Skip to main content

Galaxy Watch CVE-2026-21019

| EUVDEUVD-2026-29905 HIGH
2026-05-13 SamsungMobile GHSA-mwvv-x94p-96gq
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:57 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
8.9 (HIGH) 8.6 (HIGH)
CVE Published
May 13, 2026 - 04:56 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 04:56 nvd
HIGH 8.6

DescriptionCVE.org

Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.

AnalysisAI

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with system-level privileges by exploiting improper input validation in the FacAtFunction component. Affects Galaxy Watch devices running Android Watch 14 and 16 prior to Samsung's May 2026 security release (SMR May-2026 Release 1). EPSS score of 0.03% indicates low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis. Attack requires physical or ADB access to the device.

Technical ContextAI

The vulnerability resides in FacAtFunction, a Samsung-specific component in the Galaxy Watch firmware that appears to handle AT command processing or factory testing functions. The flaw stems from improper input validation - a class of vulnerabilities where user-supplied data is not sufficiently sanitized before being processed by privileged system functions. The CVSS 4.0 vector (AV:L/AC:L/PR:N) indicates local access with low attack complexity and no privileges required, suggesting the vulnerable function is accessible to unprivileged processes or through debugging interfaces like ADB. The affected platform is Samsung's Android-based wearable OS (Wear OS variants for Android Watch 14 and 16), which runs a modified Android stack with Samsung proprietary components. CPE data identifies the vulnerability scope as Samsung Mobile Devices ecosystem, specifically the Galaxy Watch product line.

RemediationAI

Apply Samsung Mobile Security Release May 2026 Release 1 or later through the Galaxy Wearable app on paired smartphones or via direct device system update (Settings > Software update > Download and install). Samsung distributes wearable OS updates through staged rollout, so availability varies by region and carrier. Users can check current security patch level in Settings > About watch > Software information > Security software version - must show May 2026 or later. Until patched, compensating controls include: disable USB debugging in Developer options to prevent ADB-based exploitation (trade-off: limits legitimate development and troubleshooting); restrict installation of apps to Galaxy Store only via Settings > Apps > App permissions > Special access > Install unknown apps (reduces malicious app vector but blocks sideloading); enable PIN/password device lock to prevent unauthorized physical access (does not protect against exploit via malicious app but raises attack complexity). No workaround fully mitigates the vulnerability - patching is the only complete remediation.

CVE-2026-21025 MEDIUM
6.9 Jun 05

Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm

CVE-2026-21022 MEDIUM
6.9 May 13

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce

CVE-2026-21023 MEDIUM
6.9 Apr 29

Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att

CVE-2026-21018 MEDIUM
6.8 May 13

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary

CVE-2026-21012 MEDIUM
6.8 Apr 13

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers

CVE-2026-21015 MEDIUM
6.8 May 13

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id

CVE-2026-21010 MEDIUM
6.6 Apr 13

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li

CVE-2026-21011 MEDIUM
5.4 Apr 13

Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp

CVE-2026-21003 MEDIUM
5.2 Apr 13

Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas

CVE-2026-21031 MEDIUM
5.2 Jun 05

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att

CVE-2026-21021 MEDIUM
5.1 May 13

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act

CVE-2026-21008 MEDIUM
5.1 Apr 13

Samsung Mobile S Share application prior to the April 2026 SMR Release 1 exposes sensitive information to adjacent netwo

Share

CVE-2026-21019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy