Skip to main content

Samsung Plus TV CVE-2026-21035

| EUVDEUVD-2026-34807 MEDIUM
2026-06-05 SamsungMobile GHSA-9hqx-pxcx-hj4w
6.5
CVSS 4.0 · Vendor: SamsungMobile
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
6.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile) · only source for this CVE.

CVSS VectorVendor: SamsungMobile

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:38 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensitive information.

AnalysisAI

Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

Samsung Plus TV is a smart TV application platform developed by Samsung Mobile (CPE: cpe:2.3:a:samsung_mobile:samsung_plus_tv:*:*:*:*:*:*:*:*). The root cause is improper input validation (no specific CWE was assigned, but the pattern aligns with CWE-20: Improper Input Validation), where the application fails to adequately sanitize or verify externally supplied input over a network channel. The CVSS 4.0 framework's separation of vulnerable component (VC/VI/VA) versus subsequent system (SC/SI/SA) impacts indicates the flaw likely allows the attacker to leverage Samsung Plus TV as a pivot point - the insufficiently validated input triggers behavior that reaches beyond the app's own process boundary into the underlying TV operating system or shared platform services.

RemediationAI

Update Samsung Plus TV to version 1.0.28.6 or later, as confirmed by Samsung Mobile's June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 and the EUVD-2026-34807 advisory. On supported Samsung smart TV platforms, this update may be available through the TV's built-in app store or system software update mechanism - users should navigate to Settings and check for application and firmware updates. As a compensating control where immediate patching is not possible, restricting the Samsung Plus TV device's network access to trusted VLANs or disabling the application until the update is applied would reduce exposure, though this trades off against the intended streaming functionality. No vendor-documented workarounds are available in the referenced advisories beyond applying the patch.

Share

CVE-2026-21035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy