Samsung’s Galaxy updates—or lack thereof—have been making headlines all through October, with the frustrating delay to One UI 7 and Android 15 confirmed at SDC. There was also a warning from Google that attacks had exploited vulnerabilities in Samsung’s own chipsets, urging users to apply October’s security update.
But while Samsung was quick to patch the risks in its own Exynos processors in October, the critical question for Galaxy users will be whether November’s monthly security release, due imminently, will patch another vulnerability now under attack.
This warning impacts multiple Qualcomm chipsets, with the manufacturer advising that “there are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation.” It says it made fixes available to device OEMs in September and has urged them to deploy those patches “on released devices as soon as possible.” Amnesty has also weighed in on this, suggesting targeted attacks on reporters, dissidents and activists.
This active exploitation prompted the US cybersecurity agency to add CVE-2024-43047 to its Known Exploited Vulnerability catalog, mandating all federal employees to update their devices. CISA warned that “multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.” A use-after-free occurs when a block of dynamically allocated memory is released but a pointer to it is not cleared, so the stale pointer can still be used after that memory has been reassigned, giving malicious code a route to read or alter it.
This vulnerability was not patched in the October releases from either Android or Samsung, but a fix is likely to be included in November’s Android update. Interestingly, this means all users will miss the CISA update deadline of October 29.
The risk for Samsung users is that recent Qualcomm updates have only been made available to Galaxy users a month after appearing in the Android security bulletin, which would leave Galaxy devices vulnerable until December. Samsung warns that “some patches to be received from chipset vendors may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.”
Samsung told me it “takes security issues very seriously. We are aware of the report regarding potential vulnerabilities in some of Qualcomm’s chipsets and have been working with Qualcomm to address this issue. We have started rolling out security updates since October, but updates may continue being released at a later date, which will vary by network provider or model. We always recommend that users keep their devices up-to-date with the latest software updates.”
When that update is released, you should check for CVE-2024-43047 in the list of fixes, and also that your device is on the monthly update schedule. If it is not, and if you have reason for concern over spyware or other phone compromises, you should take especial care given the Google and Amnesty warnings.
The above list of affected chipsets is extensive, but it will be the various generations of Snapdragon including the Snapdragon 8 (Gen 1) that will be of particular note, impacting several Samsung devices. You can check whether yours is on that list here.
Updated on October 29 with Samsung’s comments.