close

Samsung Mobile Security and Cookies

Our site uses essential cookies only. You can read our Privacy Policy and Cookie Policy for more information.

close

Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text
Home>Security Updates>Firmware Updates

Security Updates

2025Open selected window by year

Close selected window by year
January February March April

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can be rest assured the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Acknowledgements

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – April 2025 package. The Bulletin (April 2025) contains the following CVE items:

Critical
CVE-2025-22429, CVE-2025-26416, CVE-2025-22423, CVE-2024-45551

High
CVE-2024-46852, CVE-2024-43051, CVE-2025-22413, CVE-2024-49836, CVE-2024-49838, CVE-2024-50302, CVE-2024-53011, CVE-2024-53024, CVE-2025-20644, CVE-2025-20645, CVE-2025-22416, CVE-2025-22417, CVE-2025-22422, CVE-2025-22424, CVE-2025-22426, CVE-2025-22434, CVE-2025-22437, CVE-2025-22438, CVE-2025-22442, CVE-2024-49722, CVE-2025-22421, CVE-2025-22430, CVE-2025-22431, CVE-2024-40653, CVE-2024-49720, CVE-2024-49730, CVE-2025-22427, CVE-2025-22428, CVE-2025-22432, CVE-2025-22433, CVE-2025-22435, CVE-2025-22439, CVE-2024-53150, CVE-2024-53197, CVE-2024-49848, CVE-2024-49728

Moderate
None

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2024-53014, CVE-2024-53025, CVE-2024-53027, CVE-2025-22418, CVE-2025-22419


※ Please see Android Security Bulletin for detailed information on Google patches.


Samsung Semiconductor patches are also included in this Security Maintenance Release with the following CVE item:

High
CVE-2025-22377

※ Please see Samsung Semiconductor Product Security Update for detailed information on Samsung Semiconductor patches.


Along with Google patches and Samsung Semiconductor patches, Samsung Mobile provides 21 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Apr-2025 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2024-1685(CVE-2025-20934): Improper access control in Sticker Center

Severity: Moderate
Affected versions: Android 14
Reported on: August 28, 2024
Disclosure status: Privately disclosed
Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege.
The patch adds proper access control.


SVE-2024-1695(CVE-2025-20935): Improper handling of insufficient permission or privileges in ClipboardService

Severity: High
Affected versions: Android 13, 14, 15
Reported on: August 29, 2024
Disclosure status: Privately disclosed
Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access files with system privilege. User interaction is required for triggering this vulnerability.
The patch adds proper access control.


SVE-2024-1795(CVE-2025-20936): Improper access control in HDCP trustlet

Severity: Critical
Affected versions: Select Android 13, 14, 15 devices
Reported on: September 13, 2024
Disclosure status: Privately disclosed
Improper access control in HDCP trustlet prior to SMR Apr-2025 Release 1 allows local attackers with shell privilege to escalate their privileges to root.
The patch adds proper access control.


SVE-2024-1920(CVE-2025-20938): Improper access control in SamsungContacts

Severity: Moderate
Affected versions: Android 14
Reported on: October 4, 2024
Disclosure status: Privately disclosed
Improper access control in SamsungContacts prior to SMR Apr-2025 Release 1 allows local attackers to access protected data in SamsungContacts.
The patch adds proper validation logic.


SVE-2024-2341(CVE-2025-20939): Improper authorization in wireless download protocol in Galaxy Watch

Severity: High
Affected versions: Android Watch 14
Reported on: December 13, 2024
Disclosure status: Privately disclosed
Improper authorization in wireless download protocol in Galaxy Watch prior to SMR Apr-2025 Release 1 allows physical attackers to update device unique identifier of Watch devices.
The patch adds proper authorization.


SVE-2024-2368(CVE-2025-20940): Improper handling of insufficient permission in Samsung Device Health Manager Service

Severity: Moderate
Affected versions: Android Watch 14
Reported on: December 17, 2024
Disclosure status: Privately disclosed
Improper handling of insufficient permission in Samsung Device Health Manager Service prior to SMR Apr-2025 Release 1 allows local attackers to access provider in SDMHS.
The patch declares proper permission.


SVE-2024-2403(CVE-2025-20941): Improper access control in InputManager

Severity: Moderate
Affected versions: Android 13, 14, 15
Reported on: December 21, 2024
Disclosure status: Privately disclosed
Improper access control in InputManager to SMR Apr-2025 Release 1 allows local attackers to access the scancode of specific input device.
The patch adds proper access control.


SVE-2024-2445(CVE-2025-20942): Improper verification of intent by broadcast receiver in DeviceIdService

Severity: Moderate
Affected versions: Select Android 13, 14, 15 devices
Reported on: December 25, 2024
Disclosure status: Privately disclosed
Improper verification of intent by broadcast receiver in DeviceIdService prior to SMR Apr-2025 Release 1 allows local attackers to reset OAID.
The patch adds access control.


SVE-2024-2455(CVE-2025-20943): Out-of-bounds write in secfr trustlet

Severity: High
Affected versions: Android 13, 14, 15
Reported on: December 26, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to cause memory corruption.
The patch adds proper input validation.


SVE-2024-2456(CVE-2025-20948): Out-of-bounds read in secfr trustlet

Severity: Moderate
Affected versions: Android 13, 14, 15
Reported on: December 26, 2024
Disclosure status: Privately disclosed
Out-of-bounds read in enrollment with cdsp frame secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to read out-of-bounds memory.
The patch adds proper input validation.


SVE-2025-0030(CVE-2025-20944): Out-of-bounds read in libsavsac.so

Severity: Moderate
Affected versions: Android 13, 14, 15
Reported on: January 7, 2025
Disclosure status: Privately disclosed
Out-of-bounds read in parsing audio data in libsavsac.so prior to SMR Apr-2025 Release 1 allows local attackers to read out-of-bounds memory.
The patch adds proper boundary check.


SVE-2025-0037(CVE-2025-20945): Improper access control in Galaxy Watch

Severity: Moderate
Affected versions: Android Watch 14
Reported on: January 8, 2025
Disclosure status: Privately disclosed
Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch.
The patch adds proper access control.


SVE-2025-0255(CVE-2025-20946): Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing

Severity: Moderate
Affected versions: Android Watch 14
Reported on: February 13, 2025
Disclosure status: Privately disclosed
Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific bluetooth devices without user interaction.
The patch adds proper handling for pairing bluetooth devices.


SVE-2025-0276(CVE-2025-20947): Improper handling of insufficient permission or privileges in ClipboardService

Severity: High
Affected versions: Android 13, 14, 15
Reported on: February 17, 2025
Disclosure status: Privately disclosed
Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access image files across multiple users. User interaction is required for triggering this vulnerability.
The patch adds proper access control.


SVE-2025-0383(CVE-2025-20952): Improper access control in Mdecservice

Severity: Moderate
Affected versions: Android 15
Reported on: February 9, 2025
Disclosure status: Privately disclosed
Improper access control in Mdecservice prior to SMR Apr-2025 Release 1 allows local attackers to access arbitrary files with system privilege.
The patch adds proper access control.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements
Dawuge: SVE-2025-0383, SVE-2024-1685
Sam of Honor Cyber Security Lab: SVE-2024-1695, SVE-2024-1920, SVE-2025-0276
Vincenzo Bonforte - @Bonfee1: SVE-2024-1795
WatchOut: SVE-2024-2341
localh0ster: SVE-2024-2368, SVE-2025-0037, SVE-2025-0255
Yuhui Cheng: SVE-2024-2403
Stealth Assassin: SVE-2024-2445
HBh25Y of shuffle team: SVE-2024-2455, SVE-2024-2456
Natalie Silvanovich: SVE-2025-0030
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – March 2025 package. The Bulletin (March 2025) contains the following CVE items:

Critical
CVE-2024-45569, CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, CVE-2025-22412, CVE-2025-22409, CVE-2025-0081

High
CVE-2024-38420, CVE-2024-38404, CVE-2024-47892, CVE-2024-43705, CVE-2024-49839, CVE-2024-49834, CVE-2024-49832, CVE-2024-49833, CVE-2025-0088, CVE-2024-53104, CVE-2024-46973, CVE-2024-52935, CVE-2024-39441, CVE-2025-20635, CVE-2025-20636, CVE-2024-20141, CVE-2024-20142, CVE-2025-0015, CVE-2024-0032, CVE-2024-43093, CVE-2025-0078, CVE-2025-0080, CVE-2024-43090, CVE-2025-0083, CVE-2025-0086, CVE-2024-49740, CVE-2023-21125, CVE-2025-0079, CVE-2025-22404, CVE-2025-22405, CVE-2025-22406, CVE-2025-0082, CVE-2025-26417, CVE-2025-0092, CVE-2025-0093, CVE-2025-22407, CVE-2025-22414, CVE-2025-22415

Moderate
None

Already included in previous updates
CVE-2024-45571

Not applicable to Samsung devices
CVE-2024-45582, CVE-2024-49843, CVE-2025-20634


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Mar-2025 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2024-2099(CVE-2025-20903): Improper access control in SecSettingsIntelligence

Severity: High
Affected versions: Android 12, 13, 14, 15
Reported on: November 2, 2024
Disclosure status: Privately disclosed
Improper access control in SecSettingsIntelligence prior to SMR Mar-2025 Release 1 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability.
The patch adds proper validation logic.


SVE-2024-2271(CVE-2025-20908): Use of insufficiently random values in Auracast

Severity: Moderate
Affected versions: Android 14, 15
Reported on: December 4, 2024
Disclosure status: Privately disclosed
Use of insufficiently random values in Auracast prior to SMR Mar-2025 Release 1 allows adjacent attackers to access Auracast broadcasting.
The patch improves the use of random values.


SVE-2024-2297(CVE-2025-20909): Use of implicit intent for sensitive communication in Settings

Severity: Moderate
Affected versions: Android 14
Reported on: December 7, 2024
Disclosure status: Privately disclosed
Use of implicit intent for sensitive communication in Settings prior to SMR Mar-2025 Release 1 allows local attackers to access sensitive information.
The patch adds proper validation.


SVE-2024-2340(CVE-2025-20910): Incorrect default permission in Galaxy Watch Gallery

Severity: Moderate
Affected versions: Android Watch 14
Reported on: December 13, 2024
Disclosure status: Privately disclosed
Incorrect default permission in Galaxy Watch Gallery prior to SMR Mar-2025 Release 1 allows local attackers to access data in Galaxy Watch Gallery.
The patch adds proper access control.


SVE-2024-2359(CVE-2025-20911): Improper access control in sem_wifi service

Severity: Moderate
Affected versions: Android Watch 14
Reported on: December 15, 2024
Disclosure status: Privately disclosed
Improper access control in sem_wifi service prior to SMR Mar-2025 Release 1 allows privileged local attackers to update MAC address of Galaxy Watch.
The patch adds proper access control.


SVE-2024-2448(CVE-2025-20912): Incorrect default permission in DiagMonAgent

Severity: Moderate
Affected versions: Android Watch 14
Reported on: December 25, 2024
Disclosure status: Privately disclosed
Incorrect default permission in DiagMonAgent prior to SMR Mar-2025 Release 1 allows local attackers to access data within Galaxy Watch.
The patch adds proper access control.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Sam of Honor Cyber Security Lab: SVE-2024-2099
Frieder Steinmetz, Dennis Heinze: SVE-2024-2271
011100101001: SVE-2024-2297
localh0ster: SVE-2024-2340, SVE-2024-2448
WatchOut: SVE-2024-2359
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – February 2025 package. The Bulletin (February 2025) contains the following CVE items:

