
Samsung March 2023 Security Patch: Fixes for Call, Keyboard, System UI and more

(Topic created on: 03-07-2023 11:42 AM)
TheFastestIndian

• Critical – 5

• High – 35

• Moderate – 0

• Already fixed – 4

• Not applicable – 5

The March 2023 patch includes 23 One UI patches, which Samsung calls SVE (Samsung Vulnerabilities and Exposures).

Severe issues that are patched in the March OTA:

Call application

Improper access control vulnerability in Call application prior to SMR Mar-2023 Release 1 allows local attackers to access sensitive information without proper permission. The patch adds proper permission to prevent improper access.

Samsung Keyboard

Improper authorization in Samsung Keyboard prior to SMR Mar-2023 Release 1 allows a physical attacker to access users’ text history on the lock screen. The patch removes the context menu on the lock screen.

Vulnerability in System UI

Improper privilege management vulnerability in PhoneStatusBarPolicy in System UI allows attackers to turn off Do not disturb via unprotected intent. Samsung’s March 2023 patch adds proper protection for the intent.

Galaxy Themes

Path traversal vulnerability in Galaxy Themes Service allows attackers to access arbitrary files with system uid. The March update adds proper input validation.

Bluetooth

Improper access control vulnerability in Bluetooth allows attackers to send files via Bluetooth without related permission. The company has also patched this flaw with the latest OTA release, which affects Galaxy devices running Android 11 to 13.

Use-after-free vulnerability in decon driver

This issue affected Galaxy devices running Android 11/12/13 with Exynos 2100 chipset (Galaxy S21 series). It allows attackers to cause memory access faults, which have been fixed with the addition of proper check logic to prevent use-after-free.
