Gottagopestcontrol

Deadline for Samsung Galaxy: 72 hours to update or stop using your phone
This month’s security update for Samsung Galaxy users is even more important than we thought. We knew it fixed two actively exploited vulnerabilities that had prompted warnings from the U.S. government. There are just 72 hours left until the August 28 deadline for all federal employees to update their phones or stop using them. But we now know there’s another serious vulnerability that puts millions of users at risk. And the only reason this one hasn’t made headlines is simple: It’s a typo.

First, the two government warnings. Samsung’s new update fixes two vulnerabilities in Android firmware – CVE-2024-32896 and CVE-2024-36971, both of which have been exploited in the wild. The first of these was fixed for Pixels in June, but wasn’t acknowledged as a Samsung issue until weeks later, and the update is only available this month. The second vulnerability was only fixed this month, and both Samsung and Google promptly released updates. That’s why there are two Tier 1 fixes in this month’s single release for Samsung Galaxy users.

But there’s a third serious problem for Samsung Galaxy users – at least those with S24s and A54s. CVE-2024-31960 is a high-severity use-after-free (UAF) memory vulnerability in Samsung Semiconductor’s Exynos 1480 and Exynos 2400 that was quietly fixed in the August release. It didn’t show up when searching Samsung’s August firmware advisory because the advisory listed it as “CVE-2024-3196”, one digit short of the real identifier. “This security maintenance release also includes patches from Samsung Semiconductor with the following CVE element,” the company said. “High: CVE-2024-3196.”

As Kaspersky explains, a UAF vulnerability “refers to the incorrect use of dynamic memory during program operation” and warns that “an attacker can use UAFs to pass arbitrary code – or a reference to it – to a program and navigate to the beginning of the code using a dangling pointer. In this way, the execution of the malicious code can allow the cybercriminal to gain control over a victim’s system.”

A big compliment to SammyFans on finding the critical missing link: “The changelog of the August 2024 update does not mention the inclusion of an important patch. After digging deeper into the details, I found that the release fixes a serious issue related to the Xclipse GPU driver of Galaxy S24, S24 Plus, and A54 5G.”

While this newly reported issue is limited to specific models, the two critical Android fixes are general, and although the U.S. cybersecurity agency’s warning to upgrade or stop using phones by August 28 is only binding on federal employees, its remit is much broader. “To help any organization better manage vulnerabilities and keep pace with threat activity,” CISA says, “use the KEV Catalog as input to (your) vulnerability management prioritization framework.”

The advice should now be as simple as updating your phone by the date given. But the problem for many users is that there is no update available. Samsung told me it would stick to its monthly update scope and schedule, meaning many users will miss the deadline, although four-year-old S20s have been updated despite deviating from the official monthly schedule, and updates for US users have been accelerated this month. All of this means that most current phones, and certainly the latest flagships, can be patched.

Just in the last few days, we’ve seen new Android warnings about an NFC exploit that “puts fingerprints and credit card data at risk,” and every month security reports come out warning users about the growing risk of malware – whether from the Play Store, third-party vendors, or direct installs. Now is not the time to end support.

If you are a federal employee, you must update your phone by Wednesday or stop using it; if you are not a federal employee, you should still update your phone now. It is also recommended that all public and private organizations ensure that every Android device connecting to internal systems or networks is updated on this same timeline.

If you have a Samsung or other Android device, check your phone now…
