Galaxy Z Fold 7 and Flip 7 July Update Fixes Critical Image-File Exploit
16 hour ago / Read about 30 minute
Source:TechTimes

A man walks past a large electronic screen showing an advertisement for Samsung Galaxy Z Fold7 smartphone at Gwanghwamun square in central Seoul on January 8, 2026. South Korean tech giant Samsung Electronics said on January 8, it expected its fourth-quarter profit to reach a record 20 trillion won ($13.8 billion). Jung Yeon-je/AFP via Getty Images

Samsung began pushing its July 2026 Android security update to Galaxy Z Fold 7 and Galaxy Z Flip 7 owners on July 9, sealing 57 vulnerabilities — five of them critical — including a class of image-parsing flaws that commercial-grade spyware operators used to compromise Samsung Galaxy devices in real-world campaigns last November. If your device is used for banking, work apps, or two-factor authentication, this is an update to install the moment it appears.

The rollout started in South Korea, where Samsung traditionally deploys updates first. Global markets are expected to receive the patch within days. Users who want to check manually can go to Settings, tap Software Update, then tap Download and Install — though a "Your software is up to date" message simply means the staged rollout has not yet reached your device or region.

Korea First, Global Markets Following

Samsung began this month's security cycle a day earlier with the Galaxy S26 and Galaxy S25 series, then extended the rollout to its foldable lineup. The Galaxy S26 series received the July 2026 patch before the foldables. The Galaxy Z Fold 7 update package weighs 573MB and carries firmware version F966NKSSBBZG3; the Galaxy Z Flip 7 package is 443MB at firmware version F766NKSSBBZG3, according to SamMobile's firmware tracking of Samsung Members community reports. Update sizes can vary by market and carrier.

No new features accompany this release. Samsung's July update is a Security Maintenance Release, a category distinct from its One UI feature drops. Owners hoping for Galaxy AI additions or camera improvements will need to wait for a future rollout.

Read more: Samsung Messages Gone Dark: Scam Texts Target Galaxy Users on Shutdown Day

What 57 Vulnerabilities Means in Practice

Samsung's July 2026 Security Maintenance Release includes 41 fixes sourced from Google's Android Security Bulletin and 16 from Samsung's own vulnerability research team, for a total of 57. Of those, five carry a critical severity rating, 42 are rated high, and seven moderate.

The breakdown matters because not all fixes carry the same practical urgency. The five critical CVEs fall into two distinct attack surfaces, and understanding which is which shapes how seriously to treat the delay between bulletin and update.

Critical Flaws: Two Attack Surfaces, Very Different Risk Profiles

Three of the five critical CVEs — CVE-2026-28590, CVE-2026-28618, and CVE-2026-28639 — affect core components of the Android operating system and the Media Framework, as detailed in Samsung's security bulletin. Google classifies these as critical, but the specific exploitation details are not disclosed in either Google's or Samsung's public bulletin. Without confirmed in-the-wild exploitation or proof-of-concept code, these represent significant but abstract risk for most users.

The remaining two critical CVEs are more concrete. CVE-2026-27280 is an out-of-bounds write vulnerability in Adobe's DNG Software Development Kit, versions 1.7.1 2471 and earlier. Opening a malformed DNG image file — the lossless RAW format used by digital photographers and many professional camera apps — can let an attacker execute arbitrary code on the device remotely. CVE-2026-33636 is an out-of-bounds vulnerability in the libpng library, triggered by crafted PNG files on ARM and AArch64 processors when hardware-accelerated color palette extension is enabled; it can cause a denial-of-service crash or enable an attacker to read data from outside the intended memory boundary.

Both are remotely exploitable through normal-looking image files. The DNG flaw is the higher-stakes of the two: it can allow an attacker to run arbitrary code on the device entirely through a manipulated photo.

Samsung's Own Fixes Add More Remote Image-Parsing Exposure

Alongside the five Google-sourced critical CVEs, Samsung's 16 proprietary fixes include two high-severity vulnerabilities in Samsung's own image codec library, libimagecodec.media.quram.so, that deserve attention beyond their formal severity rating.

SVE-2026-1087 is an out-of-bounds write in TIFF format parsing inside that library. SVE-2026-1650 is an out-of-bounds write in DNG format parsing inside the same library. Samsung's own bulletin states that both "allow remote attackers to write out-of-bounds memory." These are high-severity, not critical — but they carry the same remote-exploitation model as the critical CVE-2026-27280: a crafted image file, received over any channel, can trigger the flaw without additional user action beyond opening or previewing the file.

Additional Samsung-specific high-severity fixes address memory corruption in libsavsac.so and libpadm.so (out-of-bounds write vulnerabilities allowing local code execution), a time-of-check time-of-use race condition in the fabricKeymaster trustlet, and an improper authorization flaw in KnoxGuardManager that would let a local attacker bypass the persistence configuration of the application.

Why This Update Class Has a Known Exploitation History

The out-of-bounds write vulnerability class in Samsung's image codec libraries is not theoretical. In November 2025, Palo Alto Networks Unit 42 documented a commercial-grade Android spyware campaign, code-named LANDFALL, that exploited CVE-2025-21042 — an out-of-bounds write vulnerability in Samsung's libimagecodec.quram.so image processing library — to deploy surveillance software on Galaxy devices used by individuals in Iraq, Iran, Turkey, and Morocco.

