Improper access control vulnerability in MiscPolicy

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 30, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in retrieveExternalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows local attacker to access Proxy information.
The patch adds proper permission to prevent unauthorized access.


SVE-2022-1809(CVE-2022-39887): Improper access control vulnerability in MiscPolicy

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 30, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows local attacker to configure EDM setting.
The patch adds proper permission to prevent unauthorized configuration.


SVE-2022-1743(CVE-2022-39886): Improper access control vulnerability in RIL

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 21, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.
The patch adds proper access control in RIL to prevent unauthorized access.


SVE-2022-1717(CVE-2022-39885): Improper access control vulnerability in DeviceManagement

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 19, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in BootCompletedReceiver_CMCC in DeviceManagement prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.
The patch adds proper access control to prevent unauthorized access.


SVE-2022-1704(CVE-2022-39884): Improper access control vulnerability in IImsService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 15, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in IImsService prior to SMR Nov-2022 Release 1 allows local attacker to access Call information.
The patch adds the permission to prevent unauthorized access.


SVE-2022-1661(CVE-2022-39883): Improper authorization vulnerability in StorageManagerService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 12, 2022
Disclosure status: Privately disclosed
Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.
The patch adds proper permission to unprotected action to prevent unauthorized API call.


SVE-2022-1136(CVE-2022-39882): Heap overflow vulnerability in libsmat.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 4, 2022
Disclosure status: Privately disclosed
Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsmat.so library prior to SMR Nov-2022 Release 1 allows local attacker to execute arbitrary code.
The patch adds proper boundary check logic to prevent arbitrary code execution.


SVE-2022-0979(CVE-2022-39881): Improper input validation vulnerability in Exynos modems

Severity: High
Affected versions: Select devices using Exynos CP chipsets
Reported on: April 20, 2022
Disclosure status: Privately disclosed
Improper input validation vulnerability for processing SIB12 PDU in Exynos modems prior to SMR Nov-2022 Release 1 allows remote attacker to read out of bounds memory.
The patch adds proper validation logic to prevent out of bounds read.


SVE-2022-0746(CVE-2022-39880): Improper input validation vulnerability in DualOutFocusViewer

Severity: High
Affected versions: R(11), S(12)
Reported on: March 26, 2022
Disclosure status: Privately disclosed
Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows local attacker to perform an arbitrary code execution.
The patch deletes the related code to prevent arbitrary code execution.


SVE-2022-0734(CVE-2022-39879): Improper authorization vulnerability in CallBGProvider

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: March 25, 2022
Disclosure status: Privately disclosed
Improper authorization vulnerability in CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid.
The patch adds proper validation logic to prevent unauthorized access.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Oversecured Inc: SVE-2022-1810, SVE-2022-1809, SVE-2022-1704
Sergey Toshin: SVE-2022-0746, SVE-2022-0734
hsia.angsh: SVE-2022-1743, SVE-2022-1717, SVE-2022-1661
mart1n and zraxx: SVE-2022-1136
Daniel Klischies: SVE-2022-0979

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – October 2022 package. The Bulletin (October 2022) contains the following CVE items:

Critical
CVE-2022-20419

High
CVE-2021-0942, CVE-2021-0943, CVE-2021-0697, CVE-2021-0871, CVE-2022-20399, CVE-2022-29582, CVE-2022-22091, CVE-2022-22066, CVE-2022-25696, CVE-2022-25690, CVE-2022-22095, CVE-2022-25656, CVE-2022-25670, CVE-2022-20388, CVE-2022-20387, CVE-2022-20385, CVE-2021-4083, CVE-2022-20420, CVE-2022-20351, CVE-2022-20413, CVE-2022-20418, CVE-2022-20412, CVE-2022-20416, CVE-2022-20417, CVE-2021-39628, CVE-2021-39673, CVE-2022-20394, CVE-2022-20410, CVE-2022-20425

Moderate
CVE-2021-39758, CVE-2022-20415

Already included in previous updates
CVE-2022-22089, CVE-2022-22081, CVE-2022-22093, CVE-2022-22094, CVE-2022-22092, CVE-2022-25704, CVE-2022-25693, CVE-2021-39624

Not applicable to Samsung devices
CVE-2022-26447, CVE-2022-22074, CVE-2022-25688, CVE-2022-25669, CVE-2022-25686, CVE-2022-25708, CVE-2022-25706, CVE-2022-20386, CVE-2022-20391, CVE-2022-20390, CVE-2022-20389


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 18 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Oct-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2022-1782(CVE-2022-39856): Improper access control vulnerability in imsservice application

Severity: Moderate
Affected versions: S(12)
Reported on: July 26, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in imsservice application prior to SMR Oct-2022 Release 1 allows local attackers to access call information.
The patch adds proper access control logic to prevent unauthorized access.


SVE-2022-1655(CVE-2022-39855): Improper access control vulnerability in FACM application

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: July 12, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in FACM application prior to SMR Oct-2022 Release 1 allows a local attacker to connect arbitrary AP and Bluetooth devices.
The patch adds proper access control logic to prevent unauthorized access.


SVE-2022-1586(CVE-2022-39848): Exposure of SerialNo through Logcat in AT_Distributor

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: June 30, 2022
Disclosure status: Privately disclosed
Exposure of sensitive information in AT_Distributor prior to SMR Oct-2022 Release 1 allows local attacker to access SerialNo via log.
The patch removes the log that prints SerialNo.


SVE-2022-1406(CVE-2022-39850, CVE-2022-39849): Improper access control in knox_vpn_policy and mum_container_policy services

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: June 10, 2022
Disclosure status: Privately disclosed
Improper access control in knox_vpn_policy and mum_container_policy services prior to SMR Oct-2022 Release 1 allows unauthorized read of configuration data.
The patch adds a proper caller check to prevent reading of configuration data.


SVE-2022-1371(CVE-2022-39851): Improper access control vulnerability in CocktailBarService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: June 6, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in CocktailBarService prior to SMR Oct-2022 Release 1 allows local attacker to bind a service that requires BIND_REMOTEVIEWS permission.
The patch adds the permission to prevent improper access.


SVE-2022-1300(CVE-2022-39854): Improper protection in IOMMU

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) Exynos devices
Reported on: May 22, 2022
Disclosure status: Privately disclosed
Improper protection in IOMMU prior to SMR Oct-2022 Release 1 allows unauthorized access to secure memory.
The patch adds proper protection logic to prevent invalid memory access.


SVE-2022-1253(CVE-2022-39847): Use after free vulnerability in set_nft_pid and signal_handler functions of NFC driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 16, 2022
Disclosure status: Privately disclosed
Use after free vulnerability in set_nft_pid and signal_handler functions of NFC driver prior to SMR Oct-2022 Release 1 allows attackers to perform malicious actions.
The patch adds proper mutual exclusion check logic to prevent use after free.


SVE-2022-1251(CVE-2022-39853): Use After Free vulnerability in perf-mgr driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12) devices with Qualcomm SM8150 and SM8250 chipsets
Reported on: May 16, 2022
Disclosure status: Privately disclosed
A use after free vulnerability in perf-mgr driver prior to SMR Oct-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper check logic to prevent use after free.


SVE-2022-1212(CVE-2022-36868): Leak of MAC address of connected Bluetooth device in MouseNKeyHidDevice

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: May 11, 2022
Disclosure status: Privately disclosed
Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks MAC address of the connected Bluetooth device.
The patch adds proper package restriction logic.


SVE-2022-0998(CVE-2022-39852): A heap-based overflow vulnerability in libagifencoder.quram.so library

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: April 21, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in makeContactAGIF in libagifencoder.quram.so library prior to SMR Oct-2022 Release 1 allows attacker to perform code execution.
The patch adds proper boundary check logic to prevent buffer overflow.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Zhang Qing: SVE-2022-1782
hsia.angsh: SVE-2022-1655, SVE-2022-1586
Dawuge of Pangu Team: SVE-2022-1406, SVE-2022-1371
Martijn Bogaard of Riscure: SVE-2022-1300
Le Wu of Baidu Security: SVE-2022-1253, SVE-2022-1251
Hao Zhou, Xiapu Luo from PolyU, Haoyu Wang from HUST, Haipeng Cai from WSU: SVE-2022-1212
mart1n and zraxx: SVE-2022-0998

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – September 2022 package. The Bulletin (September 2022) contains the following CVE items:

Critical
None

High
CVE-2021-39815, CVE-2022-20122, CVE-2021-0947, CVE-2021-0946, CVE-2021-0698, CVE-2021-0887, CVE-2021-0891, CVE-2021-30259, CVE-2022-22062, CVE-2022-22070, CVE-2022-22067, CVE-2022-22822, CVE-2022-23852, CVE-2022-23990, CVE-2022-25314, CVE-2022-20218, CVE-2022-20392, CVE-2022-20393, CVE-2022-20395, CVE-2022-20398, CVE-2022-20396

Moderate
CVE-2022-20197, CVE-2020-0500, CVE-2020-0293

Already included in previous updates
CVE-2022-22080, CVE-2022-20239

Not applicable to Samsung devices
CVE-2022-22061, CVE-2022-22069, CVE-2022-22059, CVE-2022-25668


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 29 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) SMR Sep-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2022-1254(CVE-2022-36847): Use after free vulnerability in mtp_send_signal function of MTP driver

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: May 17, 2022
Disclosure status: Privately disclosed
Use after free vulnerability in mtp_send_signal function of MTP driver prior to SMR Sep-2022 Release 1 allows attackers to perform malicious actions.
The patch adds proper mutual exclusion check logic to prevent use after free.


SVE-2022-1249(CVE-2022-36849): Use after free vulnerability in sdp_mm_set_process_sensitive function of sdpmm driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 16, 2022
Disclosure status: Privately disclosed
Use after free vulnerability in sdp_mm_set_process_sensitive function of sdpmm driver prior to SMR Sep-2022 Release 1 allows attackers to perform malicious actions.
The patch adds proper mutual exclusion check logic to prevent use after free.


SVE-2022-1086(CVE-2022-36845): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in MHW_RECOG_LIB_INFO function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1083(CVE-2022-36841): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in PrepareRecogLibrary_Part function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1082(CVE-2022-36844): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in HWR::EngJudgeModel::Construct() in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1081(CVE-2022-36843): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in MHW_RECOG_LIB_INFO function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1080(CVE-2022-36860): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in LoadEnvironment function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1079(CVE-2022-36863): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in GetCorrectDbLanguageTypeEsPKc function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1077(CVE-2022-36862): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in HWR::EngineCJK::Impl::Construct() in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1076(CVE-2022-36842): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in prepareRecogLibrary function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1075(CVE-2022-36846): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in ConstructDictionary function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1074(CVE-2022-36858): A heap-based overflow vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 28, 2022
Disclosure status: Privately disclosed
A heap-based overflow vulnerability in GetCorrectDbLanguageTypeEsPKc() function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent buffer overflow.


SVE-2022-1037(CVE-2022-36854): Out of bound read in libapexjni.media.samsung.so

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 25, 2022
Disclosure status: Privately disclosed
Out of bound read in libapexjni.media.samsung.so prior to SMR Sep-2022 Release 1 allows attacker to access unauthorized information.
The patch adds length check logic.


SVE-2022-0934(CVE-2022-36848): Improper Authorization vulnerability in setDualDARPolicyCmd

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: April 16, 2022
Disclosure status: Privately disclosed
Improper Authorization vulnerability in setDualDARPolicyCmd prior to SMR Sep-2022 Release 1 allows local attackers to cause local permanent denial of service.
The patch adds caller check logic.


SVE-2022-0899(CVE-2022-36852): Improper Authorization vulnerability in Video Editor

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: April 12, 2022
Disclosure status: Privately disclosed
Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data.
The patch adds the proper validation of the broadcast.


SVE-2022-0853(CVE-2022-36861): Custom permission misuse in SystemUI

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 5, 2022
Disclosure status: Privately disclosed
Custom permission misuse vulnerability in SystemUI prior to SMR Sep-2022 Release 1 allows attacker to use some protected functions with SystemUI privilege.
The patch adds the permission in framework.


SVE-2022-0815(CVE-2022-36853): Intent redirection in Photo Editor

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 1, 2022
Disclosure status: Privately disclosed
Intent redirection in Photo Editor prior to SMR Sep-2022 Release 1 allows attacker to get sensitive information.
The patch adds flag check logic.


SVE-2022-0803(CVE-2022-36856): Improper access control vulnerability in Telecom application

Severity: Moderate
Affected versions: S(12)
Reported on: March 31, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in Telecom application prior to SMR Sep-2022 Release 1 allows attacker to start emergency calls via undefined permission.
The patch defines a proper permission to prevent improper access to emergency call.


SVE-2022-0706(CVE-2022-36857): Improper Authorization vulnerability in Photo Editor

Severity: Moderate
Affected versions: R(11) and Photo Editor prior to 3.0.23.43 in S(12)
Reported on: March 22, 2022
Disclosure status: Privately disclosed
Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data.
The patch adds the proper validation of the broadcast.


SVE-2022-0702(CVE-2022-36850): Path traversal vulnerability in CallBGProvider

Severity: Moderate
Affected versions: S(12)
Reported on: March 22, 2022
Disclosure status: Privately disclosed
Path traversal vulnerability in CallBGProvider prior to SMR Sep-2022 Release 1 allows attacker to overwrite arbitrary file with phone uid.
The patch adds proper input validation.


SVE-2022-0619(CVE-2022-36855): Use After Free vulnerability in iva_ctl driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12) devices with Exynos 9810 and Exynos 9820 chipsets
Reported on: March 17, 2022
Disclosure status: Privately disclosed
A use after free vulnerability in iva_ctl driver prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.
The patch adds proper check logic to prevent use after free.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Le Wu of Baidu Security: SVE-2022-1254, SVE-2022-1249, SVE-2022-0619
mart1n and zraxx: SVE-2022-1086, SVE-2022-1083, SVE-2022-1082, SVE-2022-1081, SVE-2022-1080, SVE-2022-1079, SVE-2022-1077, SVE-2022-1075, SVE-2022-1074, SVE-2022-1037
mart1n: SVE-2022-1076
hsiaangsh: SVE-2022-0934
Sergey Toshin: SVE-2022-0899, SVE-2022-0815, SVE-2022-0702
Dzmitry Lukyanenka: SVE-2022-0853, SVE-2022-0803
Dawn Security Lab, JD.com: SVE-2022-0706
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – August 2022 package. The Bulletin (August 2022) contains the following CVE items:

Critical
CVE-2022-20345

High
CVE-2022-20083,CVE-2022-21744,CVE-2022-20236,CVE-2022-20238,CVE-2022-20220,CVE-2021-39696,CVE-2022-20344,CVE-2022-20348,CVE-2022-20349,CVE-2022-20356,CVE-2022-20350,CVE-2022-20352,CVE-2022-20357,CVE-2022-20358,CVE-2022-20346,CVE-2022-20353,CVE-2022-20347,CVE-2022-20354,CVE-2022-20360,CVE-2022-20361,CVE-2022-20355,CVE-2022-1786,CVE-2022-20082

Moderate
None

Already included in previous updates
CVE-2022-22058,CVE-2022-20227

Not applicable to Samsung devices
CVE-2022-22096,CVE-2022-25659,CVE-2022-25657,CVE-2022-25658,CVE-2022-21764,CVE-2022-21763,CVE-2022-21767,CVE-2022-21768,CVE-2022-20216,CVE-2022-20217


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 31 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Aug-2022 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2022-1261(CVE-2022-33723): Tapjacking and overlay attack in BluetoothScanDialog

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 17, 2022
Disclosure status: Privately disclosed
Vulnerable code in onCreate of BluetoothScanDialog prior to SMR Aug-2022 Release 1 allows attackers to trick the user into selecting an unwanted Bluetooth device via tapjacking and overlay attack.
The patch adds a flag to prevent tapjacking and overlay attack.


SVE-2022-1260(CVE-2022-33727): Tapjacking and overlay attack in SecDevicePickerDialog

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 17, 2022
Disclosure status: Privately disclosed
Vulnerable code in onCreate of SecDevicePickerDialog prior to SMR Aug-2022 Release 1 allows attackers to trick the user into selecting an unwanted Bluetooth device via tapjacking and overlay attack.
The patch adds a flag to prevent tapjacking and overlay attack.


SVE-2022-1213(CVE-2022-33729): Leak of MAC address of connected Bluetooth device in NFC

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 12, 2022
Disclosure status: Privately disclosed
Improper restriction of broadcasting Intent in ConfirmConnectActivity of NFC prior to SMR Aug-2022 Release 1 leaks MAC address of the connected Bluetooth device.
The patch adds proper package restriction logic.


SVE-2022-1170(CVE-2022-33728): Leak of MAC address of connected Bluetooth device

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: May 6, 2022
Disclosure status: Privately disclosed
Exposure of sensitive information in Bluetooth prior to SMR Aug-2022 Release 1 allows local attackers to access connected BT macAddress via Settings.Global.
The patch protects the information to prevent access by unauthorized applications.


SVE-2022-0964(CVE-2022-33716): Information leak in ICCC TA

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: April 19, 2022
Disclosure status: Privately disclosed
An absence of variable initialization in ICCC TA prior to SMR Aug-2022 Release 1 allows local attacker to read uninitialized memory.
The patch adds variable initialization before use.


SVE-2022-0963(CVE-2022-33717): Out of bound read in SEM TA

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: April 19, 2022
Disclosure status: Privately disclosed
A missing input validation before memory read in SEM TA prior to SMR Aug-2022 Release 1 allows local attackers to read out of bound memory.
The patch adds input validation to prevent out of bound read.


SVE-2022-0953(CVE-2022-33725): PendingIntent hijacking vulnerability in Knox VPN

Severity: High
Affected versions: Q(10), R(11)
Reported on: April 18, 2022
Disclosure status: Privately disclosed
A vulnerability using PendingIntent in Knox VPN prior to SMR Aug-2022 Release 1 allows attackers to access content providers with system privilege.
The patch addresses the intent in Knox VPN to prevent unprivileged access.


SVE-2022-0897(CVE-2022-33715): Improper access control and path traversal vulnerability in LauncherProvider

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: April 11, 2022
Disclosure status: Privately disclosed
Improper access control and path traversal vulnerability in LauncherProvider prior to SMR Aug-2022 Release 1 allows local attacker to access files of One UI.
The patch adds proper validation logic to prevent arbitrary file access.


SVE-2022-0889(CVE-2022-33718): Manipulate the list of apps that can use mobile data in Wi-Fi service

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 8, 2022
Disclosure status: Privately disclosed
An improper access control vulnerability in Wi-Fi Service prior to SMR Aug-2022 Release 1 allows untrusted applications to manipulate the list of apps that can use mobile data.
The patch adds proper access control to use protected-broadcast.


SVE-2022-0871(CVE-2022-33714): Improper access control vulnerability in SemWifiApBroadcastReceiver

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 6, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in SemWifiApBroadcastReceiver prior to SMR Aug-2022 Release 1 allows attacker to reset a setting value related to mobile hotspot.
The patch adds proper protection to prevent unintended access by unauthorized applications.


SVE-2022-0824(CVE-2022-33731): Improper access control vulnerability in DesktopSystemUI

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: April 2, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in DesktopSystemUI prior to SMR Aug-2022 Release 1 allows attackers to enable and disable arbitrary components.
The patch deletes the related code to prevent unauthorized access.


SVE-2022-0805(CVE-2022-33732): Possible to scan and connect to PC in Samsung Dex for PC

Severity: Moderate
Affected versions: S(12)
Reported on: March 31, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in Samsung Dex for PC prior to SMR Aug-2022 Release 1 allows local attackers to scan and connect to PC by unprotected binder call.
The patch adds proper permission check in Samsung Dex for PC to prevent unauthorized access.


SVE-2022-0788(CVE-2022-33721): PendingIntent hijacking vulnerability in DeX for PC

Severity: High
Affected versions: S(12)
Reported on: March 29, 2022
Disclosure status: Privately disclosed
A vulnerability using PendingIntent in DeX for PC prior to SMR Aug-2022 Release 1 allows attackers to access files with system privilege.
The patch addresses the Intent in DeX for PC to prevent unprivileged access.


SVE-2022-0769(CVE-2022-33722): Implicit intent hijacking in Smart View

Severity: Moderate
Affected versions: Select S(12) devices
Reported on: March 28, 2022
Disclosure status: Privately disclosed
Implicit Intent hijacking vulnerability in Smart View prior to SMR Aug-2022 Release 1 allows attacker to access connected device MAC address.
The patch changes implicit intent to explicit intent.


SVE-2022-0753(CVE-2022-33726): Intent redirection vulnerability in Samsung Galaxy Friends

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 26, 2022
Disclosure status: Privately disclosed
Unprotected dynamic receiver in Samsung Galaxy Friends prior to SMR Aug-2022 Release 1 allows attacker to launch activity.
The patch removes unused code.


SVE-2022-0726(CVE-2022-33724): Exposure of Sensitive Information in Samsung Dialer application

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 24, 2022
Disclosure status: Privately disclosed
Exposure of Sensitive Information in Samsung Dialer application prior to SMR Aug-2022 Release 1 allows local attackers to access ICCID via log.
The patch fixes improper logging.


SVE-2022-0448(CVE-2022-33719): Improper input validation in baseband

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) devices with S.LSI CP chipsets
Reported on: February 26, 2022
Disclosure status: Privately disclosed
Improper input validation in baseband prior to SMR Aug-2022 Release 1 allows attackers to cause integer overflow to heap overflow.
The patch adds proper validation logic to prevent integer overflow.


SVE-2022-0429(CVE-2022-33730): Heap-based buffer overflow in Samsung Dex for PC

Severity: High
Affected versions: S(12)
Reported on: February 21, 2022
Disclosure status: Privately disclosed
Heap-based buffer overflow vulnerability in Samsung Dex for PC prior to SMR Aug-2022 Release 1 allows arbitrary code execution by physical attackers.
The patch adds proper boundary check and input validation to prevent buffer overflow.


SVE-2021-24426(CVE-2022-33720): Improper authentication vulnerability in AppLock

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: December 31, 2021
Disclosure status: Privately disclosed
Improper authentication vulnerability in AppLock prior to SMR Aug-2022 Release 1 allows physical attacker to access Chrome locked by AppLock via new tap shortcut.
The patch adds proper authentication to prevent unintended access to apps locked by AppLock.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Hao Zhou, Xiapu Luo from PolyU, Haoyu Wang from HUST, Haipeng Cai from WSU: SVE-2022-1213, SVE-2022-1260, SVE-2022-1261
Jenny Zhang: SVE-2022-1170
Zhongjie Wang: SVE-2022-0963, SVE-2022-0964
Zhang Qing: SVE-2022-0726
Sergey Toshin of Oversecured Inc: SVE-2022-0753, SVE-2022-0769, SVE-2022-0788, SVE-2022-0805, SVE-2022-0824, SVE-2022-0897, SVE-2022-0953
Dzmitry Lukyanenka: SVE-2022-0871, SVE-2022-0889
DaiGe of Tencent Security Xlab: SVE-2022-0429
Jayanth B: SVE-2021-24426
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – July 2022 package. The Bulletin (July 2022) contains the following CVE items:

Critical
CVE-2022-20210,CVE-2022-20222,CVE-2022-20229

High
CVE-2022-20141,CVE-2021-4154,CVE-2022-20136,CVE-2022-25258,CVE-2022-20132,CVE-2022-21745,CVE-2021-35102,CVE-2021-35111,CVE-2021-35083, CVE-2022-20219,CVE-2022-20228,CVE-2021-0981,CVE-2022-20223,CVE-2022-20226,CVE-2022-20221,CVE-2022-20224,CVE-2022-20225,CVE-2022-20230,CVE-2021-39703,CVE-2022-20115

Moderate
None

Already included in previous updates
CVE-2022-22090,CVE-2021-0341

Not applicable to Samsung devices
CVE-2022-24958,CVE-2022-22085,CVE-2022-22087,CVE-2022-22084,CVE-2022-22083,CVE-2022-22082,CVE-2022-22086


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 41 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Jul-2022 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-24229(CVE-2022-30750, CVE-2022-30751, CVE-2022-30752): Improper access control vulnerability in SemWifiApTetheredClientInfo

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 14, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access Wi-Fi AP client MAC address without permission.
The patch adds proper protection to prevent unintended access by unauthorized applications.


SVE-2021-24263(CVE-2022-30753): A unique device ID leak in SecSoterService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 14, 2021
Disclosure status: Privately disclosed.
Improper use of a unique device ID in unprotected SecSoterService prior to SMR Jul-2022 Release 1 allows local attackers to get the device ID without permission.
The patch removes improper use of the device ID.


SVE-2022-0352(CVE-2022-30754): Arbitrary activity start in AppLinker

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: February 13, 2022
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in AppLinker prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities with privilege of AppLinker.
The patch removes unused code.


SVE-2022-0519(CVE-2022-30755): User interaction bypass in App lock

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: March 7, 2022
Disclosure status: Privately disclosed.
Improper authentication vulnerability in AppLock prior to SMR Jul-2022 Release 1 allows attacker to bypass password confirm activity by hijacking the implicit intent.
The patch changes implicit Intent to explicit Intent to prevent hijacking from unprivileged applications.


SVE-2022-0527(CVE-2022-30756): Arbitrary activity start in Finder

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: March 8, 2022
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities with privilege of Finder.
The patch adds proper access control logic.


SVE-2022-0533(CVE-2022-30757): Exposure of Sensitive Information in isemtelephony

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 9, 2022
Disclosure status: Privately disclosed.
Improper authorization in isemtelephony prior to SMR Jul-2022 Release 1 allows attacker to obtain CID without permission.
The patch removes sensitive information from return data when the caller is not granted permission.


SVE-2022-0537(CVE-2022-30758): Implicit intent hijacking in Finder

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 9, 2022
Disclosure status: Privately disclosed.
Implicit intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allows attackers to access some protected information with privilege of Finder.
The patch changes implicit intent to explicit Intent to prevent hijacking from unprivileged applications.


SVE-2022-0595(CVE-2022-33685): Unprotected dynamic receiver in Wearable Manager Installer

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 15, 2022
Disclosure status: Privately disclosed.
Unprotected dynamic receiver in Wearable Manager Service prior to SMR Jul-2022 Release 1 allows attacker to launch arbitrary activity and access sensitive information.
The patch removes unused code.


SVE-2022-0674(CVE-2022-33686): Exposure of Sensitive Information vulnerability in GsmAlarmManager

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 19, 2022
Disclosure status: Privately disclosed.
Exposure of Sensitive Information in GsmAlarmManager prior to SMR Jul-2022 Release 1 allows local attacker to access ICCID via log.
The patch fixes improper logging.


SVE-2022-0675(CVE-2022-33687): IMSI leak in telephony-common.jar via logcat

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 19, 2022
Disclosure status: Privately disclosed.
Exposure of Sensitive Information in telephony-common.jar prior to SMR Jul-2022 Release 1 allows local attackers to access IMSI via log.
The patch fixes incorrect implementation of logging.


SVE-2022-0677(CVE-2022-33688): Sensitive information exposure in SecTelephonyProvider

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 19, 2022
Disclosure status: Privately disclosed.
Sensitive information exposure vulnerability in EventType in SecTelephonyProvider prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.
The patch adds anonymization process of the data.


SVE-2022-0681(CVE-2022-33689): Possible to change preferred network type in TelephonyUI

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: March 20, 2022
Disclosure status: Privately disclosed.
Improper access control vulnerability in TelephonyUI prior to SMR Jul-2022 Release 1 allows attackers to change preferred network type by unprotected binder call.
The patch adds proper permission check in TelephonyUI to prevent unauthorized access.


SVE-2022-0687(CVE-2022-33690): Path traversal vulnerability in Contacts Storage

Severity: Moderate
Affected versions: S(12)
Reported on: March 21, 2022
Disclosure status: Privately disclosed.
Improper input validation in Contacts Storage prior to SMR Jul-2022 Release 1 allows attacker to access arbitrary file.
The patch adds proper validation logic to prevent path traversal.


SVE-2022-0689(CVE-2022-33691): TOCTOU vulnerability in score driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12) devices with Exynos 9820 chipset
Reported on: March 21, 2022
Disclosure status: Privately disclosed.
A possible race condition vulnerability in score driver prior to SMR Jul-2022 Release 1 can allow local attackers to interleave malicious operations.
The patch adds proper synchronization points to avoid all possibility of a race condition.


SVE-2022-0719(CVE-2022-33692): Exposure of IMSI through Logcat in Message App

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: March 23, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in Messaging application prior to SMR Jul-2022 Release 1 allows local attacker to access IMSI and ICCID via log.
The patch fixes improper logging.


SVE-2022-0723(CVE-2022-33693): Exposure of Sensitive Information vulnerability in CID Manager

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 23, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in CID Manager prior to SMR Jul-2022 Release 1 allows local attacker to access ICCID via log.
The patch fixes improper logging.


SVE-2022-0737(CVE-2022-33694): Disclosure of Wi-Fi Connection information in CSC

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 25, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access Wi-Fi information via unprotected intent broadcasting.
The patch adds proper permission while sending broadcast with sensitive information to prevent unauthorized access.


SVE-2022-0792(CVE-2022-33695): Use of improper permission in InputManagerService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 29, 2022
Disclosure status: Privately disclosed.
Use of improper permission in InputManagerService prior to SMR Jul-2022 Release 1 allows unauthorized access to the service.
The patch modifies it to use the proper permission.


SVE-2022-0813(CVE-2022-33696): Sensitive information exposure through logcat in Telephony

Severity: Moderate
Affected versions: S(12)
Reported on: March 31, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in Telephony service prior to SMR Jul-2022 Release 1 allows local attacker to access IMSI and ICCID via log.
The patch fixes improper logging.


SVE-2022-0820(CVE-2022-33697): Sensitive information exposure in ImsCore

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 1, 2022
Disclosure status: Privately disclosed.
Sensitive information exposure vulnerability in ImsServiceSwitchBase in ImsCore prior to SMR Jul-2022 Release 1 allows local attackers with log access permission to get IMSI through device log.
The patch blocks output of the data in commercial products.


SVE-2022-0821(CVE-2022-33698): ICCID leak in Telecom via logcat

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 1, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in Telecom application prior to SMR Jul-2022 Release 1 allows local attackers to access ICCID via log.
The patch fixes incorrect implementation of logging.


SVE-2022-0834(CVE-2022-33699): Exposure of Sensitive Information vulnerability in getDsaSimImsi in TelephonyUI

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 3, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in getDsaSimImsi in TelephonyUI prior to SMR Jul-2022 Release 1 allows local attacker to access IMSI via log.
The patch fixes improper logging.


SVE-2022-0835(CVE-2022-33700): Exposure of Sensitive Information vulnerability in putDsaSimImsi in TelephonyUI

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 3, 2022
Disclosure status: Privately disclosed.
Exposure of sensitive information in putDsaSimImsi in TelephonyUI prior to SMR Jul-2022 Release 1 allows local attacker to access IMSI via log.
The patch fixes improper logging.


SVE-2022-0873(CVE-2022-33701): Improper access control vulnerability in KnoxCustomManagerService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: April 7, 2022
Disclosure status: Privately disclosed.
Improper access control vulnerability in KnoxCustomManagerService prior to SMR Jul-2022 Release 1 allows attacker to call PowerManager.goToSleep method by sending broadcast intent.
The patch adds a protected broadcast intent to prevent unauthorized applications from sending the broadcast intent.


SVE-2022-0937(CVE-2022-33702): Knoxguard lock disabled by factory reset in Keyguard

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: April 17, 2022
Disclosure status: Privately disclosed.
Improper authorization vulnerability in Knoxguard prior to SMR Jul-2022 Release 1 allows local attacker to disable keyguard and bypass Knoxguard lock by factory reset.
The patch fixes Keyguard state to enforce Knoxguard lock after factory reset.


SVE-2022-0946(CVE-2022-33703): Arbitrary activity start in CACertificateInfo

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: April 17, 2022
Disclosure status: Privately disclosed.
Improper validation vulnerability in CACertificateInfo prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities.
The patch adds proper validation logic to prevent privilege escalation.


SVE-2022-0952(CVE-2022-33704): Arbitrary activity start in ucmRetParcelable

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: April 18, 2022
Disclosure status: Privately disclosed.
Improper validation vulnerability in ucmRetParcelable of KnoxSDK prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities.
The patch adds proper validation logic to prevent privilege escalation.


Some SVE items included in the Samsung Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Jennu.ZJN: SVE-2021-24229
Xia Guangshuai in Wuheng Lab of ByteDance: SVE-2021-24263
Sergey Toshin of Oversecured Inc: SVE-2022-0352, SVE-2022-0681, SVE-2022-0687, SVE-2022-0737
Hao Zhou and Xiapu Luo from PolyU, Haoyu Wang from HUST, Yajin Zhou from ZJU: SVE-2022-0519
Dawuge of Pangu Team: SVE-2022-0527, SVE-2022-0537, SVE-2022-0595
Aprilife: SVE-2022-0533
Zhang Qing: SVE-2022-0674, SVE-2022-0675, SVE-2022-0677, SVE-2022-0719, SVE-2022-0723, SVE-2022-0813, SVE-2022-0820, SVE-2022-0821, SVE-2022-0834, SVE-2022-0835
Le Wu of Baidu Security: SVE-2022-0689
Dzmitry Lukyanenka: SVE-2022-0792, SVE-2022-0873
Rajesh: SVE-2022-0937
Dawn Security Lab, JD.com: SVE-2022-0946, SVE-2022-0952
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – June 2022 package. The Bulletin (June 2022) contains the following CVE items:

Critical
CVE-2021-35090,CVE-2022-20130,CVE-2022-20127,CVE-2022-20140,CVE-2022-20145

High
CVE-2022-20009,CVE-2022-20008,CVE-2022-0847,CVE-2022-20110,CVE-2022-20109,CVE-2021-35080,CVE-2021-35094,CVE-2021-35072,CVE-2021-35087,CVE-2021-35076,CVE-2021-35073,CVE-2021-35086,CVE-2021-35096,CVE-2021-35078,CVE-2021-35116,CVE-2022-22057,CVE-2022-22068,CVE-2022-22065,CVE-2022-22064,CVE-2021-39691,CVE-2022-20125,CVE-2022-20138,CVE-2022-20126,CVE-2022-20133,CVE-2022-20134,CVE-2022-20135,CVE-2022-20137,CVE-2022-20142,CVE-2022-20147,CVE-2022-20123,CVE-2022-20131,CVE-2022-20129,CVE-2022-20143,CVE-2021-39690,CVE-2021-0506,CVE-2021-39671

Moderate
CVE-2021-22600

Already included in previous updates
CVE-2022-20006

Not applicable to Samsung devices
CVE-2022-20084,CVE-2022-22072


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 25 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Jun-2022 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-23082(CVE-2022-28794): Sensitive information exposure in low battery dumpstate log

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: August 28, 2021
Disclosure status: Privately disclosed.
Sensitive information exposure in low-battery dumpstate log prior to SMR Jun-2022 Release 1 allows local attackers to get SIM card information.
The patch removes SIM card information in low-battery dumpstate log. 


SVE-2021-24033(CVE-2022-30709): Improper input validation check logic in SECRIL.

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: November 26, 2021
Disclosure status: Privately disclosed.
Improper input validation check logic vulnerability in SECRIL prior to SMR Jun-2022 Release 1 allows attackers to trigger crash.
The patch removes the insecure API code in SECRIL.


SVE-2022-0092(CVE-2022-30710, CVE-2022-30711, CVE-2022-30712, CVE-2022-30713): Improper validation in RemoteViews, FeedsInfo, KfaOptions and LSOItemData

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: January 8, 2022
Disclosure status: Privately disclosed.
Improper validation vulnerability in RemoteViews, FeedsInfo, KfaOptions and LSOItemData prior to SMR Jun-2022 Release 1 allows attackers to launch certain activities.
The patch adds proper validation logic to prevent privilege escalation.


SVE-2022-0100(CVE-2022-30714): Information exposure vulnerability in SemIWCMonitor

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: January 8, 2022
Disclosure status: Privately disclosed.
Information exposure vulnerability in SemIWCMonitor prior to SMR Jun-2022 Release 1 allows local attackers to get MAC address information.
The patch removes MAC address information in SemIWCMonitor.


SVE-2022-0138(CVE-2022-30715): Improper access control vulnerability in DofViewer.

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: January 14, 2022
Disclosure status: Privately disclosed.
Improper access control vulnerability in DofViewer prior to SMR Jun-2022 Release 1 allows attackers to control the floating system alert window.
The patch adds a proper permission check in DofViewer to prevent control by unauthorized applications.


SVE-2022-0254(CVE-2022-30716): Unprotected broadcast in DisplayToast 

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: January 30, 2022
Disclosure status: Privately disclosed.
Unprotected broadcast in sendIntentForToastDumpLog in DisplayToast prior to SMR Jun-2022 Release 1 allows untrusted applications to access toast message information from the device.
The patch adds proper restriction in receiver for the broadcast message.


SVE-2022-0258(CVE-2022-30717): Improper caller check in AR Emoji

Severity: High
Affected versions: Q(10), R(11)
Reported on: January 31, 2022
Disclosure status: Privately disclosed.
Improper caller check in AR Emoji prior to SMR Jun-2022 Release 1 allows untrusted applications to use some camera functions via deeplink.
The patch removes insecure operations using deeplink.


SVE-2022-0392(CVE-2022-30719): Improper input validation check logic in libsmkvextractor

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 18, 2022
Disclosure status: Privately disclosed.
Improper input validation check logic vulnerability in libsmkvextractor prior to SMR Jun-2022 Release 1 allows attackers to trigger a crash.
The patch adds proper validation of the buffer length.


SVE-2022-0393(CVE-2022-30720): Improper input validation check logic in libsmkvextractor

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 18, 2022
Disclosure status: Privately disclosed.
Improper input validation check logic vulnerability in libsmkvextractor prior to SMR Jun-2022 Release 1 allows attackers to trigger a crash.
The patch adds proper validation of the buffer length.


SVE-2022-0412(CVE-2022-30721): Improper input validation check logic in libsmkvextractor

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 20, 2022
Disclosure status: Privately disclosed.
Improper input validation check logic vulnerability in libsmkvextractor prior to SMR Jun-2022 Release 1 allows attackers to trigger a crash.
The patch adds proper validation of the buffer length.


SVE-2022-0507(CVE-2022-30722): Bypass of Samsung Account confirmation via hijacking implicit intent

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 6, 2022
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in Samsung Account prior to SMR Jun-2022 Release 1 allows attackers to bypass user confirmation of Samsung Account.
The patch changes implicit Intent to explicit Intent to prevent hijacking from unprivileged applications.


SVE-2022-0526, SVE-2022-0534, and SVE-2022-0535(CVE-2022-30723, CVE-2022-30724, CVE-2022-30725): Leak of MAC address of connected Bluetooth device

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 8, 2022
Disclosure status: Privately disclosed.
Broadcasting Intent including the Bluetooth Device object without proper restriction of receivers in Bluetooth prior to SMR Jun-2022 Release 1 leaks MAC address of the connected Bluetooth device.
The patch adds proper permission to prevent Bluetooth information leak.


SVE-2022-0691(CVE-2022-30726): Unprotected component vulnerability in SecSettingsIntelligence

Severity: Moderate
Affected versions: S(12)
Reported on: March 21, 2022
Disclosure status: Privately disclosed.
Unprotected component vulnerability in DeviceSearchTrampoline in SecSettingsIntelligence prior to SMR Jun-2022 Release 1 allows local attackers to launch activities of SecSettingsIntelligence.
The patch adds proper permission for using the component.


SVE-2022-0793(CVE-2022-30727): Improper handling of insufficient permissions in PersonaManagerService

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: March 29, 2022
Disclosure status: Privately disclosed.
Improper handling of insufficient permissions vulnerability in addAppPackageNameToAllowList in PersonaManagerService prior to SMR Jun-2022 Release 1 allows local attackers to set some setting value in work space.
The patch adds proper permission for using the API.


SVE-2022-1203(CVE-2022-30728): Information exposure vulnerability in ScanPool

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: January 8, 2022
Disclosure status: Privately disclosed.
Information exposure vulnerability in ScanPool prior to SMR Jun-2022 Release 1 allows local attackers to get MAC address information.
The patch removes MAC address information in ScanPool. 


SVE-2022-0504(CVE-2022-30729): Hijacking of Wi-Fi SSID and password in Settings

Severity: Moderate
Affected versions: S(12)
Reported on: March 3, 2022
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in Settings prior to SMR Jun-2022 Release 1 allows attackers to get Wi-Fi SSID and password via a malicious QR code scanner.
The patch changes implicit Intent to explicit Intent to prevent hijacking from unprivileged applications.


Some SVE items included in the Samsung Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Andr.Ess: SVE-2021-23082, SVE-2022-0100, SVE-2022-1203
Zhang Lei: SVE-2021-24033
Michał Bednarski: SVE-2022-0092
Jenny ZJN: SVE-2022-0254
Rahul D Kankrale: SVE-2022-0258
Kiwan Ko: SVE-2022-0392, SVE-2022-0393, SVE-2022-0412
Hao Zhou and Xiapu Luo from PolyU, Haoyu Wang from HUST, Yajin Zhou from ZJU: SVE-2022-0504, SVE-2022-0507, SVE-2022-0526, SVE-2022-0534, and SVE-2022-0535
Dawn Security Lab, JD.com: SVE-2022-0138, SVE-2022-0691
Sergey Toshin of Oversecured Inc: SVE-2022-0793

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – May 2022 package. The Bulletin (May 2022) contains the following CVE items:

Critical
CVE-2021-30339,CVE-2021-30341,CVE-2021-30347,CVE-2021-30342,CVE-2021-30343,CVE-2021-35112,CVE-2021-35081

High
CVE-2021-0707,CVE-2021-39800,CVE-2021-39801,CVE-2021-39802,CVE-2021-30350,CVE-2021-30344,CVE-2021-30340,CVE-2021-30334,CVE-2021-35130,CVE-2021-39807,CVE-2021-39662,CVE-2022-20004,CVE-2022-20005,CVE-2022-20006,CVE-2022-20007,CVE-2022-20113,CVE-2022-20114,CVE-2022-20116,CVE-2022-20010,CVE-2022-20011,CVE-2022-20115,CVE-2021-39670,CVE-2022-20112

Moderate
CVE-2021-1020,CVE-2021-1021,CVE-2021-39700

Already included in previous updates
CVE-2022-20081,CVE-2021-25477,CVE-2021-30349,CVE-2021-30281,CVE-2021-30338,CVE-2021-35091,CVE-2021-35095

Not applicable to Samsung devices
CVE-2021-35104,CVE-2021-30345,CVE-2021-30346,CVE-2021-35070,CVE-2021-35100,CVE-2021-35123


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 18 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR May-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-24015(CVE-2022-28780): Improper access control vulnerability in Weather

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: November 24, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows attackers to access location information set in Weather without permission.
The patch adds proper protection to prevent access to location information.


SVE-2022-0285(CVE-2022-28781): Launch arbitrary activity with system privilege

Severity: High
Affected versions: R(11), S(12)
Reported on: February 4, 2022
Disclosure status: Privately disclosed.
Improper input validation in Settings prior to SMR May-2022 Release 1 allows attackers to launch arbitrary activity with system privilege.
The patch adds proper validation logic to check the caller.


SVE-2022-0324(CVE-2022-28782): Vulnerability with access to Contents To Window

Severity: Moderate
Affected versions: Select R(11), S(12) devices
Reported on: February 9, 2022
Disclosure status: Privately disclosed.
Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows a physical attacker to install a package before completion of the Setup wizard.
The patch blocks the entry point of the vulnerability.


SVE-2022-0349(CVE-2022-28783): Ability to uninstall arbitrary apps

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: February 13, 2022
Disclosure status: Privately disclosed.
Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission.
The patch adds proper validation logic for removing package name.


SVE-2022-0350(CVE-2022-28784): Directory listing as system user

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: February 13, 2022
Disclosure status: Privately disclosed.
Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user.
The patch addresses incorrect implementation of file path validation check logic.


SVE-2022-0390(CVE-2022-28785): Out-of-bounds read vulnerability in aviextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 18, 2022
Disclosure status: Privately disclosed.
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.
The patch adds buffer size check logic.


SVE-2022-0391(CVE-2022-28786): Out-of-bounds read vulnerability in aviextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 18, 2022
Disclosure status: Privately disclosed.
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.
The patch adds buffer size check logic.


SVE-2022-0404(CVE-2022-28787): Out-of-bounds read vulnerability in wmfextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 20, 2022
Disclosure status: Privately disclosed.
Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.
The patch adds buffer size check logic.


SVE-2022-0427(CVE-2022-28788): Out-of-bounds read vulnerability in aviextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: February 21, 2022
Disclosure status: Privately disclosed.
Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.
The patch adds buffer size check logic.


Some SVE items included in the Samsung Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Jenny Zhang: SVE-2021-24015
Sergey Toshin of Oversecured Inc: SVE-2022-0285, SVE-2022-0349, SVE-2022-0350
SeungHyun Cho (@netkingj): SVE-2022-0324
Kiwan Ko: SVE-2022-0390, SVE-2022-0391, SVE-2022-0404, SVE-2022-0427

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – April 2022 package. The Bulletin (April 2022) contains the following CVE items:

Critical
None

High
CVE-2020-29368,CVE-2021-39685,CVE-2021-39686,CVE-2021-39698,CVE-2021-3655,CVE-2021-35088,CVE-2021-35103,CVE-2021-35105,CVE-2021-35117,CVE-2021-30328,CVE-2021-30329,CVE-2021-30332,CVE-2021-30333,CVE-2021-39694,CVE-2021-0694,CVE-2021-39794,CVE-2021-39795,CVE-2021-39796,CVE-2021-39797,CVE-2021-39798,CVE-2021-39799,CVE-2021-39803,CVE-2021-39804,CVE-2021-39808,CVE-2021-39805,CVE-2021-39809,CVE-2022-0847

Moderate
CVE-2021-1027,CVE-2021-1028,CVE-2021-1029,CVE-2021-1001,CVE-2021-1002,CVE-2021-1018,CVE-2021-0973,CVE-2021-0769,CVE-2021-0992,CVE-2021-0987,CVE-2021-1005,CVE-2021-1014,CVE-2021-1015,CVE-2021-1007,CVE-2021-1023,CVE-2021-1026,CVE-2021-1034,CVE-2021-1022

Already included in previous updates
CVE-2021-1942,CVE-2021-35110,CVE-2021-1950,CVE-2021-1009,CVE-2021-1032,CVE-2021-1011

Not applicable to Samsung devices
CVE-2022-20047,CVE-2022-20048,CVE-2022-20053,CVE-2021-35106


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 33 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR Apr-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-22904(CVE-2022-25831): Improper access control in S Secure

Severity: Low
Affected versions: Select Q(10), R(11), S(12) devices
Reported on: August 9, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in S Secure prior to SMR Apr-2022 Release 1 allows physical attackers to access secured data in certain conditions.
The patch removes improper check logic.


SVE-2021-23217(CVE-2022-25832): Improper authentication vulnerability in S Secure

Severity: Moderate
Affected versions: Select R(11), S(12) devices
Reported on: September 11, 2021
Disclosure status: Privately disclosed.
Improper authentication vulnerability in S Secure prior to SMR Apr-2022 Release 1 allows physical attackers to use the locked Myfiles app without authentication.
The patch adds proper validation logic to prevent use of the locked Myfiles app without authentication.


SVE-2021-23296(CVE-2022-25833): Improper authentication in ImsService

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: September 19, 2021
Disclosure status: Privately disclosed.
Improper authentication in ImsService prior to SMR Apr-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission.
The patch fixes improper permission check logic.


SVE-2021-23602(CVE-2022-26090): Improper access control in Samsung Contacts

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: October 16, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in Samsung Contacts prior to SMR Apr-2022 Release 1 allows attackers to access contact information without permission.
The patch adds proper intent flag to prevent access to contact information.


SVE-2021-23949(CVE-2022-26091): Improper access control in Knox Manage

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: November 17, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in Knox Manage prior to SMR Apr-2022 Release 1 allows physical attackers to bypass Knox Manage using a function key of a hardware keyboard.
The patch prevents use of a certain function key on Knox Manage login page.


SVE-2021-23951(CVE-2022-26092): Improper boundary check in Quram Agif library 

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: November 17, 2021
Disclosure status: Privately disclosed.
Improper boundary check in Quram Agif library prior to SMR Apr-2022 Release 1 allows arbitrary code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-24106(CVE-2022-26093, CVE-2022-26094, CVE-2022-26095, CVE-2022-26096, CVE-2022-26097): Null pointer dereference in libsimba library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 1, 2021
Disclosure status: Privately disclosed.
Null pointer dereference vulnerability in some parser functions of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24107(CVE-2022-26098): Heap-based buffer overflow vulnerability in sheifd_create function in libsimba library 

Severity: Critical
Affected versions: Q(10), R(11), S(12)
Reported on: December 1, 2021
Disclosure status: Privately disclosed.
Heap-based buffer overflow vulnerability in sheifd_create function of libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24108(CVE-2022-26099): Null pointer dereference vulnerability in parser_infe function in libsimba library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 1, 2021
Disclosure status: Privately disclosed.
Null pointer dereference vulnerability in parser_infe function of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds read by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24109(CVE-2022-27567): Null pointer dereference vulnerability in parser_hvcC function in libsimba library

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 1, 2021
Disclosure status: Privately disclosed.
Null pointer dereference vulnerability in parser_hvcC function of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24110(CVE-2022-27568, CVE-2022-27569, CVE-2022-27570, CVE-2022-27571): Heap-based buffer overflow vulnerability in some parser functions and sheifd_get_info_image function in libsimba library

Severity: Critical
Affected versions: Q(10), R(11), S(12)
Reported on: December 1, 2021
Disclosure status: Privately disclosed.
Heap-based buffer overflow vulnerability in some parser functions and sheifd_get_info_image function of libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24224(CVE-2022-27572): Heap-based buffer overflow vulnerability in parser_ipma function in libsimba

Severity: Critical
Affected versions: Q(10), R(11), S(12)
Reported on: December 10, 2021
Disclosure status: Privately disclosed.
Heap-based buffer overflow vulnerability in parser_ipma function of libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attackers.
The patch adds the proper validation of input data.


SVE-2021-24225(CVE-2022-27573): Improper input validation vulnerability in parser_infe and sheifd_find_itemIndexin functions of libsimba library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: December 10, 2021
Disclosure status: Privately disclosed.
Improper input validation vulnerability in parser_infe and sheifd_find_itemIndexin functions of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by privileged attackers.
The patch adds the proper validation of input data.


SVE-2021-24226(CVE-2022-27574): Improper input validation vulnerability in parser_iloc and sheifd_find_itemIndexin functions of libsimba library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: December 10, 2021
Disclosure status: Privately disclosed.
Improper input validation vulnerability in parser_iloc and sheifd_find_itemIndexin functions of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by privileged attackers.
The patch adds the proper validation of input data.


SVE-2021-24352(CVE-2022-27575, CVE-2022-27575): Information exposure vulnerability in One UI Home, Samsung DeX Home

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: December 21, 2021
Disclosure status: Privately disclosed.
Information exposure vulnerability in One UI Home and Samsung DeX Home prior to SMR April-2022 Release 1 allows access to currently launched foreground app information without permission.
The patch adds proper protection to prevent access to foreground app information.


SVE-2021-24382(CVE-2022-27821): Improper boundary check in Quram Agif library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: December 24, 2021
Disclosure status: Privately disclosed.
Improper boundary check in Quram Agif library prior to SMR Apr-2022 Release 1 allows attackers to cause denial of service via crafted image file.
The patch adds proper validation logic to prevent out-of-bounds read.


SVE-2021-24421(CVE-2022-27822): Information exposure vulnerability in ril property setting

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: December 31, 2021
Disclosure status: Privately disclosed.
Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.
The patch removes the property.


SVE-2022-0006(CVE-2022-27823): Improper size check in sapefd_parse_meta_HEADER_old function of libsapeextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: January 22, 2022
Disclosure status: Privately disclosed.
Improper size check in sapefd_parse_meta_HEADER_old function of libsapeextractor library prior to SMR Apr-2022 Release 1 allows out of bounds read via a crafted media file.
The patch adds the proper validation of the buffer length.


SVE-2022-0007(CVE-2022-27824): Improper size check in sapefd_parse_meta_DESCRIPTION function of libsapeextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: January 22, 2022
Disclosure status: Privately disclosed.
Improper size check in sapefd_parse_meta_DESCRIPTION function of libsapeextractor library prior to SMR Apr-2022 Release 1 allows out of bounds read via a crafted media file.
The patch adds the proper validation of the buffer length.


SVE-2022-0008(CVE-2022-27825): Improper size check in sapefd_parse_meta_HEADER function of libsapeextractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: January 22, 2022
Disclosure status: Privately disclosed.
Improper size check in sapefd_parse_meta_HEADER function of libsapeextractor library prior to SMR Apr-2022 Release 1 allows out of bounds read via a crafted media file.
The patch adds the proper validation of the buffer length.


SVE-2022-0011(CVE-2022-27826, CVE-2022-27827, CVE-2022-27828, CVE-2022-27829, CVE-2022-27830): Improper validation vulnerability in SemSuspendDialogInfo, MediaMonitorDimension, MediaMonitorEvent, VerifyCredentialResponse, and SemBlurInfo

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: January 2, 2022
Disclosure status: Privately disclosed.
Improper validation vulnerability in SemSuspendDialogInfo, MediaMonitorDimension, MediaMonitorEvent, VerifyCredentialResponse, and SemBlurInfo prior to SMR Apr-2022 Release 1 allows attackers to launch certain activities.
The patch adds proper validation logic to prevent privilege escalation.


SVE-2022-0021(CVE-2022-27831): Out-of-bounds read vulnerability in sflvd_rdbuf_bits of libsflvextractor

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: January 4, 2022
Disclosure status: Privately disclosed.
An improper boundary check in sflvd_rdbuf_bits of libsflvextractor prior to SMR Apr-2022 Release 1 allows attackers to read out of bounds memory.
The patch adds proper boundary check to prevent out of bounds read.


SVE-2022-0022(CVE-2022-27832): Improper boundary check in media.extractor library

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: January 4, 2022
Disclosure status: Privately disclosed.
Improper boundary check in media.extractor library prior to SMR Apr-2022 Release 1 allows attackers to cause denial of service via a crafted media file.
The patch adds proper boundary check logic to prevent out of bounds read.


SVE-2022-0085(CVE-2022-27833): Improper input validation in DSP driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12) devices with Exynos 2100, 9830, 980 chipsets
Reported on: January 7, 2022
Disclosure status: Privately disclosed.
Improper input validation in DSP driver prior to SMR Apr-2022 Release 1 allows out-of-bounds write by integer overflow.
The patch adds proper validation logic to prevent integer overflow.


SVE-2022-0107(CVE-2022-27834): Use after free vulnerability in dsp_context_unload_graph function of DSP driver

Severity: Moderate
Affected versions: Q(10), R(11), S(12) devices with Exynos 2100, 9830, 980 chipsets
Reported on: January 10, 2022
Disclosure status: Privately disclosed.
Use after free vulnerability in dsp_context_unload_graph function of DSP driver prior to SMR Apr-2022 Release 1 allows attackers to perform malicious actions.
The patch adds proper mutual exclusion check logic to prevent use after free.


SVE-2022-0136(CVE-2022-27835): Improper boundary check in UWB firmware

Severity: High
Affected versions: S(12)
Reported on: January 13, 2022
Disclosure status: Privately disclosed.
Improper boundary check in UWB firmware prior to SMR Apr-2022 Release 1 allows arbitrary memory write.
The patch adds proper boundary check logic to prevent arbitrary memory write.


SVE-2022-0137(CVE-2022-27836): Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service

Severity: High
Affected versions: S(12)
Reported on: January 13, 2022
Disclosure status: Privately disclosed.
Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allows local attackers to access arbitrary system files without a proper permission.
The patch adds proper validation logic to prevent arbitrary file access.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

KRISHAN KUMAR: SVE-2021-22904
Harsh Tyagi: SVE-2021-23217
Xia Guangshuai: SVE-2021-23296, SVE-2022-0137
h0rd7: SVE-2021-23602
Elias Schröder: SVE-2021-23949
mart1n and zraxx, both from school of cyber science and technology from Zhejiang University: SVE-2021-23951, SVE-2021-24382
Dawuge of Pangu Team: SVE-2021-24106, SVE-2021-24107, SVE-2021-24108, SVE-2021-24109, SVE-2021-24110, SVE-2021-24224, SVE-2021-24225, SVE-2021-24226
Hao Zhou, Xiapu Luo from PolyU, Haoyu Wang from BUPT, and Yajin Zhou from ZJU: SVE-2021-24352
Qing Zhang: SVE-2021-24421
Kiwan Ko of STEALIEN: SVE-2022-0006, SVE-2022-0007, SVE-2022-0008, SVE-2022-0021, SVE-2022-0022
Michał Bednarski: SVE-2022-0011
Seonung Jang(@IFdLRx4At1WFm74) of DataFlow Security(@dfsec_com): SVE-2022-0085, SVE-2022-0107
Martin Heyden: SVE-2022-0136

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – March 2022 package. The Bulletin (March 2022) contains the following CVE items:

Critical
CVE-2021-30317, CVE-2021-39708

High
CVE-2021-35068,CVE-2021-35077,CVE-2021-35074,CVE-2021-35075,CVE-2021-30323,CVE-2021-30309,CVE-2021-30326,CVE-2021-30322,CVE-2021-30318,CVE-2021-35069,CVE-2021-39692,CVE-2021-39693,CVE-2021-39695,CVE-2021-39697,CVE-2021-39624,CVE-2021-39690,CVE-2021-39667,CVE-2021-0957,CVE-2021-39701,CVE-2021-39702,CVE-2021-39703,CVE-2021-39704,CVE-2021-39706,CVE-2021-39707,CVE-2021-39709,CVE-2021-32484,CVE-2021-32485,CVE-2021-32486,CVE-2021-32487

Moderate
CVE-2021-1024,CVE-2021-0978,CVE-2021-0983,CVE-2021-0988,CVE-2021-1013,CVE-2021-1030,CVE-2021-1031,CVE-2021-1003,CVE-2021-0998,CVE-2021-1016,CVE-2021-0989,CVE-2021-0990,CVE-2021-0991,CVE-2021-0994,CVE-2021-0996,CVE-2021-1012,CVE-2021-1025,CVE-2021-1008,CVE-2021-39689

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2022-20025,CVE-2022-20027,CVE-2022-20028,CVE-2022-20026,CVE-2021-39672,CVE-2021-39635,CVE-2021-39658,CVE-2021-39616,CVE-2022-20024,CVE-2021-39631,CVE-2021-39699,CVE-2021-39705


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 17 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR Mar-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-22380(CVE-2022-24928): Security misconfiguration of RKP in some devices

Severity: High
Affected versions: Selected R(11) devices
Reported on: June 30, 2021
Disclosure status: Privately disclosed.
Security misconfiguration of RKP in kernel prior to SMR Mar-2022 Release 1 allows a system not to be protected by RKP.
The patch enables the flag for RKP protection.


SVE-2021-23162(CVE-2022-24929): Change the list of locked app without authentication in AppLock.

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: September 6, 2021
Disclosure status: Privately disclosed.
Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows an attacker to change the list of locked apps without authentication.
The patch protects the activity by setting exported to false.


SVE-2021-23570(CVE-2022-24930): Improper access control vulnerability in StRetailModeReceiver

Severity: Moderate
Affected versions: Wear OS 3.0
Reported on: October 12, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to SMR MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission.
The patch adds proper protection to prevent unintended access by unauthorized applications.


SVE-2021-23580(CVE-2022-24931): Improper access control vulnerability in ApkInstaller

Severity: High
Affected versions: Q(10), R(11)
Reported on: October 13, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission.
The patch removes logic to execute activity in unauthorized app.


SVE-2021-23591(CVE-2022-24932): Improper Protection of Alternate Path vulnerability in Setup wizard process

Severity: Moderate
Affected versions: Q(10), R(11), S(12) and Samsung Cloud prior to 5.1.0.8
Reported on: October 14, 2021
Disclosure status: Privately disclosed.
Improper protection of alternate path in Setup wizard process prior to SMR Mar-2022 Release 1 allows a physical attacker to install a package before completion of the Setup wizard.
The patch blocks the entry point of the vulnerability.


SVE-2021-23609(CVE-2022-25814): PendingIntent hijacking vulnerability in Wearable Manager Installer

Severity: High
Affected versions: R(11), S(12)
Reported on: October 17, 2021
Disclosure status: Privately disclosed.
PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
The patch addresses the Intent in Wearable Manager Installer to prevent unprivileged access.


SVE-2021-23642(CVE-2022-25815): PendingIntent hijacking vulnerability in Weather application

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: October 20, 2021
Disclosure status: Privately disclosed.
PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
The patch addresses the Intent in Weather application to prevent unprivileged access.


SVE-2021-23866(CVE-2022-25816): Improper authentication in Samsung Lock and mask apps setting

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: November 7, 2021
Disclosure status: Privately disclosed.
Improper authentication in Samsung Lock and mask apps setting prior to SMR Mar-2022 Release 1 allows an attacker to change the enable/disable configuration without authentication.
The patch adds proper protection to prevent change of enable/disable feature without authentication.


SVE-2021-24036(CVE-2022-25817): Improper authentication in One UI Home

Severity: Moderate
Affected versions: Q(10), R(11)
Reported on: November 26, 2021
Disclosure status: Privately disclosed.
Improper authentication in One UI Home prior to SMR Mar-2022 Release 1 allows an attacker to generate a pinned shortcut without user consent.
The patch protects the activity by setting exported to false.


SVE-2021-24090(CVE-2022-25818): Improper boundary check in UWB stack

Severity: High
Affected versions: S(12)
Reported on: November 30, 2021
Disclosure status: Privately disclosed.
Improper boundary check in UWB stack prior to SMR Mar-2022 Release 1 allows arbitrary code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-24247(CVE-2022-25819): OOB read vulnerability in hdcp2 device node

Severity: Low
Affected versions: Selected Q(10), R(11), S(12) Exynos devices
Reported on: December 12, 2021
Disclosure status: Privately disclosed.
Out-of-Bound (OOB) read vulnerability in hdcp2 device node prior to SMR Mar-2022 Release 1 allows an attacker to have limited access to non-initialized Kernel stack memory.
The patch adds proper boundary check to prevent out-of-bounds memory read.


SVE-2021-24283(CVE-2022-25820): Vulnerable design in fingerprint matching algorithm

Severity: Moderate
Affected versions: Select R(11), S(12) devices
Reported on: December 15, 2021
Disclosure status: Privately disclosed.
Vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform a brute force attack on the screen lock password.
The patch redesigns the failure count algorithm to prevent brute force attacks.


SVE-2021-24307(CVE-2022-25821): Improper use of SMS buffer pointer in Shannon baseband

Severity: Low
Affected versions: Q(10), R(11), S(12) devices with Exynos CP chipsets
Reported on: December 17, 2021
Disclosure status: Privately disclosed.
Improper use of SMS buffer pointer in Shannon baseband prior to SMR Mar-2022 Release 1 allows OOB read.
The patch addressed the issue.


SVE-2021-24397(CVE-2022-25822): Use after free vulnerability in sdp driver

Severity: Moderate
Affected versions: Select Q(10), R(11), S(12) devices with Exynos and Qualcomm chipsets
Reported on: December 27, 2021
Disclosure status: Privately disclosed.
Use after free vulnerability in sdp driver prior to SMR Mar-2022 Release 1 allows deadlock to result in kernel crash.
The patch added additional locking to prevent deadlock.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

leafish: SVE-2021-22380
Harsh Tyagi: SVE-2021-23162, SVE-2021-23866
Yu-Cheng Lin: SVE-2021-23570
Dawn Security Lab, JD.com: SVE-2021-23580
SeungHyun Cho (@netkingj): SVE-2021-23591
h0rd7: SVE-2021-23609, SVE-2021-23642
TerrorBlade: SVE-2021-24036
Martin Heyden: SVE-2021-24090
Kiwan Ko of STEALIEN: SVE-2021-24247
alohachen: SVE-2021-24283
Nevv and Vang3lis @VARAS: SVE-2021-24307
Seonung Jang of STEALIEN: SVE-2021-24397


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – February 2022 package. The Bulletin (February 2022) contains the following CVE items:

Critical
CVE-2021-30285, CVE-2021-39675

High
CVE-2021-30353, CVE-2021-39633, CVE-2021-30301, CVE-2021-30287, CVE-2021-30311, CVE-2021-30308, CVE-2021-30307, CVE-2021-30300, CVE-2021-31346, CVE-2021-31889, CVE-2021-31890, CVE-2021-31345, CVE-2021-40148, CVE-2021-0959, CVE-2021-39619, CVE-2021-39663, CVE-2021-39676, CVE-2021-39664, CVE-2020-13112, CVE-2020-13113, CVE-2021-39665, CVE-2021-39666, CVE-2021-39668, CVE-2021-39669, CVE-2021-39671, CVE-2021-39674, CVE-2021-41990, CVE-2021-41991

Moderate
CVE-2021-0981, CVE-2021-0984, CVE-2021-0979, CVE-2021-0982, CVE-2021-0986, CVE-2021-0993, CVE-2021-0976, CVE-2021-0977, CVE-2021-0999, CVE-2021-1017, CVE-2021-0997, CVE-2021-1006, CVE-2021-1004, CVE-2021-0995, CVE-2021-0922

Already included in previous updates
CVE-2021-39634, CVE-2021-1049, CVE-2021-30319, CVE-2021-0706, CVE-2021-1010

Not applicable to Samsung devices
None


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR Feb-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-23613 (CVE-2022-23427, CVE-2022-23999, CVE-2022-24000): PendingIntent hijacking vulnerability in SettingsReceiver

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: October 17, 2021
Disclosure status: Privately disclosed.
PendingIntent hijacking vulnerability in SettingsReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent.
The patch addresses the Intent in SettingsReceiver to prevent unprivileged access.


SVE-2021-23598 (CVE-2022-23426, CVE-2022-27837): PendingIntent hijacking vulnerability in DeX Home, DeX for PC and Accessibility

Severity: High
Affected versions: Q(10), R(11), Accessibility prior to 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0)
Reported on: October 15, 2021
Disclosure status: Privately disclosed.
A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 and Accessibility prior to 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attackers to access files with system privilege.
The patch addresses the Intent in DeX Home, DeX for PC and Accessibility to prevent unprivileged access.


SVE-2021-23582 (CVE-2022-23425): LTE NAS Authentication Bypass

Severity: Critical
Affected versions: Q(10), R(11), S(12) with select Exynos devices
Reported on: November 26, 2021
Disclosure status: Privately disclosed.
Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with a fake base station.
The patch fixes the logic that parses the NAS signaling messages.


SVE-2021-24038 (CVE-2022-22292): Arbitrary activity start in Telecom

Severity: High
Affected versions: Q(10), R(11), S(12)
Reported on: November 27, 2021
Disclosure status: Privately disclosed.
Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release 1 allows untrusted applications to launch arbitrary activity.
The patch adds a proper permission for dynamic receiver.


SVE-2021-23585 (CVE-2022-22291): Logging of excessive data vulnerability in telephony

Severity: Moderate
Affected versions: Q(10), R(11), S(12)
Reported on: October 13, 2021
Disclosure status: Privately disclosed.
Logging of excessive data vulnerability in telephony prior to SMR Feb-2022 Release 1 allows privileged attackers to get Cell Location Information through log of user device.
The patch prevents Cell Location Information from being logged on the commercial binary.


SVE-2021-23987 (CVE-2022-23428): Arbitrary memory write vulnerability in eden_runtime hal service

Severity: High
Affected versions: Q(10), R(11), S(12) devices with selected Exynos chipsets
Reported on: November 21, 2021
Disclosure status: Privately disclosed.
An improper boundary check in eden_runtime hal service prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-24076 (CVE-2022-23429): Invalid memory read vulnerability in audio hal service

Severity: Low
Affected versions: Q(10), R(11), S(12)
Reported on: November 21, 2021
Disclosure status: Privately disclosed.
An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory, which leads to an application crash.
The patch adds proper validation logic to prevent invalid memory read.


SVE-2021-23643 (CVE-2022-23431): Global buffer overflow in RPMB ldfw

Severity: Critical
Affected versions: Q(10), R(11), S(12) devices with selected Exynos chipsets
Reported on: October 20, 2021
Disclosure status: Privately disclosed.
An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-23584 (CVE-2022-23432): Unchecked IRQ index in RPMB ldfw

Severity: Critical
Affected versions: Q(10), R(11), S(12) devices with selected Exynos chipsets
Reported on: October 13, 2021
Disclosure status: Privately disclosed.
An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-23572(CVE-2022-23995): Unprotected component vulnerability in StBedtimeModeAlarmReceiver

Severity: Moderate
Affected versions: Wear OS 3.0
Reported on: October 12, 2021
Disclosure status: Privately disclosed.
Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
The patch adds proper protection to prevent unintended access by unauthorized applications.


SVE-2021-23573(CVE-2022-23996): Unprotected component vulnerability in StTheaterModeReceiver

Severity: Moderate
Affected versions: Wear OS 3.0
Reported on: October 12, 2021
Disclosure status: Privately disclosed.
Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.
The patch adds proper protection to prevent unintended access by unauthorized applications.


SVE-2021-23571(CVE-2022-23994): Improper access control vulnerability in StBedtimeModeReceiver

Severity: Moderate
Affected versions: Wear OS 3.0
Reported on: October 12, 2021
Disclosure status: Privately disclosed.
Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
The patch adds proper permission check in StBedtimeModeReceiver to prevent unauthorized applications from changing bedtime mode.


SVE-2021-23578(CVE-2022-23997): Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver

Severity: Moderate
Affected versions: Wear OS 3.0
Reported on: October 13, 2021
Disclosure status: Privately disclosed.
Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission.
The patch adds proper protection to prevent unintended access by unauthorized applications.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

h0rd7: SVE-2021-23613, SVE-2021-23598
Eunsoo Kim of KAIST, CheolJun Park of KAIST: SVE-2021-23582
Ryan Johnson of Kryptowire: SVE-2021-24038
Rahul Kankrale: SVE-2021-23585
tomz: SVE-2021-23987, SVE-2021-24076
Federico Menarini and Martijn Bogaard of Riscure: SVE-2021-23643, SVE-2021-23584
Yu-Cheng Lin: SVE-2021-23571, SVE-2021-23572, SVE-2021-23573, SVE-2021-23578


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2022 package. The Bulletin (January 2022) contains the following CVE items:

Critical
CVE-2021-30275, CVE-2021-30276

High
CVE-2021-30270, CVE-2021-30279, CVE-2021-30278, CVE-2021-30269, CVE-2021-30283, CVE-2021-1918, CVE-2021-30274, CVE-2021-30272, CVE-2021-30282, CVE-2021-30271, CVE-2021-1894, CVE-2020-11263, CVE-2021-33909, CVE-2021-30337, CVE-2021-30335, CVE-2021-30262, CVE-2021-30267, CVE-2021-30293, CVE-2021-30273, CVE-2021-30289, CVE-2021-30268, CVE-2021-30336, CVE-2021-30303, CVE-2020-0368, CVE-2021-0971, CVE-2021-39630, CVE-2021-39632, CVE-2020-0338, CVE-2021-39623, CVE-2021-39620, CVE-2021-39626, CVE-2021-39629, CVE-2021-0643, CVE-2021-39628, CVE-2021-39659

Moderate
CVE-2021-0961, CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, CVE-2021-0673

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2021-30351, CVE-2021-0675, CVE-2021-0904, CVE-2021-38204, CVE-2021-39618, CVE-2021-39621, CVE-2021-39622, CVE-2021-39625, CVE-2021-39627


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR Jan-2022 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-23353 (CVE-2022-22263): Arbitrary activity start in SecSettings

Severity: Moderate
Affected versions: Select R(11.0) devices
Reported on: September 24, 2021
Disclosure status: Privately disclosed.
Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Release 1 allows untrusted applications to launch arbitrary activity.
The patch adds a proper permission for dynamic receiver.


SVE-2021-23054 (CVE-2022-22264): Arbitrary file access vulnerability in Dressroom

Severity: High
Affected versions: Q(10.0), R(11.0), S(12.0)
Reported on: August 25, 2021
Disclosure status: Privately disclosed.
Improper sanitization of incoming intent in Dressroom prior to SMR Jan-2022 Release 1 allows local attackers to read and write arbitrary files without permission.
The patch sanitizes incoming Intent before using it.


SVE-2021-23365 (CVE-2022-22265): Use-After-Free bug in NPU driver

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets
Reported on: September 25, 2021
Disclosure status: Privately disclosed.
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.
The patch adds proper check of exceptional conditions logic to prevent Use-After-Free.


SVE-2021-23023 (CVE-2022-22266): Wifi scan result leak via the exported TencentWifiSecurity service

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 20, 2021
Disclosure status: Privately disclosed.
(Applicable to China models only) Unprotected WifiEvaluationService in TencentWifiSecurity application prior to SMR Jan-2022 Release 1 allows untrusted applications to get WiFi information without proper permission.
The patch adds proper protection to prevent unintended access by other applications.


SVE-2021-23088 (CVE-2022-22267): Implicit Intent hijacking in ActivityMetricsLogger

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0)
Reported on: August 29, 2021
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information.
The patch changes implicit Intent to explicit Intent to prevent unprivileged access to running application information.


SVE-2021-23254 (CVE-2022-22268): Temporary bypass of Knox Guard via Samsung DeX

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0)
Reported on: September 14, 2021
Disclosure status: Privately disclosed.
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporarily unlock the Knox Guard via Samsung DeX mode.
The patch blocks Samsung DeX mode when KnoxGuard is locked.


SVE-2021-23364 (CVE-2022-22269): Local Bluetooth MAC address leak

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: September 25, 2021
Disclosure status: Privately disclosed.
Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address.
The patch removes a local Bluetooth MAC address from the unprotected provider.


SVE-2021-23422 (CVE-2022-22270): Contacts information leak via hijacking implicit intent

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: September 30, 2021
Disclosure status: Privately disclosed.
An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan-2022 Release 1 allows unprivileged applications to access contact information.
The patch changes implicit Intent to explicit Intent to prevent unprivileged access to contact.


SVE-2021-23664 (CVE-2022-22271): Arbitrary pointer dereference in TIMA TA

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: October 21, 2021
Disclosure status: Privately disclosed.
A missing input validation before memory copy in TIMA trustlet prior to SMR Jan-2022 Release 1 allows attackers to copy data from arbitrary memory.
The patch adds a proper input check to prevent arbitrary memory access.


SVE-2021-23486 (CVE-2022-22272): Improper authorization in TelephonyManager

Severity: Moderate
Affected versions: Q(10.0), R(11.0), S(12.0)
Reported on: October 6, 2021
Disclosure status: Privately disclosed.
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PERMISSION.
The patch applies the proper permission.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Dawn Security Lab, JD.com: SVE-2021-23353, SVE-2021-23054
Seonung Jang of STEALIEN: SVE-2021-23365
XiaGuangshuai in Wuheng Lab of ByteDance: SVE-2021-23023, SVE-2021-23088, SVE-2021-23364, SVE-2021-23486
양성조: SVE-2021-23254
TerrorBlade: SVE-2021-23422
Sergei Volokitin: SVE-2021-23664