Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.
AnalysisAI
Samsung Mobile's Recents application prior to SMR Apr-2026 Release 1 fails to properly validate exceptional conditions, allowing a physical attacker to bypass App Pinning security controls. The vulnerability requires physical device access and has a CVSS score of 4.1 reflecting the physical attack vector and confidentiality impact; no public exploit code or confirmed active exploitation has been identified.
Technical ContextAI
The vulnerability exists in Samsung Mobile's Recents application, a system component responsible for managing and displaying recently used applications. The flaw involves improper exception handling or validation logic that fails to enforce App Pinning restrictions-a Samsung security feature that prevents users from accessing pinned applications without authentication. The affected CPE spans Samsung Mobile devices running the vulnerable Recents component prior to the April 2026 Security Maintenance Release (SMR). The root cause involves a logical flaw in conditional checks rather than memory corruption or injection, consistent with an authentication bypass classification.
RemediationAI
Apply the Samsung Mobile Security Update for April 2026 Release 1 (SMR Apr-2026 Release 1) or later to patch the Recents application and restore App Pinning enforcement. Users should install the latest available SMR release on their Samsung Mobile devices through the standard system update mechanism. For devices in managed environments, administrators should enforce deployment of the patched SMR via mobile device management (MDM) policies. Users in multi-user or shared-device scenarios should prioritize this update to prevent unauthorized access to pinned applications. Detailed patching instructions and device-specific update paths are available via Samsung's security update portal at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04.
More in Samsung Mobile Devices
View allLocal privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary
External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id
Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li
Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp
Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas
Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21862
GHSA-5wcw-9q69-xf6p