Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile).
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Incorrect privilege assignment in Telephony prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information.
AnalysisAI
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 permits local attackers to access sensitive information without requiring prior privileges or user interaction. Affecting devices running Android 14, 15, and 16, the flaw stems from improper access controls within the telephony subsystem. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the low attack complexity and absence of privilege prerequisites lower the bar for local exploitation.
Technical ContextAI
The vulnerability resides in the Telephony subsystem of Samsung's Android-based mobile software stack, identified via CPE cpe:2.3:a:samsung_mobile:samsung_mobile_devices:*:*:*:*:*:*:*:*. The root cause is incorrect privilege assignment - a class of access control flaw where a process or component is granted more permissions than its function warrants, potentially allowing lower-trust callers to read privileged telephony data (e.g., call records, SIM identifiers, subscriber data, or network state). While CWE classification is listed as N/A by the reporter, this pattern closely aligns with CWE-266 (Incorrect Privilege Assignment) or CWE-732 (Incorrect Permission Assignment for Critical Resource). The issue is fixed in Samsung's monthly Security Maintenance Release (SMR) cycle, specifically the June 2026 release targeting Android 14, 15, and 16 firmware branches.
RemediationAI
The vendor-released patch is SMR Jun-2026 Release 1, delivered via Samsung's monthly Security Maintenance Release for devices on Android 14, 15, and 16. Users and administrators should apply the June 2026 OTA update immediately through Settings > Software Update. The full advisory is published at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06. If the update cannot be applied immediately, enterprise administrators using Samsung Knox or MDM solutions can restrict third-party application access to Telephony APIs as a compensating control, though this may impact legitimate telephony-dependent applications. Disabling untrusted sideloaded applications reduces the local attacker surface until the patch is deployed.
More in Samsung Mobile Devices
View allLocal privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary
External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id
Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li
Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp
Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas
Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act
Samsung Mobile S Share application prior to the April 2026 SMR Release 1 exposes sensitive information to adjacent netwo
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34797
GHSA-gfvv-v3hr-22c6