Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector, no privileges required per CVSS 4.0 source; integrity-only impact since Theft Protection configuration is modified but no data is read or service disrupted.
Primary rating from Vendor (samsung).
CVSS VectorVendor: samsung
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.
AnalysisAI
Improper access control in the Samsung Settings application on Android 15 and 16 allows a local attacker to modify Theft Protection configurations without requiring device credentials or elevated privileges. The vulnerability stems from missing or bypassable authorization checks in the Settings component, enabling an attacker with local access - such as someone in possession of a stolen device - to reconfigure the very security controls designed to prevent unauthorized use. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Local physical access to the device is required (AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium-High) reflects a local-only attack vector (AV:L) with no privileges required (PR:N), no user interaction (UI:N), and high integrity impact (VI:H) with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains physical possession of a Samsung Galaxy device running Android 15 or 16 - for example, a stolen or unattended device. Without knowing the device unlock PIN or password, the attacker navigates to or invokes the vulnerable Settings path and modifies Theft Protection settings, such as disabling anti-theft lock or factory reset restrictions. … |
| Remediation | Apply SMR Jul-2026 Release 1 or later, available via Samsung's over-the-air update mechanism for all affected Android 15 and 16 devices. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42810
GHSA-cq9x-745f-5vrm