Critical
CVE-2024-20154

High
CVE-2024-43704, CVE-2024-20143, CVE-2024-20144, CVE-2024-20145, CVE-2024-20105, CVE-2024-20140, CVE-2024-20146, CVE-2024-20148, CVE-2024-21464, CVE-2024-45553, CVE-2024-45558, CVE-2024-49721, CVE-2024-49743, CVE-2024-49746, CVE-2025-0097, CVE-2025-0098, CVE-2025-0099, CVE-2023-40122, CVE-2023-40133, CVE-2023-40134, CVE-2023-40135, CVE-2023-40136, CVE-2023-40137, CVE-2023-40138, CVE-2023-40139, CVE-2024-0037, CVE-2025-0100, CVE-2024-49741, CVE-2025-0094, CVE-2025-0091, CVE-2025-0095, CVE-2024-49723, CVE-2024-49729

Moderate
None

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2025-0096, CVE-2024-49731


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Feb-2025 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2024-2120(CVE-2025-20904): Out-of-bounds write in mPOS TUI trustlet

Severity: High
Affected versions: Android 12, 13, 14 devices using Qualcomm chipsets
Reported on: November 7, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in mPOS TUI trustlet prior to SMR Feb-2025 Release 1 allows local privileged attackers to cause memory corruption.
The patch adds proper input validation.


SVE-2024-2122(CVE-2025-20905): Out-of-bounds read and write in mPOS TUI trustlet

Severity: High
Affected versions: Android 12, 13, 14 devices using Qualcomm chipsets
Reported on: November 7, 2024
Disclosure status: Privately disclosed
Out-of-bounds read and write in mPOS TUI trustlet prior to SMR Feb-2025 Release 1 allows local privileged attackers to read and write out-of-bounds memory.
The patch adds proper input validation.


SVE-2024-2229(CVE-2025-20906): Improper Export of Android Application Components in Settings

Severity: High
Affected versions: Android Watch 14
Reported on: November 25, 2024
Disclosure status: Privately disclosed
Improper Export of Android Application Components in Settings prior to SMR Feb-2025 Release 1 allows local attackers to enable ADB.
The patch adds proper permission.


SVE-2024-2264(CVE-2025-20907): Improper privilege management in Samsung Find

Severity: Moderate
Affected versions: Android 12, 13 14
Reported on: December 3, 2024
Disclosure status: Privately disclosed
Improper privilege management in Samsung Find prior to SMR Feb-2025 Release 1 allows local privileged attackers to disable Samsung Find.
The patch adds proper privilege management.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
Dawuge of Shuffle Team: SVE-2024-2120, SVE-2024-2122
localh0ster: SVE-2024-2229
hsia.angsh: SVE-2024-2264
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2025 package. The Bulletin (January 2025) contains the following CVE items:

Critical
CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748

High
CVE-2024-43077, CVE-2024-43701, CVE-2024-33056, CVE-2024-33044, CVE-2024-43052, CVE-2024-49724, CVE-2024-49732, CVE-2024-49735, CVE-2024-49737, CVE-2024-49738, CVE-2024-49744, CVE-2024-49745, CVE-2024-49733, CVE-2024-49749, CVE-2024-34722, CVE-2024-34730, CVE-2024-43095, CVE-2024-43765, CVE-2024-49742, CVE-2024-49734, CVE-2024-43763, CVE-2024-49736

Moderate
None

Already included in previous updates
CVE-2024-20125

Not applicable to Samsung devices
CVE-2024-43048, CVE-2024-33063


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 22 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Jan-2025 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2024-0274(CVE-2025-20881): Out-of-bounds write in libsthmbc.so

Severity: High
Affected versions: Android 12, 13, 14
Reported on: February 2, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in accessing buffer storing the decoded video frames in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-0308(CVE-2025-20882): Out-of-bounds write in libsthmbc.so

Severity: High
Affected versions: Android 12, 13, 14
Reported on: February 7, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in accessing uninitialized memory for svc1td in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-1217(CVE-2025-20883): Improper access control in SoundPicker

Severity: High
Affected versions: Android 12, 13, 14
Reported on: May 29, 2024
Disclosure status: Privately disclosed
Improper access control in SoundPicker prior to SMR Jan-2025 Release 1 allows physical attackers to access data across multiple user profiles.
The patch adds proper access control.


SVE-2024-1527(CVE-2025-20884): Improper access control in Samsung Message

Severity: High
Affected versions: Android 12, 13, 14
Reported on: July 31, 2024
Disclosure status: Privately disclosed
Improper access control in Samsung Message prior to SMR Jan-2025 Release 1 allows physical attackers to access data across multiple user profiles.
The patch adds proper access control.


SVE-2024-1828(CVE-2025-20885): Out-of-bounds write in softsim trustlet

Severity: High
Affected versions: Select Android 12, 13, 14 devices
Reported on: September 19, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in softsim trustlet prior to SMR Jan-2025 Release 1 allows local privileged attackers to cause memory corruption.
The patch adds proper input validation.


SVE-2024-1834(CVE-2025-20886): Inclusion of sensitive information in test code in softsim trustlet

Severity: Moderate
Affected versions: Select Android 12, 13, 14 devices
Reported on: September 19, 2024
Disclosure status: Privately disclosed
Inclusion of sensitive information in test code in softsim trustlet prior to SMR Jan-2025 Release 1 allows local privileged attackers to get test key.
The patch removes test code.


SVE-2024-1875(CVE-2025-20893): Improper access control in NotificationManager

Severity: Moderate
Affected versions: Android 14
Reported on: September 25, 2024
Disclosure status: Privately disclosed
Improper access control in NotificationManager prior to SMR Jan-2025 Release 1 allows local attackers to change the configuration of notifications.
The patch adds proper access control.


SVE-2024-2153(CVE-2025-20887): Out-of-bounds read in libsthmbc.so

Severity: Moderate
Affected versions: Android 12, 13, 14
Reported on: November 12, 2024
Disclosure status: Privately disclosed
Out-of-bounds read in accessing table used for svp8t in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to read arbitrary memory. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-2154(CVE-2025-20888): Out-of-bounds write in libsthmbc.so

Severity: High
Affected versions: Android 12, 13, 14
Reported on: November 12, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in handling the block size for smp4vtd in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-2156(CVE-2025-20889): Out-of-bounds read in libsthmbc.so

Severity: Moderate
Affected versions: Android 12, 13, 14
Reported on: November 12, 2024
Disclosure status: Privately disclosed
Out-of-bounds read in decoding malformed bitstream for smp4vtd in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to read arbitrary memory. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-2157(CVE-2025-20890): Out-of-bounds write in libsthmbc.so

Severity: High
Affected versions: Android 12, 13, 14
Reported on: November 12, 2024
Disclosure status: Privately disclosed
Out-of-bounds write in decoding frame buffer in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.
The patch adds proper input validation.


SVE-2024-2158(CVE-2025-20891): Out-of-bounds read in libsthmbc.so

Severity: Moderate
Affected versions: Android 12, 13, 14
Reported on: November 12, 2024
Disclosure status: Privately disclosed
Out-of-bounds read in decoding malformed bitstream of video thumbnails in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to read arbitrary memory. User interaction is required for triggering this vulnerability.
The patch removed deprecated implementation.


SVE-2024-2171(CVE-2025-20892): Protection Mechanism Failure in bootloader

Severity: High
Affected versions: Select Android 13, 14 devices using MediaTek chipset
Reported on: November 14, 2024
Disclosure status: Privately disclosed
Protection Mechanism Failure in bootloader prior to SMR Jan-2025 Release 1 allows physical attackers to execute fastboot command. User interaction is required for triggering this vulnerability.
The patch enables Samsung bootloader feature.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements
ycmint working at ADLab of VenusTech: SVE-2024-1217
Sam of Honor Cyber Security Lab: SVE-2024-1527
tdx: SVE-2024-1828, SVE-2024-1834
hsia.angsh: SVE-2024-1875
Andrea Toska: SVE-2024-2171