Skip to main content

Samsung Mobile Devices EUVDEUVD-2026-12293

| CVE-2026-20988 MEDIUM
2026-03-16 SamsungMobile
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 05:00 euvd
EUVD-2026-12293
Analysis Generated
Mar 16, 2026 - 05:00 vuln.today
CVE Published
Mar 16, 2026 - 04:31 nvd
MEDIUM 5.0

DescriptionCVE.org

Improper verification of intent by broadcast receiver in Settings prior to SMR Mar-2026 Release 1 allows local attacker to launch arbitrary activity with Settings privilege. User interaction is required for triggering this vulnerability.

AnalysisAI

A broadcast receiver in Android Settings fails to properly verify intents prior to the March 2026 Security Maintenance Release 1, allowing a local attacker with limited privileges to launch arbitrary activities with Settings-level permissions. The vulnerability requires user interaction to trigger and carries a CVSS 4.0 score of 6.8, reflecting high confidentiality and integrity impact. No public exploit or KEV designation is currently documented, but the local attack vector and privilege escalation potential warrant prompt patching.

Technical ContextAI

This vulnerability affects Android's Settings application broadcast receiver mechanism, which is responsible for handling inter-process communication (IPC) via Intent broadcasts. The root cause is improper verification of incoming intents before processing, classified under CWE categories related to insufficient input validation and improper access control on IPC mechanisms. Broadcast receivers are a standard Android IPC component that listen for system-wide or application-specific broadcasts; without strict intent verification (typically via permission checks, action whitelisting, or signature validation), a malicious local application can craft a spoofed broadcast to trigger unintended Settings functionality. The Settings application runs with system privileges, making it a high-value target for privilege escalation attacks. The vulnerability manifests in Android versions prior to the March 2026 SMR Release 1 patch level, affecting multiple Android device manufacturers and models that have not yet applied this security update.

RemediationAI

Apply the March 2026 Security Maintenance Release 1 patch or later to your Android device as soon as available from your device manufacturer or carrier. Users of Nexus/Pixel devices should check for over-the-air (OTA) updates through Settings > About Phone > System Update, or manually download factory images from https://developers.google.com/android/images. Third-party device manufacturers should obtain and deploy the updated Settings package from their OEM or Google's Android release channels. Until patching is feasible, restrict installation of untrusted applications from outside the Google Play Store, enforce managed device policies via MDM solutions to disable sideloading, and monitor device activity logs for suspicious Settings-related IPC attempts. For enterprise deployments, consider requiring device administrator privileges to be granted only after thorough vetting and mandate regular security update compliance via conditional access policies.

CVE-2026-21019 HIGH
8.6 May 13

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy

CVE-2026-21025 MEDIUM
6.9 Jun 05

Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm

CVE-2026-21022 MEDIUM
6.9 May 13

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce

CVE-2026-21023 MEDIUM
6.9 Apr 29

Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att

CVE-2026-21018 MEDIUM
6.8 May 13

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary

CVE-2026-21012 MEDIUM
6.8 Apr 13

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers

CVE-2026-21015 MEDIUM
6.8 May 13

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id

CVE-2026-21010 MEDIUM
6.6 Apr 13

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li

CVE-2026-21011 MEDIUM
5.4 Apr 13

Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to byp

CVE-2026-21003 MEDIUM
5.2 Apr 13

Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas

CVE-2026-21031 MEDIUM
5.2 Jun 05

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att

CVE-2026-21021 MEDIUM
5.1 May 13

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act

Share

EUVD-2026-12293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy