Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application.
AnalysisAI
An improper authorization vulnerability in Samsung Settings allows a local attacker with low privileges to disable configuration of background data usage for applications prior to the SMR Mar-2026 Release 1 patch. While the CVSS score of 4.8 is moderate, the vulnerability has limited impact as it only affects the integrity of data usage settings without enabling data exfiltration or system compromise. The local attack vector and requirement for user-level privileges significantly reduce real-world exploitation likelihood compared to remote or privilege-escalation vulnerabilities.
Technical ContextAI
This vulnerability exists in Samsung's Settings application, a core system component responsible for managing device configuration parameters including network and data usage policies. The root cause is classified as improper authorization, meaning the Settings application fails to properly validate or enforce access controls when processing requests to modify background data usage configurations. The vulnerability likely stems from insufficient privilege checks or capability validation before allowing changes to application-level data usage restrictions, permitting a local authenticated user to bypass intended access controls. No specific CWE was assigned in the CVE record, but this aligns with CWE-639 (Authorization Bypass Through User-Controlled Key) or CWE-862 (Missing Authorization) patterns common in mobile OS settings implementations.
RemediationAI
Apply Samsung's SMR Mar-2026 Release 1 security patch or later to affected devices immediately through standard OTA update mechanisms. Users should navigate to Settings > About device > Software update and install available security updates. Organizations managing Samsung devices should enforce automatic security updates through Mobile Device Management (MDM) platforms such as Samsung Knox Configure or third-party MDM solutions. As a temporary workaround pending patch deployment, restrict Settings application access via MDM policy where feasible, though this may degrade user experience. Samsung customers requiring additional guidance should contact Samsung Support or review the official security advisory published in Samsung's Security Advisory Center (https://security.samsungmobile.com/).
More in Samsung Mobile Devices
View allLocal privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary
External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id
Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li
Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp
Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas
Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12301