Millions of Samsung Galaxy phones are now at risk from a severe chipset vulnerability, the second such warning in just the last few weeks. And while the latest monthly security update fixes one of those threats, the other remains open. The US government has told users to update their phones by Tuesday October 29; the bad news is that the deadline has arrived before the update has. Yes, you need to update your phone, but no, right now you can't.
Both vulnerabilities have prompted active-attack warnings. The first came from Google, which alerted Galaxy users that CVE-2024-44068 has been targeted as "part of an exploit chain" alongside other vulnerabilities. This is a use-after-free bug in Samsung's Exynos processors: a block of memory is released while the code still holds a pointer to it, and a later access through that stale pointer lets whatever now occupies the freed memory, including attacker-controlled data, stand in for the original object. It mostly affects older phones and was patched by Samsung in its October update.
The second alert came from Qualcomm and affects a wide range of mobile devices, not just Samsung's. But given Samsung's position as Android's dominant OEM, the impact on its install base will be the greatest. The issue is the same class of use-after-free memory vulnerability, and it too is reported as exploited in the wild.
Earlier this month, Qualcomm acknowledged “indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” confirming that fixes were made available to device OEMs in September. It urges OEMs to deploy those patches “on released devices as soon as possible.”
CISA, the US cybersecurity agency, added CVE-2024-43047 to its Known Exploited Vulnerabilities catalog, warning that "multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory." Federal civilian agencies have been directed to "apply remediations or mitigations per vendor instructions" by October 29, "or discontinue use of the product if remediation or mitigations are unavailable."
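To make the bug class concrete for both advisories (the Exynos use-after-free above and CISA's description of a DSP service that keeps "memory maps" alive after the backing memory is gone), here is an added example that is not code from Qualcomm, Samsung or Google. It models a hypothetical driver-style handle table: the vulnerable path frees a mapping but leaves the table entry pointing at freed memory and resolves handles by slot index alone, so a stale handle still resolves and, once the slot is reused, silently aliases the next caller's buffer. The hardened path clears the entry, tags each handle with a generation counter and refuses any handle whose generation no longer matches. All names (`map_create`, `map_lookup_hardened`, the slot and generation layout) are invented for illustration, and the table size is arbitrary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handle table standing in for a driver that keeps memory
 * maps alive on behalf of callers. Added example, not vendor code. */
#define MAP_SLOTS 4

struct map_entry {
    void    *buf;        /* backing allocation */
    size_t   len;
    uint32_t generation; /* incremented on every hardened release */
    int      in_use;
};

static struct map_entry table[MAP_SLOTS];

/* A handle packs the slot index in the low byte and the generation above it. */
static uint32_t make_handle(int slot, uint32_t gen) { return (gen << 8) | (uint32_t)slot; }
static int      handle_slot(uint32_t h)              { return (int)(h & 0xFF); }
static uint32_t handle_gen(uint32_t h)               { return h >> 8; }

/* Free every live buffer and zero the table (used between scenarios). */
void map_table_reset(void) {
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (table[i].in_use) free(table[i].buf);
        memset(&table[i], 0, sizeof table[i]);
    }
}

/* Allocate a mapping in the first free slot and return its handle. */
uint32_t map_create(size_t len) {
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].buf = calloc(1, len);
            table[i].len = len;
            table[i].in_use = 1;
            return make_handle(i, table[i].generation);
        }
    }
    return UINT32_MAX; /* table full */
}

/* Vulnerable: frees the buffer but leaves the entry pointing at it. */
void map_release_vulnerable(uint32_t h) {
    int slot = handle_slot(h);
    if (slot >= MAP_SLOTS || !table[slot].in_use) return;
    free(table[slot].buf);
    table[slot].in_use = 0;   /* buf now dangles; generation never moves */
}

/* Vulnerable: trusts the slot index alone, so a stale handle still resolves. */
void *map_lookup_vulnerable(uint32_t h) {
    int slot = handle_slot(h);
    if (slot >= MAP_SLOTS) return NULL;
    return table[slot].buf;
}

/* Hardened: verify the handle, clear the entry and bump the generation. */
void map_release_hardened(uint32_t h) {
    int slot = handle_slot(h);
    if (slot >= MAP_SLOTS || !table[slot].in_use) return;
    if (handle_gen(h) != table[slot].generation) return; /* stale handle */
    free(table[slot].buf);
    table[slot].buf = NULL;
    table[slot].len = 0;
    table[slot].in_use = 0;
    table[slot].generation++;
}

/* Hardened: a handle is valid only if the slot is live and generations match. */
void *map_lookup_hardened(uint32_t h) {
    int slot = handle_slot(h);
    if (slot >= MAP_SLOTS || !table[slot].in_use) return NULL;
    if (handle_gen(h) != table[slot].generation) return NULL;
    return table[slot].buf;
}

/* Returns 1 if a handle still resolves to a pointer after it was released. */
int stale_handle_resolves(int hardened) {
    map_table_reset();
    uint32_t h = map_create(64);
    if (hardened) map_release_hardened(h); else map_release_vulnerable(h);
    void *p = hardened ? map_lookup_hardened(h) : map_lookup_vulnerable(h);
    return p != NULL;
}

/* Returns 1 if a released handle aliases the next caller's buffer once the
 * slot is reused: the classic use-after-free turned into object confusion. */
int stale_handle_aliases_reuse(int hardened) {
    map_table_reset();
    uint32_t old = map_create(64);
    if (hardened) map_release_hardened(old); else map_release_vulnerable(old);
    uint32_t fresh = map_create(64); /* lands in the same slot */
    void *via_old = hardened ? map_lookup_hardened(old)   : map_lookup_vulnerable(old);
    void *via_new = hardened ? map_lookup_hardened(fresh) : map_lookup_vulnerable(fresh);
    return via_old != NULL && via_old == via_new;
}

int main(void) {
    printf("vulnerable: stale resolves=%d, aliases reused slot=%d\n",
           stale_handle_resolves(0), stale_handle_aliases_reuse(0));
    printf("hardened:   stale resolves=%d, aliases reused slot=%d\n",
           stale_handle_resolves(1), stale_handle_aliases_reuse(1));
    map_table_reset();
    return 0;
}
```

The vulnerable path never dereferences the freed buffer here, so the program runs cleanly; the point is that the lookup hands a dangling pointer back to the caller, which is exactly where a real driver would read or write through it. Note also that without a generation counter the recycled slot yields a handle numerically identical to the old one, so even a caller that "checks" its handle cannot tell the two apart.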
Put simply, that means update or stop using your phone. There is no update as yet for Samsung phones: CVE-2024-43047 wasn't included in the Android or Samsung October updates, so that deadline is impossible to meet. The fix is widely expected to arrive in Android's November security update, but there is a good chance Samsung Galaxy users will have to wait another month.
I have asked Samsung to confirm this will be addressed in November. Meantime, the company warns that “some patches to be received from chipset vendors may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.”
And so owners of Samsung models as recent as some Galaxy S23 devices are left in the impossible position of an update deadline they simply cannot meet. As I have said before, just make sure you check November's update as soon as it's released. Until then, the vulnerability remains a risk.
The better news for Samsung users might be new signs of life for the forthcoming One UI 7 beta, which finally brings Android 15 to Galaxy phones much later than expected. SamMobile has just reported that while the company didn’t reveal the beta at its recent US developer conference, “it appears that it could open the beta program at the SDC 2024 event in South Korea in November.”
Nothing confirmed as yet, but if that does happen it will generate huge levels of excitement as Android’s biggest OEM gets its biggest security update yet. Theft protection, live threat detection and private spaces could be on display soon.