Skip to main content

Samsung Mobile Devices CVE-2026-20992

| EUVDEUVD-2026-12301 LOW
Incorrect Authorization (CWE-863)
2026-03-16 SamsungMobile
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 05:00 euvd
EUVD-2026-12301
Analysis Generated
Mar 16, 2026 - 05:00 vuln.today
CVE Published
Mar 16, 2026 - 04:31 nvd
LOW 3.3

DescriptionCVE.org

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application.

AnalysisAI

An improper authorization vulnerability in Samsung Settings allows a local attacker with low privileges to disable configuration of background data usage for applications prior to the SMR Mar-2026 Release 1 patch. While the CVSS score of 4.8 is moderate, the vulnerability has limited impact as it only affects the integrity of data usage settings without enabling data exfiltration or system compromise. The local attack vector and requirement for user-level privileges significantly reduce real-world exploitation likelihood compared to remote or privilege-escalation vulnerabilities.

Technical ContextAI

This vulnerability exists in Samsung's Settings application, a core system component responsible for managing device configuration parameters including network and data usage policies. The root cause is classified as improper authorization, meaning the Settings application fails to properly validate or enforce access controls when processing requests to modify background data usage configurations. The vulnerability likely stems from insufficient privilege checks or capability validation before allowing changes to application-level data usage restrictions, permitting a local authenticated user to bypass intended access controls. No specific CWE was assigned in the CVE record, but this aligns with CWE-639 (Authorization Bypass Through User-Controlled Key) or CWE-862 (Missing Authorization) patterns common in mobile OS settings implementations.

RemediationAI

Apply Samsung's SMR Mar-2026 Release 1 security patch or later to affected devices immediately through standard OTA update mechanisms. Users should navigate to Settings > About device > Software update and install available security updates. Organizations managing Samsung devices should enforce automatic security updates through Mobile Device Management (MDM) platforms such as Samsung Knox Configure or third-party MDM solutions. As a temporary workaround pending patch deployment, restrict Settings application access via MDM policy where feasible, though this may degrade user experience. Samsung customers requiring additional guidance should contact Samsung Support or review the official security advisory published in Samsung's Security Advisory Center (https://security.samsungmobile.com/).

CVE-2026-21019 HIGH
8.6 May 13

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy

CVE-2026-21025 MEDIUM
6.9 Jun 05

Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm

CVE-2026-21022 MEDIUM
6.9 May 13

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce

CVE-2026-21023 MEDIUM
6.9 Apr 29

Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att

CVE-2026-21018 MEDIUM
6.8 May 13

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary

CVE-2026-21012 MEDIUM
6.8 Apr 13

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers

CVE-2026-21015 MEDIUM
6.8 May 13

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id

CVE-2026-21010 MEDIUM
6.6 Apr 13

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li

CVE-2026-21011 MEDIUM
5.4 Apr 13

Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp

CVE-2026-21003 MEDIUM
5.2 Apr 13

Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas

CVE-2026-21031 MEDIUM
5.2 Jun 05

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att

CVE-2026-21021 MEDIUM
5.1 May 13

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act

Share

CVE-2026-20992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy