Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile).
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper export of android application components in ImsSettings prior to SMR Jun-2026 Release 1 allows local attackers to trigger logging function.
AnalysisAI
ImsSettings on Samsung Mobile Devices (Android 14, 15, 16) exposes an improperly exported Android application component, enabling locally authenticated low-privilege attackers to invoke the component and trigger its logging function, resulting in limited information disclosure. The vulnerability is patched in Samsung's SMR Jun-2026 Release 1 and is reported exclusively by Samsung Mobile. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the narrow, local-only impact.
Technical ContextAI
ImsSettings is a Samsung Android system application managing IP Multimedia Subsystem (IMS) configuration - the protocol stack underpinning VoLTE, VoWiFi, and RCS services. The root cause is an Android application component (Activity, Service, BroadcastReceiver, or ContentProvider) that is exported without adequate permission guards, meaning its android:exported attribute is set to true (or implicitly exported via an intent-filter) without a restricting android:permission declaration. This allows any co-resident app to send an Intent to invoke the component. While the CWE field is listed as N/A, this vulnerability class aligns conceptually with CWE-926 (Improper Export of Android Application Components). The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N confirms exploitation is local, low complexity, requires no additional attack conditions, and needs only low-privilege app execution - consistent with a standard sideloaded or installed third-party application on an Android device. Affected product identified via CPE: cpe:2.3:a:samsung_mobile:samsung_mobile_devices:*:*:*:*:*:*:*:*.
RemediationAI
Apply Samsung's SMR Jun-2026 Release 1 security update, which resolves the improper component export in ImsSettings across Android 14, 15, and 16. This is a vendor-released patch confirmed by Samsung Mobile via the advisory at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06. For enterprise environments where immediate patching is not feasible, compensating controls include enforcing MDM policies that restrict installation of untrusted or unapproved third-party applications - this reduces the likelihood of a malicious app being present to invoke the exposed component, though it does not eliminate the underlying vulnerability. Note that this workaround introduces application management overhead and does not address scenarios where legitimate but compromised apps are already installed.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34799
GHSA-68m3-82mw-x7j5