Skip to main content

Samsung Internet CVE-2026-21036

| EUVDEUVD-2026-34808 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-05 SamsungMobile GHSA-8mjw-wh53-grh9
6.3
CVSS 4.0 · Vendor: SamsungMobile
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile) · only source for this CVE.

CVSS VectorVendor: SamsungMobile

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:36 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information.

AnalysisAI

Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.

Technical ContextAI

Samsung Internet is Samsung Mobile's proprietary Android web browser, identified by CPE cpe:2.3:a:samsung_mobile:samsung_internet:*:*:*:*:*:*:*:*. The vulnerability is an improper authorization flaw - meaning the browser fails to adequately enforce access controls on sensitive data or operations accessible to co-resident processes or lower-privileged system components. No CWE was assigned by the reporter, but the root cause class is consistent with broken access control (analogous to CWE-285: Improper Authorization or CWE-862: Missing Authorization). The CVSS 4.0 vector is notable: while the confidentiality impact on the vulnerable component itself is rated Low (VC:L), the subsequent system impacts are all High (SC:H/SI:H/SA:H), indicating that the sensitive information accessible through this flaw - potentially including browsing history, saved credentials, cookies, or session tokens - can be leveraged to compromise other systems, services, or accounts beyond the browser itself.

RemediationAI

Update Samsung Internet to version 30.0.0.39 or later, which Samsung Mobile has confirmed as the patched release per the June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06. Users should apply the update via the Galaxy Store or Google Play Store immediately. As an interim compensating control on devices where patching is delayed, administrators managing enterprise Android fleets via MDM can restrict the installation of unknown or untrusted applications to reduce the risk of a malicious co-resident app exploiting this flaw; note this does not eliminate risk from physically present users. Disabling Samsung Internet and substituting an alternate browser is a viable but disruptive workaround that eliminates attack surface entirely at the cost of losing Samsung-integrated features. No side effects of the official patch have been noted by the vendor.

Share

CVE-2026-21036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy