Skip to main content

SamsungSEAgentService CVE-2026-21041

| EUVDEUVD-2026-42812 MEDIUM
2026-07-10 mobile.security@samsung.com GHSA-w6vq-38rc-cfg4
6.9
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

Local attack vector with no privilege or user-interaction requirement per CVSS 4.0 source; confidentiality impact only, no integrity or availability loss confirmed.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 06:09 vuln.today

DescriptionCVE.org

Improper access control in SamsungSEAgentService prior to SMR Jul-2026 Release 1 allows local attackers to access sensitive information.

AnalysisAI

Improper access control in SamsungSEAgentService on Samsung Android 15 and 16 devices allows a local attacker to read sensitive information without requiring elevated privileges. The CVSS 4.0 vector (AV:L/PR:N/VC:H) confirms that any local process on the device can trigger the flaw with high confidentiality impact and no integrity or availability loss. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on target Samsung device
Delivery
Invoke SamsungSEAgentService via local IPC
Exploit
Bypass missing access control check
Execution
Receive sensitive information in response
Impact
Exfiltrate data off-device

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution on the target Samsung device running Android 15 or 16 prior to SMR Jul-2026 Release 1 - meaning an attacker must have an installed application running in the device's user space. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 reflects a medium-severity finding with a local attack surface, which meaningfully constrains real-world exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker distributes a malicious Android application - either through sideloading or a compromised app store listing - that, once installed and run on a vulnerable Samsung Android 15 or 16 device, invokes SamsungSEAgentService directly without requiring any special system permissions. The service responds to the unauthorized request by returning sensitive information, which the malicious app can then exfiltrate. …
Remediation Apply Samsung's SMR Jul-2026 Release 1 security update, which addresses this access control flaw in SamsungSEAgentService. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy