
Security Updates

We truly appreciate the following security researchers for helping us improve the security of our mobile applications, wearable devices and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release security patches as soon as possible to all applicable devices and services, the release time of security patches may vary depending on the device version and model or the service version.


Android Applications Updates

SVE-2022-2478(CVE-2023-21505): Improper access control in Samsung Core Service

Severity: Moderate
Resolved version: 2.1.00.36
Reported on: October 14, 2022
Description: Improper access control in Samsung Core Service prior to version 2.1.00.36 allows an attacker to write an arbitrary file in the sandbox.
The patch adds proper access control logic.
Acknowledgement: Stealth Assassin


SVE-2023-0313(CVE-2023-21506): Out-of-bounds Write vulnerability in bc_tui trustlet from Samsung Blockchain Keystore

Severity: Critical
Resolved version: 1.3.12.1
Reported on: February 23, 2023
Description: Out-of-bounds Write vulnerability while processing the BC_TUI_CMD_SEND_RESOURCE_DATA_ARRAY command in the bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to execute arbitrary code.
The patch adds a proper boundary check to prevent arbitrary code execution.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


SVE-2023-0348(CVE-2023-21507): Out-of-bounds Read vulnerability in bc_tui trustlet from Samsung Blockchain Keystore

Severity: Critical
Resolved version: 1.3.12.1
Reported on: March 1, 2023
Description: Out-of-bounds Read vulnerability while processing the BC_TUI_CMD_SEND_RESOURCE_DATA_ARRAY command in the bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to read arbitrary memory.
The patch adds a proper boundary check to prevent arbitrary memory read.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


SVE-2023-0361(CVE-2023-21508): Out-of-bounds Write vulnerability in bc_tui trustlet from Samsung Blockchain Keystore

Severity: Critical
Resolved version: 1.3.12.1
Reported on: March 3, 2023
Description: Out-of-bounds Write vulnerability while processing the BC_TUI_CMD_SEND_RESOURCE_DATA command in the bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to execute arbitrary code.
The patch adds a proper boundary check to prevent arbitrary code execution.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


SVE-2023-0365(CVE-2023-21509): Out-of-bounds Write vulnerability in bc_tui trustlet from Samsung Blockchain Keystore

Severity: Critical
Resolved version: 1.3.12.1
Reported on: March 4, 2023
Description: Out-of-bounds Write vulnerability while processing BC_TUI_CMD_UPDATE_SCREEN in the bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to execute arbitrary code.
The patch adds a proper boundary check to prevent arbitrary code execution.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


SVE-2023-0369(CVE-2023-21510): Out-of-bounds Read vulnerability in bc_tui trustlet from Samsung Blockchain Keystore

Severity: High
Resolved version: 1.3.12.1
Reported on: March 5, 2023
Description: Out-of-bounds Read vulnerability while processing BC_TUI_CMD_UPDATE_SCREEN in the bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to read arbitrary memory.
The patch adds a proper boundary check to prevent arbitrary memory read.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


SVE-2023-0405(CVE-2023-21511): Out-of-bounds Read vulnerability in bc_core trustlet from Samsung Blockchain Keystore

Severity: High
Resolved version: 1.3.12.1
Reported on: March 9, 2023
Description: Out-of-bounds Read vulnerability while processing CMD_COLDWALLET_BTC_SET_PRV_UTXO in the bc_core trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows a local attacker to read arbitrary memory.
The patch adds a proper boundary check to prevent arbitrary memory read.
Acknowledgement: Lumine, Markak, F4lt, and Kang from Certik Skyfall Team


Android Applications Updates

SVE-2022-2669(CVE-2023-21481): Improper URL input validation vulnerability in Samsung Account

Severity: High
Resolved version: 14.1.0.0
Reported on: November 10, 2022
Description: Improper URL input validation vulnerability in Samsung Account application prior to version 14.1.0.0 allows remote attackers to get sensitive information.
The patch adds proper URL input validation.
Acknowledgement: hackhackdump


SVE-2022-3068(CVE-2023-21482): Missing Authorization in Camera

Severity: Moderate
Resolved version: 11.1.02.18 in Android 11, 12.1.03.8 in Android 12 and 13.1.01.4 in Android 13
Reported on: December 30, 2022
Description: Missing authorization vulnerability in Camera prior to versions 11.1.02.18 in Android 11, 12.1.03.8 in Android 12 and 13.1.01.4 in Android 13 allows physical attackers to install a package through Galaxy Store before completion of the Setup wizard.
The patch blocks the entry point of the vulnerability.
Acknowledgement: SeungHyun Cho @netkingj


SVE-2023-0055(CVE-2023-21483): Improper Access Control vulnerability in Galaxy Store

Severity: Moderate
Resolved version: 4.5.53.6
Reported on: January 8, 2023
Description: Improper Access Control vulnerability in Galaxy Store prior to version 4.5.53.6 allows a local attacker to access protected data using an exported service.
The patch fixes the incorrect implementation of the unzip logic.
Acknowledgement: Dawuge of Pangu Team


Android Applications Updates

SVE-2022-2106(CVE-2023-21462): Sensitive information exposure vulnerability in Quick Share Agent

Severity: Moderate
Resolved version: 3.5.14.18 in Android 12 and 3.5.16.20 in Android 13
Reported on: September 3, 2022
Description: Sensitive information exposure vulnerability in Quick Share Agent prior to versions 3.5.14.18 in Android 12 and 3.5.16.20 in Android 13 allows a local attacker to access the MAC address without the related permission.
The patch addresses the data exposure in Quick Share Agent.
Acknowledgement: dg


SVE-2022-2304(CVE-2023-21463): Improper access control vulnerability in MyFiles application

Severity: Moderate
Resolved version: 12.2.09.0 in Android 11, 13.1.03.501 in Android 12 and 14.1.03.0 in Android 13
Reported on: September 18, 2022
Description: Improper access control vulnerability in MyFiles application prior to versions 12.2.09.0 in Android 11, 13.1.03.501 in Android 12 and 14.1.03.0 in Android 13 allows a local attacker to get sensitive information of secret mode in the Samsung Internet application under specific conditions.
The patch deletes temporary files properly to prevent sensitive information exposure.
Acknowledgement: Harsh Tyagi


SVE-2022-2610(CVE-2023-21465): Improper access control vulnerability in Bixby Touch

Severity: Moderate
Resolved version: 3.2.02.5
Reported on: November 3, 2022
Description: Improper access control vulnerability in BixbyTouch prior to version 3.2.02.5 in China models allows untrusted applications to access local files.
The patch adds proper access control.
Acknowledgement: hackhackdump


SVE-2022-2744(CVE-2023-21464): Improper access control in Samsung Calendar

Severity: Moderate
Resolved version: 12.4.02.9000 in Android 13 and 12.3.08.2000 in Android 12
Reported on: November 22, 2022
Description: Improper access control in Samsung Calendar prior to versions 12.4.02.9000 in Android 13 and 12.3.08.2000 in Android 12 allows a local attacker to configure improper status.
The patch removes unnecessary code.
Acknowledgement: hackhackdump


Android Applications Updates

SVE-2022-0696(CVE-2023-21441): Insufficient Verification of Data Authenticity vulnerability in Routine

Severity: Moderate
Resolved version: 2.6.30.6 in Android Q(10), 3.1.21.10 in Android R(11) and 3.5.2.23 in Android S(12)
Reported on: March 22, 2022
Description: Insufficient Verification of Data Authenticity vulnerability in Routine prior to versions 2.6.30.6 in Android Q(10), 3.1.21.10 in Android R(11) and 3.5.2.23 in Android S(12) allows a local attacker to access protected files via unused code.
The patch deletes unused code.
Acknowledgement: Dawuge of Pangu Team


SVE-2022-1583(CVE-2023-21442): Improper access control vulnerability in Runestone application

Severity: Moderate
Resolved version: 2.9.09.003 in Android R(11) and 3.2.01.007 in Android S(12)
Reported on: June 29, 2022
Description: Improper access control vulnerability in Runestone application prior to versions 2.9.09.003 in Android R(11) and 3.2.01.007 in Android S(12) allows local attackers to get device location information.
The patch adds an explicit intent to prevent improper access.
Acknowledgement: hsia.angsh


SVE-2022-2370(CVE-2023-21444, CVE-2023-21443): Improper cryptographic implementation in Samsung Flow

Severity: High
Resolved version: Samsung Flow for Android 4.9.04, Samsung Flow for Windows 4.9.14.0
Reported on: September 27, 2022
Description: Improper cryptographic implementation in Samsung Flow for Android 4.9.04 and Samsung Flow for Windows 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.
The patch adds a proper cryptographic implementation.
Acknowledgement: Shai Shapira


SVE-2022-2398(CVE-2023-21445): Improper access control vulnerability in MyFiles

Severity: Moderate
Resolved version: 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13)
Reported on: September 30, 2022
Description: Improper access control vulnerability in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows a local attacker to write a file with MyFiles privilege via an implicit intent.
The patch adds proper access control to use explicit intent.
Acknowledgement: Oversecured Inc


SVE-2022-2399(CVE-2023-21446): Improper input validation in MyFiles

Severity: Moderate
Resolved version: 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13)
Reported on: September 30, 2022
Description: Improper input validation in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows a local attacker to access data of MyFiles.
The patch adds proper validation logic to prevent unauthorized access.
Acknowledgement: Oversecured Inc


SVE-2022-2477(CVE-2023-21447): Improper access control vulnerabilities in Samsung Cloud

Severity: Moderate
Resolved version: 5.3.0.32
Reported on: October 14, 2022
Description: Improper access control vulnerabilities in Samsung Cloud prior to version 5.3.0.32 allow local attackers to access information with Samsung Cloud's privilege via an implicit intent.
The patch adds proper access control.
Acknowledgement: Zhang Qing and Wang Kailong


SVE-2022-2585(CVE-2023-21448): Path traversal vulnerability in Samsung Cloud

Severity: Moderate
Resolved version: 5.3.0.32
Reported on: November 1, 2022
Description: Path traversal vulnerability in Samsung Cloud prior to version 5.3.0.32 allows an attacker to access a specific png file.
The patch adds proper validation logic to prevent access to the specific png file.
Acknowledgement: Dawuge of Pangu Team


SVE-2022-3019(CVE-2023-21450): Missing Authorization vulnerability in One Hand Operation +

Severity: Moderate
Resolved version: 6.1.21
Reported on: December 22, 2022
Description: Missing Authorization vulnerability in One Hand Operation + prior to version 6.1.21 allows multi-users to access the owner's widget without authorization via gesture setting.
The patch blocks access to One Hand Operation + contents for multi-users.
Acknowledgement: Louix Chazique


Android Applications Updates

SVE-2022-0884(CVE-2023-21431): Improper input validation in Bixby Vision

Severity: Moderate
Resolved version: 3.7.70.17
Reported on: April 8, 2022
Description: Improper input validation in Bixby Vision prior to version 3.7.70.17 allows an attacker to access data of Bixby Vision.
The patch adds proper validation logic to prevent unauthorized access.
Acknowledgement: Sergey Toshin


SVE-2022-1703(CVE-2023-21432): Improper access control vulnerabilities in Smart Things

Severity: Moderate
Resolved version: 1.7.93
Reported on: July 15, 2022
Description: Improper access control vulnerabilities in Smart Things prior to 1.7.93 allow an attacker to invite others without authorization of the owner.
The patch adds the proper validation of the owner location.
Acknowledgement: Martin Heyden


SVE-2022-2766(CVE-2023-21433): Improper access control vulnerability in Galaxy Store

Severity: High
Resolved version: 4.5.49.8
Reported on: November 25, 2022
Description: Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.
The patch adds proper permission to prevent unauthorized access.
Acknowledgement: Ken Gannon


SVE-2022-2854(CVE-2023-21434): Improper input validation in Galaxy Store

Severity: Moderate
Resolved version: 4.5.49.8
Reported on: December 5, 2022
Description: Improper input validation vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to execute JavaScript by launching a web page.
The patch changes logic to prevent arbitrary web page execution.
Acknowledgement: Ken Gannon


SVE-2022-2902(CVE-2023-21514): Improper access control vulnerability in Galaxy Store

Severity: Critical
Resolved version: 4.5.49.8
Reported on: December 7, 2022
Description: Improper scheme validation from InstantPlay Deeplink in Galaxy Store prior to version 4.5.49.8 allows attackers to execute a JavaScript API to install an APK from Galaxy Store.
This vulnerability was patched by adding proper scheme check logic.
Acknowledgement: Chim working with Zero Day Initiative


SVE-2022-2910(CVE-2023-21515): Improper access control vulnerability in Galaxy Store

Severity: Critical
Resolved version: 4.5.49.8
Reported on: December 8, 2022
Description: InstantPlay in Galaxy Store prior to version 4.5.49.8 included a vulnerable script that could execute JavaScript, which allows attackers to execute a JavaScript API to install an APK from Galaxy Store.
This vulnerability was patched by adding proper URL validation logic.
Acknowledgement: Interrupt Labs working with Zero Day Initiative


SVE-2022-2916(CVE-2023-21516): Improper access control vulnerability in Galaxy Store

Severity: Critical
Resolved version: 4.5.49.8
Reported on: December 9, 2022
Description: XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute a JavaScript API to install an APK from Galaxy Store.
This vulnerability was patched by adding proper URL validation logic.
Acknowledgement: Pentest working with Zero Day Initiative