Samsung has confirmed a critical update for all eligible Galaxy phones. Just hours after Google warned Android is under attack, with new vulnerabilities exploited in the wild, Samsung also rushed out details of its own updates — much earlier than expected.
Google says CVE-2025-48633 and CVE-2025-48572 “may be under limited, targeted exploitation.” Only the first of these is currently included in Samsung’s update, but it may be that the other is not relevant to its devices. We don’t know as yet.
But while one of Google’s Android fixes may be missing, Samsung’s monthly update includes three critical security patches for vulnerabilities found by Google’s Project Zero.
That team’s remit is to “study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.” That should focus Galaxy minds. Given both the Android and Samsung zero-days, this is an emergency update.
The Android update affects the operating system’s framework, and risks “remote denial of service with no additional execution privileges needed.” There are no further details as yet, and there won’t be until most phones have been updated.
It’s the same story with Samsung’s own update. All three of the vulnerabilities disclosed by Project Zero enable “remote attackers to access out-of-bounds memory.” Take this seriously. All affect the same libimagecodec.quram.so library, which prompted Samsung’s emergency update in October and a U.S. government update warning.
As ever, Samsung’s challenge now is the timing of updates for hundreds of millions of affected devices. Unlike Pixel, the Galaxy-maker can’t update everyone, everywhere as soon as fixes are available. Users need to watch for the update on their phones.
