Skip to main content

Samsung Members CVE-2026-21037

| EUVDEUVD-2026-34809 MEDIUM
2026-06-05 SamsungMobile GHSA-cwv2-jv9g-p6gp
6.9
CVSS 4.0 · Vendor: SamsungMobile
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile) · only source for this CVE.

CVSS VectorVendor: SamsungMobile

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:32 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
6.9 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege.

AnalysisAI

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local authenticated attackers to access arbitrary URLs and launch arbitrary Android activities using Samsung Members' application privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms local access with low privileges and no additional preconditions, with the score of 6.9 reflecting a high availability impact on the vulnerable component alongside low integrity impact. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the ability to hijack privileged activity launches on Samsung devices makes it a meaningful local privilege-chaining vector.

Technical ContextAI

Samsung Members (CPE: cpe:2.3:a:samsung_mobile:samsung_members:*:*:*:*:*:*:*:*) is a pre-installed Samsung Mobile application providing community, diagnostics, and customer support features on Samsung Android devices. The vulnerability involves improper input validation - no CWE is formally assigned, but this class of flaw on Android typically manifests as insufficient sanitization of data passed to Intent-dispatching or WebView/URL-loading components. This allows an attacker to supply crafted input that causes the application to resolve and launch arbitrary Android activities or load arbitrary URLs within the context of Samsung Members' declared permissions, which may include elevated or platform-signed privileges. This is consistent with Android deep-link hijacking or implicit intent redirection patterns prevalent in vendor-bundled applications.

RemediationAI

Update Samsung Members to version 5.8.01.5 or later, which is the vendor-released patch confirmed by Samsung Mobile's June 2026 security advisory (https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06) and EUVD-2026-34809. The update can be applied through the Galaxy Store or via Samsung's built-in app update mechanism on affected devices. As a compensating control where immediate patching is not feasible, restricting installation of untrusted third-party applications via MDM or device policy reduces the likelihood of a malicious app delivering the crafted input required for exploitation - note this does not eliminate physical access vectors. Disabling Samsung Members entirely is a high-impact workaround given the application provides Samsung support functionality and may affect warranty or diagnostic services.

Share

CVE-2026-21037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy