PT-2026-57454 · Undefined · Undefined

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-28585

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
A heads up that there are a ton of CVEs being patched for July 2026 (June was also high). So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. (Could just be 4th of July holiday, but they are an international firm. No previous delays as long.) Make certain your Google Play system version through the app is at 52.0.x, current is 52.1.26-31 for protection now. 
Update the Samsung firmware security update when it is provided as well as Samsung's Google Play System Update through the software information screen when each is available likely early next month. 
Below is the list for Samsung provided through Google:  
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
Google Patches for the following CVEs from Android Security Bulletin are applied in this Security Maintenance Release - July 2026 Package.
Critical
CVE-2026-27280, CVE-2026-28590, CVE-2026-28618, CVE-2026-28639, CVE-2026-33636
High
CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-0001, CVE-2026-0010, CVE-2026-0065, CVE-2026-0084, CVE-2026-21383, CVE-2026-24081, CVE-2026-24087, CVE-2026-28582, CVE-2026-28583, CVE-2026-28584, CVE-2026-28585, CVE-2026-28594, CVE-2026-28596, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28612, CVE-2026-28614, CVE-2026-28623, CVE-2026-28624, CVE-2026-28630, CVE-2026-28631, CVE-2026-28632, CVE-2026-28633, CVE-2026-28634, CVE-2026-28638, CVE-2026-28642, CVE-2026-28643, CVE-2026-28644, CVE-2026-28649, CVE-2026-28650
Moderate
None
Already included in previous updates
CVE-2026-0008, CVE-2026-20461, CVE-2026-24090
Not applicable to Samsung devices
CVE-2026-20457, CVE-2026-20458, CVE-2026-20459, CVE-2026-20460, CVE-2026-21734, CVE-2026-24091, CVE-2026-25259, CVE-2026-25260

Google AI says none of the new are in the wild yet.
Google AI'S descriptions:
Critical:
	CVE-2026-27280: An out-of-bounds write vulnerability in Adobe's DNG SDK (versions 1.7.1 2471 and earlier). It allows remote attackers to execute arbitrary code simply by having a victim open or preview a malformed DNG image. [1, 2, 3, 4] 	

	CVE-2026-28590 & CVE-2026-28618: Critical remote code execution and elevation of privilege vulnerabilities affecting the core Android operating system and Media Framework. [1] 	

	CVE-2026-28639: A critical vulnerability in the Android System framework that requires no additional execution privileges to potentially execute code. [1, 2] 	

	CVE-2026-33636: An out-of-bounds read and write vulnerability affecting the libpng library on ARM/AArch64 platforms utilizing Neon optimizations. Attackers can trigger this via a malicious paletted PNG file to cause a crash, memory corruption, or potentially leak information. It requires an update to libpng version 1.6.56 or later. [1, 2, 3] 	
Google AI would only summarize the high threats:
The list provided represents a combination of Android (e.g., CVE-2025-48564) and Qualcomm (e.g., CVE-2026-21383) security vulnerabilities....
The provided CVEs generally fall into three primary risk categories:
		Elevation of Privilege (EoP): Many of the bugs (like CVE-2025-48564, CVE-2025-48565, and CVE-2025-48566) reside in the Android Framework and System components. Attackers exploit these (often via race conditions or intent filter bypasses) to silently escalate privileges locally. [1, 2, 3, 4, 5] 		

		Cryptographic Flaws: CVE-2026-21383 relates to Qualcomm's high-level operating system (HLOS). It is triggered by a cryptographic issue when reusing a static initialization vector for AES-GCM key wrapping, compromising encryption security. [1] 		

		System/Memory Management: The remainder largely consists of memory corruptions, kernel logic failures, and media framework vulnerabilities which are continually patched in regular monthly security maintenance releases. [1] 		
Of course, also update your apps through Google Play and Samsung's Store. There is a 0 day exploit in Chrome CVE-2026-11645.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-28585

Affected Products

Undefined