Skip to main content

Samsung Auto CVE-2026-21034

| EUVDEUVD-2026-34806 MEDIUM
2026-06-05 SamsungMobile GHSA-959m-qc75-jv6h
4.8
CVSS 4.0 · Vendor: SamsungMobile
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile) · only source for this CVE.

CVSS VectorVendor: SamsungMobile

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:33 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
4.8 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper export of android application components in Samsung Auto prior to version 3.1.2.61 in Android 15 and 3.2.0.38 in Android 16 allows local attacker to change audio configuration.

AnalysisAI

Samsung Auto for Android exposes audio configuration functionality through improperly exported application components, allowing a local attacker with low privileges to arbitrarily modify audio settings without authorization. Affected versions are Samsung Auto prior to 3.1.2.61 on Android 15 and prior to 3.2.0.38 on Android 16, as confirmed by the Samsung Mobile vendor advisory and EUVD-2026-34806. No public exploit is identified at time of analysis and this vulnerability has not been added to the CISA KEV catalog, placing it at low real-world priority despite the straightforward local attack path.

Technical ContextAI

Samsung Auto is a Samsung Mobile Android application. Android applications expose functionality through components - Activities, Services, Broadcast Receivers, and Content Providers - which can be flagged as exported in the app manifest, allowing other apps on the device to invoke them via Intents. When these components are exported without adequate permission enforcement or validation (the vulnerability class corresponding to CWE-926: Improper Export of Android Application Components, though Samsung lists the CWE as N/A), any other application or local user can interact with them directly. In this case, the audio configuration subsystem within Samsung Auto is reachable through such an improperly exported component. The CPE string cpe:2.3:a:samsung_mobile:samsung_auto confirms the affected software as Samsung Mobile's Samsung Auto application. The vulnerability is platform-scoped to Android 15 and Android 16, suggesting the export behavior may interact with Android-version-specific component resolution or permission models.

RemediationAI

The vendor-released patch is Samsung Auto version 3.1.2.61 on Android 15 and version 3.2.0.38 on Android 16, as confirmed by Samsung Mobile's June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 and documented under EUVD-2026-34806. Users should update Samsung Auto through the Galaxy Store or the device's app update mechanism to the patched version applicable to their Android version. If immediate patching is not feasible in a managed device environment, administrators can enforce MDM policies restricting sideloaded or untrusted applications from being installed alongside Samsung Auto, which eliminates the primary attack vector since exploitation requires a co-installed malicious app. Note that overly restrictive app policies may affect legitimate app interoperability. Restricting device physical access also reduces exposure, as the attack vector is local (AV:L).

Share

CVE-2026-21034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy