Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper verification of intent by broadcast receiver in Settings prior to SMR Mar-2026 Release 1 allows local attacker to launch arbitrary activity with Settings privilege. User interaction is required for triggering this vulnerability.
AnalysisAI
A broadcast receiver in Android Settings fails to properly verify intents prior to the March 2026 Security Maintenance Release 1, allowing a local attacker with limited privileges to launch arbitrary activities with Settings-level permissions. The vulnerability requires user interaction to trigger and carries a CVSS 4.0 score of 6.8, reflecting high confidentiality and integrity impact. No public exploit or KEV designation is currently documented, but the local attack vector and privilege escalation potential warrant prompt patching.
Technical ContextAI
This vulnerability affects Android's Settings application broadcast receiver mechanism, which is responsible for handling inter-process communication (IPC) via Intent broadcasts. The root cause is improper verification of incoming intents before processing, classified under CWE categories related to insufficient input validation and improper access control on IPC mechanisms. Broadcast receivers are a standard Android IPC component that listen for system-wide or application-specific broadcasts; without strict intent verification (typically via permission checks, action whitelisting, or signature validation), a malicious local application can craft a spoofed broadcast to trigger unintended Settings functionality. The Settings application runs with system privileges, making it a high-value target for privilege escalation attacks. The vulnerability manifests in Android versions prior to the March 2026 SMR Release 1 patch level, affecting multiple Android device manufacturers and models that have not yet applied this security update.
RemediationAI
Apply the March 2026 Security Maintenance Release 1 patch or later to your Android device as soon as available from your device manufacturer or carrier. Users of Nexus/Pixel devices should check for over-the-air (OTA) updates through Settings > About Phone > System Update, or manually download factory images from https://developers.google.com/android/images. Third-party device manufacturers should obtain and deploy the updated Settings package from their OEM or Google's Android release channels. Until patching is feasible, restrict installation of untrusted applications from outside the Google Play Store, enforce managed device policies via MDM solutions to disable sideloading, and monitor device activity logs for suspicious Settings-related IPC attempts. For enterprise deployments, consider requiring device administrator privileges to be granted only after thorough vetting and mandate regular security update compliance via conditional access policies.
More in Samsung Mobile Devices
View allLocal privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary
External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id
Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li
Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp
Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas
Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12293