Skip to main content

Samsung Mobile Devices CVE-2026-21010

| EUVDEUVD-2026-21864 MEDIUM
2026-04-13 SamsungMobile
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 06:29 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 06:15 euvd
EUVD-2026-21864
Analysis Generated
Apr 13, 2026 - 06:15 vuln.today
CVE Published
Apr 13, 2026 - 05:10 nvd
MEDIUM 6.6

DescriptionCVE.org

Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.

AnalysisAI

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with limited privileges to trigger privileged functions, potentially leading to information disclosure and unauthorized modification of device state. The vulnerability requires physical or local access and low-privilege credentials, limiting immediate remote exploitation risk but posing significant concern for retail environments where devices are physically accessible to untrusted parties.

Technical ContextAI

The vulnerability resides in Samsung Mobile's Retail Mode functionality, a special operational state designed for in-store demonstrations and testing. Retail Mode typically operates with elevated privileges to facilitate rapid device configuration and feature showcasing. The improper input validation flaw permits bypass of privilege boundary checks, allowing a local attacker with limited user privileges (PR:L) to invoke functions normally restricted to system or administrative accounts. The root cause is classified under input validation deficiencies, suggesting the Retail Mode subsystem fails to adequately sanitize or validate user-supplied input before processing commands that should require higher privilege levels. The affected CPE encompasses Samsung Mobile devices across all versions prior to the April 2026 Security Maintenance Release (SMR) batch 1.

RemediationAI

Vendor-released patch: Samsung Mobile SMR April 2026 Release 1 and later. Affected users must update their Samsung Mobile devices to the April 2026 SMR patch or a more recent security release. No workarounds are available for this privilege escalation vulnerability; patching is the only remediation path. Users should check Samsung Mobile's security update portal at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 for device-specific patch availability and installation instructions. Organizations managing retail or demo devices should prioritize patching to prevent unauthorized access to sensitive device configuration and data.

CVE-2026-21019 HIGH
8.6 May 13

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy

CVE-2026-21025 MEDIUM
6.9 Jun 05

Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm

CVE-2026-21022 MEDIUM
6.9 May 13

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce

CVE-2026-21023 MEDIUM
6.9 Apr 29

Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att

CVE-2026-21018 MEDIUM
6.8 May 13

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary

CVE-2026-21012 MEDIUM
6.8 Apr 13

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers

CVE-2026-21015 MEDIUM
6.8 May 13

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id

CVE-2026-21011 MEDIUM
5.4 Apr 13

Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp

CVE-2026-21003 MEDIUM
5.2 Apr 13

Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas

CVE-2026-21031 MEDIUM
5.2 Jun 05

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att

CVE-2026-21021 MEDIUM
5.1 May 13

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act

CVE-2026-21008 MEDIUM
5.1 Apr 13

Samsung Mobile S Share application prior to the April 2026 SMR Release 1 exposes sensitive information to adjacent netwo

Share

CVE-2026-21010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy