Skip to main content

Bixby CVE-2026-21055

| EUVDEUVD-2026-42825 HIGH
2026-07-10 mobile.security@samsung.com GHSA-876v-2rgp-9xrr
8.5
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Local IPC abuse by a co-located app needs no privileges or user interaction (AV:L/PR:N/UI:N), yielding high confidentiality and integrity impact but no availability loss.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 05:48 vuln.today
CVE Published
Jul 10, 2026 - 05:16 cve.org
HIGH 8.5

DescriptionCVE.org

Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.

AnalysisAI

Local privilege escalation to arbitrary command execution in Samsung Bixby (versions prior to 4.0.70.8) allows a malicious co-located Android app to invoke improperly exported application components and run commands with Bixby's elevated privilege level. Reported by Samsung Mobile Security and rated CVSS 4.0 base 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on device
Delivery
Craft Intent to exported Bixby component
Exploit
Invoke unprotected component IPC
Execution
Execute commands with Bixby privilege
Impact
Access or tamper with protected data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have an application installed and running on the same Samsung device as the vulnerable Bixby (versions before 4.0.70.8); the vector is local (AV:L), so no network access is involved. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 8.5 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a seemingly benign app (e.g., a game or utility) that requests no sensitive permissions. In the background the app sends a crafted Intent to one of Bixby's improperly exported components, causing Bixby to execute attacker-supplied commands under its own elevated privilege and exfiltrate or tamper with data (VC:H/VI:H). …
Remediation Vendor-released patch: Bixby 4.0.70.8 - update Bixby to version 4.0.70.8 or later through the Galaxy Store / Samsung app update mechanism, and apply the corresponding Samsung security maintenance release for July 2026 as described at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=07. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Samsung devices running Bixby versions prior to 4.0.70.8 and communicate the risk to device owners. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy