Samsung releases July security update, still missing the fix for critical CVE-2024-32896
Take action: If you are using Samsung S series models, patch your operating system. Unfortunately, you are still not fully patched up, because Samsung hasn't implemented all fixes that are already deployed for Google Pixel. There is nothing much you can do except update the phone when new patches are released.
Samsung has released its July security update, but there's a significant issue that Galaxy device users need to be aware of—a critical vulnerability remains unaddressed. The flaw, which was the basis of June’s Pixel zero-day warning, has been patched for Pixel devices but not for Samsung devices.
The critical vulnerability, tracked as CVE-2024-32896 (CVSS score 7.8), remains unpatched on Samsung devices. Google had previously warned that this vulnerability “may be under limited, targeted exploitation,” and the US government mandated that federal employees update their Pixel devices by July 4 or discontinue use.
Another serious vulnerability that remains a threat to Samsung and other Android devices, CVE-2024-29745, is patched only on Google Pixels. It requires a firmware update, meaning it needs to be patched OEM by OEM, which will take time.
The update includes four other critical Android security fixes (CVE-2023-43556, CVE-2023-43538, CVE-2023-43551, CVE-2024-31320). Three of these address Qualcomm vulnerabilities delayed from the June update, while the fourth critical update, CVE-2024-31320, is a new detection. This issue impacts Android’s underlying framework and could lead to a local escalation of privilege without additional execution privileges.
Samsung has also addressed critical issues within its own ecosystem. This includes fixing an input validation risk that could allow remote attackers to execute arbitrary code by compromising secure control data on the device. However, user interaction is required to trigger this vulnerability.
While Google has already patched these vulnerabilities for Pixel devices, it could be months before a fix is available for other Android OEMs, including Samsung.