Skip to main content

Samsung InputSharing CVE-2026-21054

| EUVDEUVD-2026-42824 MEDIUM
2026-07-10 mobile.security@samsung.com GHSA-2mvw-r55c-8x68
6.9
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

Local attack via co-resident app requiring no permissions (PR:N, AV:L); high confidentiality impact only, no integrity or availability effect, scope unchanged.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 06:16 vuln.today
CVE Published
Jul 10, 2026 - 05:16 cve.org
MEDIUM 6.9

DescriptionCVE.org

Improper export of android application components in InputSharing prior to version 2.7.01.4 allows local attackers to access sharing data.

AnalysisAI

Improper export of Android application components in Samsung's InputSharing app (prior to version 2.7.01.4) exposes internal sharing data to any co-resident application on the same device. The flaw allows a local attacker - via a malicious app installed on the same Samsung device - to silently access data transiting the InputSharing component without requiring any special Android permissions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Induce victim to install malicious app
Delivery
App locates exported InputSharing component
Exploit
Send explicit Intent to exported component
Execution
Bypass permission check
Impact
Extract sharing data from component response

Vulnerability AssessmentAI

Exploitation The attack requires a malicious Android application to be installed on the same Samsung device running a vulnerable version of InputSharing (prior to 2.7.01.4). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) reflects the combination of a high confidentiality impact against a local-only, no-privilege-required access path - a realistic profile for Android inter-app attacks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor publishes a low-privilege utility app to an app marketplace targeting Samsung device users. Once installed on the victim's device, the malicious app sends an explicit Android Intent directly to InputSharing's improperly exported component, requiring no declared permissions. …
Remediation Update Samsung InputSharing to version 2.7.01.4 or later, available through the Samsung Galaxy Store or via an OTA firmware update for applicable Samsung devices. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy