Skip to main content

Smart Switch CVE-2026-20996

| EUVDEUVD-2026-12309 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-03-16 SamsungMobile
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 05:00 euvd
EUVD-2026-12309
Analysis Generated
Mar 16, 2026 - 05:00 vuln.today
CVE Published
Mar 16, 2026 - 04:32 nvd
HIGH 7.1

DescriptionCVE.org

Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.69.15 allows remote attackers to configure a downgraded scheme for authentication.

AnalysisAI

A cryptographic downgrade vulnerability in Samsung Smart Switch allows remote attackers to force the application to use weak authentication schemes during device-to-device transfers. The vulnerability affects Smart Switch versions prior to 3.7.69.15 and requires user interaction to exploit, potentially exposing sensitive data during the transfer process between Samsung devices. With a CVSS 4.0 score of 7.1 and no current evidence of active exploitation or public proof-of-concept code, this represents a moderate risk primarily to Samsung device users performing data migrations.

Technical ContextAI

Smart Switch is Samsung's official data transfer application used to migrate content between mobile devices, particularly when users upgrade to new Samsung phones. The vulnerability stems from the use of broken or risky cryptographic algorithms that can be manipulated by attackers to downgrade the authentication scheme used during device pairing and data transfer. While no specific CWE identifier is assigned, this vulnerability class typically relates to insufficient cryptographic strength (similar to CWE-326) or improper certificate validation, allowing attackers on the same network to intercept and potentially modify the authentication handshake between devices.

RemediationAI

Update Samsung Smart Switch to version 3.7.69.15 or later immediately through the Google Play Store, Galaxy Store, or Apple App Store depending on your device platform. For environments where immediate patching is not possible, advise users to only perform Smart Switch transfers on trusted networks, avoid public WiFi during device migrations, and verify the authenticity of connection requests during the transfer process. Enterprise environments should consider blocking older Smart Switch versions through mobile device management policies until all devices can be updated to the patched version.

Share

CVE-2026-20996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy