Skip to main content

Samsung Settings CVE-2026-21039

| EUVDEUVD-2026-42810 MEDIUM
2026-07-10 mobile.security@samsung.com GHSA-cq9x-745f-5vrm
6.9
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

Local vector, no privileges required per CVSS 4.0 source; integrity-only impact since Theft Protection configuration is modified but no data is read or service disrupted.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 06:07 vuln.today

DescriptionCVE.org

Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.

AnalysisAI

Improper access control in the Samsung Settings application on Android 15 and 16 allows a local attacker to modify Theft Protection configurations without requiring device credentials or elevated privileges. The vulnerability stems from missing or bypassable authorization checks in the Settings component, enabling an attacker with local access - such as someone in possession of a stolen device - to reconfigure the very security controls designed to prevent unauthorized use. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain physical device access
Delivery
Navigate to vulnerable Settings component
Exploit
Bypass access control check
Execution
Modify Theft Protection configuration
Impact
Disable or weaken anti-theft safeguards

Vulnerability AssessmentAI

Exploitation Local physical access to the device is required (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium-High) reflects a local-only attack vector (AV:L) with no privileges required (PR:N), no user interaction (UI:N), and high integrity impact (VI:H) with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains physical possession of a Samsung Galaxy device running Android 15 or 16 - for example, a stolen or unattended device. Without knowing the device unlock PIN or password, the attacker navigates to or invokes the vulnerable Settings path and modifies Theft Protection settings, such as disabling anti-theft lock or factory reset restrictions. …
Remediation Apply SMR Jul-2026 Release 1 or later, available via Samsung's over-the-air update mechanism for all affected Android 15 and 16 devices. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy