Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker needs pre-existing privileged access to reach the trustlet (PR:H) and must win a timing-dependent race (AC:H); local vector, no UI, with full C/I/A loss of the Keymaster TA.
Primary rating from Vendor (samsung).
CVSS VectorVendor: samsung
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows local privileged attackers to execute arbitrary code.
AnalysisAI
Local privilege escalation to arbitrary code execution in Samsung's fabricKeymaster trustlet affects Galaxy devices running builds prior to the SMR Jul-2026 Release 1 security patch level. A local attacker who already holds privileged (root/system-level) access on the device can exploit a time-of-check-to-time-of-use race condition to run arbitrary code within the Keymaster trusted application, undermining the hardware-backed key store. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local, on-device privileged access (PR:H) - the attacker must already run as root or an equivalently privileged Android context able to call the fabricKeymaster/Keymaster TEE interface; it cannot be triggered remotely or by an unprivileged app. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H, base 8.4) marks this as local, no user interaction, high privileges required, with high confidentiality/integrity/availability impact - a serious but not internet-exposed issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already gained privileged code execution on a Galaxy phone - for example via a chained kernel exploit or a malicious privileged app - repeatedly invokes the Keymaster interface while a second thread mutates a shared buffer to win the TOCTOU window in fabricKeymaster. Winning the race lets them execute code inside the trusted application, allowing extraction or forgery of hardware-backed keys and defeating KeyStore-based protections. … |
| Remediation | Vendor-released patch: SMR Jul-2026 Release 1 - apply the Samsung July 2026 security update (or any later monthly SMR) via Settings > Software update on the device, or through enterprise MDM/Knox managed update channels; consult https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=07 for per-model availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Galaxy devices and identify those running security patch levels prior to SMR Jul-2026 Release 1; document risk tier based on device criticality and deployed keys. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42817
GHSA-g963-gfxf-m962