Skip to main content

Samsung IAFDService CVE-2026-21040

| EUVDEUVD-2026-42811 MEDIUM
2026-07-10 mobile.security@samsung.com GHSA-5xcv-2pqj-94j5
6.9
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Local vector with low privileges per CVSS 4.0 assignment; no confidentiality impact per VC:N; high integrity and availability impact retained from VI:H and VA:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 06:09 vuln.today

DescriptionCVE.org

Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs.

AnalysisAI

Improper access control in IAFDService on Samsung mobile devices (Android 14, 15, and 16) allows local attackers holding low-level privileges to invoke privileged system APIs that should be restricted to higher-trust callers. The flaw carries a CVSS 4.0 score of 6.9, reflecting high integrity and availability impact on the vulnerable system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local device access or install malicious app
Exploit
Call IAFDService privileged API without authorization
Execution
Bypass missing access control check
Impact
Corrupt device integrity or disrupt availability

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to an affected Samsung device running Android 14, 15, or 16, combined with at least low-level privileges - achievable via a locally installed application or an ADB shell session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 with AV:L and PR:L constrains the attack surface significantly: exploitation requires a foothold on the device, either through a locally installed malicious application or direct shell access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor installs a malicious Android application on an affected Samsung device (or gains ADB shell access via physical proximity or prior malware). The malicious app calls IAFDService's privileged API endpoints directly, bypassing the missing authorization check, and invokes system-level functionality to tamper with device integrity or trigger a denial-of-service condition. …
Remediation Apply Samsung's SMR Jul-2026 Release 1 security update, which resolves CVE-2026-21040 across Android 14, 15, and 16 on affected Samsung devices. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy