Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with low privileges per CVSS 4.0 assignment; no confidentiality impact per VC:N; high integrity and availability impact retained from VI:H and VA:H.
Primary rating from Vendor (samsung).
CVSS VectorVendor: samsung
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs.
AnalysisAI
Improper access control in IAFDService on Samsung mobile devices (Android 14, 15, and 16) allows local attackers holding low-level privileges to invoke privileged system APIs that should be restricted to higher-trust callers. The flaw carries a CVSS 4.0 score of 6.9, reflecting high integrity and availability impact on the vulnerable system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to an affected Samsung device running Android 14, 15, or 16, combined with at least low-level privileges - achievable via a locally installed application or an ADB shell session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 with AV:L and PR:L constrains the attack surface significantly: exploitation requires a foothold on the device, either through a locally installed malicious application or direct shell access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor installs a malicious Android application on an affected Samsung device (or gains ADB shell access via physical proximity or prior malware). The malicious app calls IAFDService's privileged API endpoints directly, bypassing the missing authorization check, and invokes system-level functionality to tamper with device integrity or trigger a denial-of-service condition. … |
| Remediation | Apply Samsung's SMR Jul-2026 Release 1 security update, which resolves CVE-2026-21040 across Android 14, 15, and 16 on affected Samsung devices. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42811
GHSA-5xcv-2pqj-94j5