
Security Updates

We truly appreciate the following security researchers for helping us improve the security of our mobile applications and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release the security patches as soon as possible to all applicable devices and services, the release time of security patches may vary depending on the device version and model or the service version.


SVE-2021-19144 (CVE-2021-25374): Samsung Members

Severity: High
Resolved Version: 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above
Reported on: October 4, 2020
Description: An improper authorization vulnerability in the Samsung Members “samsungrewards” deeplink scheme in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access user data related to Samsung Account.
Acknowledgement: Ken Gannon


SVE-2021-17083 (CVE-2021-25375): Samsung Email

Severity: High
Resolved Version: 6.1.41.0
Reported on: March 18, 2020
Description: Using a predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of other emails when users open a malicious attachment.
Acknowledgement: Juno Im


SVE-2021-18085 (CVE-2021-25376): Samsung Email

Severity: Moderate
Resolved Version: 6.1.41.0
Reported on: June 17, 2020
Description: Improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailboxes in plain text when STARTTLS negotiation fails.
Acknowledgement: Damian Poddebniak, Fabian Ising


SVE-2021-20637 (CVE-2021-25377): Samsung Experience Service

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.2.0.5 in Android Q(10.0) and above
Reported on: February 9, 2021
Description: Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) and below, and 12.2.0.5 in Android Q(10.0) and above allows an attacker to execute a privileged action.
Acknowledgement: Sergey Toshin


SVE-2021-20386 (CVE-2021-25378): SmartThings

Severity: Low
Resolved Version: 1.7.63.6
Reported on: January 19, 2021
Description: Improper access control of a certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
Acknowledgement: Zhongquan Li (CytQ) of Xiaomi AIoT Security Lab


SVE-2021-20601 (CVE-2021-25379): Gallery

Severity: Moderate
Resolved Version: 5.4.16.1
Reported on: February 5, 2021
Description: Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows an attacker to execute a privileged action.
Acknowledgement: Sergey Toshin


SVE-2021-19830 (CVE-2021-25380): Bixby

Severity: Moderate
Resolved Version: 3.0.53.02
Reported on: December 5, 2020
Description: Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows an attacker to execute the actions registered by the user.
Acknowledgement: Gregory DRAPERI


SVE-2021-19503 (CVE-2021-25381): Samsung Account

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above
Reported on: November 2, 2020
Description: Using an unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform an unauthorized action without permission by hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19656 (CVE-2021-25373): Customization Service

Severity: Moderate
Resolved Version: 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0)
Reported on: November 14, 2020
Description: Using an unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform an unauthorized action without permission by hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19543 (CVE-2021-25352): Bixby Voice

Severity: Moderate
Resolved Version: 3.0.52.14
Reported on: November 4, 2020
Description: Use of a PendingIntent with an implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute a privileged action by hijacking and modifying the intent.
Acknowledgement: hard_______


SVE-2021-19505 (CVE-2021-25354): Samsung Internet

Severity: Moderate
Resolved Version: 13.2.1.46
Reported on: November 3, 2020
Description: Improper input check in Samsung Internet prior to version 13.2.1.46 allows attackers to launch a non-exported activity in Samsung Browser via a malicious deeplink.
Acknowledgement: Ken Gannon


SVE-2021-18156 (CVE-2021-25353): Galaxy Themes

Severity: Moderate
Resolved Version: 5.2.00.1215
Reported on: June 25, 2020
Description: Using an empty PendingIntent in Galaxy Themes prior to version 5.2.00.1215 allows local attackers to read/write private file directories of the Galaxy Themes application without permission by hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19622 (CVE-2021-25349): Slow Motion Editor

Severity: Moderate
Resolved Version: 3.5.18.5 in Android Q(10.0)
Reported on: November 10, 2020
Description: Using an unsafe PendingIntent in Slow Motion Editor prior to version 3.5.18.5 allows local attackers to perform an unauthorized action without permission by hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-18944 (CVE-2021-25350): Samsung Account

Severity: Moderate
Resolved Version: 12.1.1.3 in Android Q(10.0)
Reported on: September 16, 2020
Description: Information exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via the log.
Acknowledgement: haiping


SVE-2021-18858 (CVE-2021-25351): Samsung Account

Severity: Moderate
Resolved Version: 10.7.07 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0)
Reported on: September 10, 2020
Description: Improper access control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out the user account on the device without the user's password.
Acknowledgement: Alexey Dorogin


SVE-2021-19533 (CVE-2021-25355): Samsung Notes

Severity: Moderate
Resolved Version: 4.2.00.22
Reported on: November 3, 2020
Description: Using an unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers to perform an unauthorized action without permission by hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-18723 (CVE-2021-25366): Samsung Internet

Severity: Low
Resolved Version: 13.2.1.70
Reported on: August 27, 2020
Description: Improper access control in Samsung Internet prior to version 13.2.1.70 allows physically proximate attackers to bypass the secret mode's authentication.
Acknowledgement: Harsh Tyagi


SVE-2021-19506 (CVE-2021-25367): Samsung Notes

Severity: Low
Resolved Version: 4.2.00.22
Reported on: November 3, 2020
Description: Path traversal vulnerability in Samsung Notes prior to version 4.2.00.22 allows attackers to access local files without permission.
Acknowledgement: Ken Gannon


SVE-2021-19530 (CVE-2021-25368): Samsung Cloud

Severity: Low
Resolved Version: 4.7.0.3
Reported on: November 3, 2020
Description: Hijacking vulnerability in Samsung Cloud prior to version 4.7.0.3 allows attackers to intercept when the provider is executed.
Acknowledgement: Zhongquan Li


SVE-2021-19532 (CVE-2021-25341): S Assistant

Severity: Low
Resolved Version: 6.5.01.22
Reported on: November 3, 2020
Description: Calling a non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions, including a denial of service attack, by hijacking the provider.
Acknowledgement: Zhongquan Li @ Xiaomi AIoT Security Lab


SVE-2021-19474 (CVE-2021-25348): Samsung Internet

Severity: Low
Resolved Version: 13.0.1.60
Reported on: October 30, 2020
Description: Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without the authorized STORAGE permission.
Acknowledgement: Abdulla Aldoseri


SVE-2021-18825 (CVE-2021-25331, CVE-2021-25332, CVE-2021-25333): Samsung Pay Mini

Severity: Moderate
Resolved Version: 4.0.14
Reported on: September 7, 2020
Description: Two moderate vulnerabilities and one low vulnerability with improper access control in the Samsung Pay mini application prior to v4.0.14 allow unauthorized access to sensitive information over the lockscreen under specific conditions.
Acknowledgement: Yogesh Anil Tantak


SVE-2021-18629 (CVE-2021-25342, CVE-2021-25343): SMP SDK, Samsung Members

Severity: Low
Resolved Version: SMP SDK[3.0.9], Samsung Members[2.4.81.13 in Android O(8.1) and below, and 3.8.00.13 in Android P(9.0) and above]
Reported on: August 11, 2020
Description: Calling a non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions, including a denial of service attack, by hijacking the provider.
Acknowledgement: mykola