Samsung patches security vulnerability in Exynos-based Galaxy devices


Reports of security vulnerabilities in consumer devices appear almost daily. Google formed a team named Project Zero to find such flaws, and that team has found some severe 0-day vulnerabilities in the Exynos modem. The vulnerabilities affect various Exynos-based Galaxy smartphones and wearables, as well as Pixel 6 and Pixel 7 devices. Let's take a look.

As mentioned above, many devices built on Samsung's Exynos chips are prone to nearly 18 vulnerabilities, which affect some Galaxy S, Galaxy A, and Galaxy M series devices. Galaxy devices that are affected by these vulnerabilities are listed below.

There is one problem, however: security researchers are unable to disclose these vulnerabilities until they are resolved. What's worse, Samsung doesn't seem to be concerned about them. More than 90 days have passed since the report came to the fore, and the South Korean firm should have provided patches by now, but that has not happened. Pixel 7 devices, however, have received a patch.

As Samsung hasn't provided any patch for this issue, anyone using one of the affected devices should turn off Wi-Fi calling and VoLTE (Voice-over-LTE) and install the latest security patch.


In the March 2023 security patch, Samsung addressed five of the eighteen 0-day vulnerabilities that were discovered in Exynos modems. These vulnerabilities were identified as CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076. However, one vulnerability, CVE-2023-24033, which Samsung Semiconductor mentioned back in January, may still remain unpatched and has passed Project Zero's standard 90-day deadline.

It is worth noting that the remaining twelve vulnerabilities have not yet passed the 90-day deadline and have not been assigned CVE-IDs for security reasons. It is unclear whether these vulnerabilities have been patched or not, and for the time being, they remain undisclosed.

Furthermore, Samsung Semiconductor has updated its advisories and removed the Exynos W920 SoC as an affected chip, and Project Zero has followed suit. Overall, Samsung users need to update their devices with the latest security patch to protect themselves from potential security threats.

Samsung responded on the matter: “At the end of last year, we received a security issue notification for Google Project Zero, and Samsung has provided all customers with a patch version for this vulnerability, and the related issues have now been resolved.”