The exploit was delivered through malformed DNG image files sent over WhatsApp, the same delivery mechanism the July 2026 bulletin now patches against through a different but structurally identical CVE. Samsung patched CVE-2025-21042 in April 2025. A second vulnerability in the same library, CVE-2025-21043, was independently exploited in the wild and patched in September 2025, with the Meta and WhatsApp security teams credited for reporting it. The US Cybersecurity and Infrastructure Security Agency added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog on November 10, 2025.

The July 2026 bulletin addresses new CVEs in the same library class — SVE-2026-1087 and SVE-2026-1650 — alongside the critical Adobe DNG SDK flaw. No evidence of in-the-wild exploitation of the July 2026 CVEs has been published as of this writing, but the documented precedent from the prior two patch cycles makes this family of vulnerabilities one that security researchers and enterprise device administrators treat as urgent regardless of whether exploitation is currently confirmed.

How Android's Dual-Track Patch System Works

Understanding why Samsung patch timing differs from Google's helps set expectations for when to expect the update.

Google publishes its Android Security Bulletin once per month, typically in the first week of the month. Fixes are merged into the Android Open Source Project within 48 hours of bulletin release. Samsung notifies its own security team of the relevant CVEs at least a month before Google publishes them publicly, allowing Samsung to prepare both its Google-sourced fixes and its proprietary Samsung Vulnerability and Exposure (SVE) fixes in a single package. The two are then bundled into a Security Maintenance Release and staged for rollout.

The staged architecture — country first, then region by region — exists partly because Samsung must coordinate with carriers. Carrier-locked devices on networks like AT&T, Verizon, and T-Mobile undergo separate certification testing before the update can deploy, which can add days to weeks to the timeline for some users. Two Galaxy Z Fold 7 owners on different carriers in the same US city may receive the same July 2026 patch on different days. Until the update arrives, keeping Google Play Protect enabled and avoiding sideloaded apps reduces exposure to some of the high-severity vulnerabilities.

Read more: Samsung Galaxy Z Fold 8 Unpacked Set for July 22: New Wider Fold Joins Z Flip Lineup

Timing: Patch Arrives Twelve Days Before the Next Generation

Samsung began this July security rollout with twelve days to spare before Galaxy Unpacked on July 22 in London, where the Galaxy Z Fold 8, Galaxy Z Fold 8 Ultra, and Galaxy Z Flip 8 are expected to be announced. The security update for the Fold 7 and Flip 7 generation underscores Samsung's commitment to its seven-year security update pledge for flagship Galaxy devices — continuing support for the year-old foldables even as successor hardware approaches. Owners of the current generation will continue receiving monthly patches for years after the Fold 8 launch.

How to Get the Update

Open Settings on your Galaxy Z Fold 7 or Z Flip 7 and tap Software Update, then Download and Install. If the update is not yet available, it means the staged rollout has not reached your device or region. Samsung's rollout typically expands from Korea across Asia, then Europe and the Americas, over the days following the initial release. Check again daily until the update appears.

Once available, the install typically takes five to ten minutes depending on the device and connection speed. Do not interrupt the process. Carrier-locked devices may see additional delays while carrier testing completes.


Frequently Asked Questions

What does the critical image-file exploit in this update actually do to my phone?

The most serious image-related flaw in this release, CVE-2026-27280, exploits an out-of-bounds write vulnerability in Adobe's DNG image processing library. If you receive a malformed DNG image file and your phone processes it — through a camera app, photo gallery, or messaging preview — an attacker could execute arbitrary code on your device remotely without any further interaction from you. This is the same category of vulnerability, in Samsung's own image codec library, that was used to deploy LANDFALL commercial spyware on Galaxy devices in 2024 via malformed DNG files sent over WhatsApp. Samsung has patched both the Adobe DNG SDK flaw and two Samsung-specific image codec vulnerabilities in this release.

How do I update my Galaxy Z Fold 7 or Galaxy Z Flip 7?

Go to Settings on your device, tap Software Update, then tap Download and Install. If the update does not appear, Samsung's staged global rollout has not yet reached your region. Check again over the following days. The update package is 573MB on the Fold 7 and 443MB on the Flip 7; connect to Wi-Fi before installing to avoid mobile data charges.

Should I be concerned if I haven't installed this update yet?

Urgency depends on your use case. If you use your Galaxy foldable for mobile banking, corporate email, two-factor authentication, sensitive file storage, or travel with sensitive information, the five critical vulnerabilities and the two high-severity remote image-parsing flaws in this release represent meaningful risk. The image-codec vulnerability class addressed here has been weaponized in real-world spyware campaigns before. Install the patch as soon as it is available in your region. Until then, be especially cautious about opening image files received from unknown contacts via any messaging app.

When will the July 2026 Galaxy update reach my country?

Samsung began rolling out the July 2026 patch in South Korea on July 9, 2026. Global markets typically follow within several days to a week or two, depending on carrier certification schedules. There is no published country-by-country rollout order. Check Settings daily until the update appears on your device.