Skip to main content

Samsung Mobile Devices EUVDEUVD-2026-21866

| CVE-2026-21011 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-13 SamsungMobile
5.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 13, 2026 - 06:29 vuln.today
CVSS changed
Apr 13, 2026 - 06:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 06:15 euvd
EUVD-2026-21866
Analysis Generated
Apr 13, 2026 - 06:15 vuln.today
CVE Published
Apr 13, 2026 - 05:04 nvd
MEDIUM 5.4

DescriptionCVE.org

Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.

AnalysisAI

Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to bypass Extend Unlock authentication due to incorrect privilege assignment, enabling unauthorized device access without requiring prior authentication. The vulnerability requires physical proximity and user interaction but grants full confidentiality and integrity compromise of the device. No public exploit code has been identified at the time of analysis.

Technical ContextAI

The vulnerability resides in Samsung Mobile's Bluetooth stack implementation within maintenance mode functionality. Maintenance mode is a privileged operational state typically used for device diagnostics and service operations. The flaw involves improper privilege elevation or permission checks in the Bluetooth subsystem that fails to enforce proper authentication boundaries when processing Extend Unlock commands. This allows an attacker with physical access to the device and ability to trigger user interaction to assume elevated privileges normally reserved for authenticated users or administrators. The Bluetooth protocol layer does not properly validate privilege contexts before granting access to security-critical unlock mechanisms.

RemediationAI

Patch to Samsung Mobile devices updated with April 2026 SMR Release 1 or later. Users should visit https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 to identify their specific device model and download the latest firmware update. Pending patch application, restrict physical device access to trusted individuals, avoid entering maintenance mode on devices in untrusted environments, and ensure Bluetooth is disabled when the device is not in active use. For enterprise deployments, enforce strict physical security controls over devices and consider device management policies that restrict maintenance mode access or disable Bluetooth functionality in high-risk contexts.

CVE-2026-21019 HIGH
8.6 May 13

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with sy

CVE-2026-21025 MEDIUM
6.9 Jun 05

Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 perm

CVE-2026-21022 MEDIUM
6.9 May 13

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to acce

CVE-2026-21023 MEDIUM
6.9 Apr 29

Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local att

CVE-2026-21018 MEDIUM
6.8 May 13

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary

CVE-2026-21012 MEDIUM
6.8 Apr 13

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers

CVE-2026-21015 MEDIUM
6.8 May 13

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique id

CVE-2026-21010 MEDIUM
6.6 Apr 13

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with li

CVE-2026-21003 MEDIUM
5.2 Apr 13

Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypas

CVE-2026-21031 MEDIUM
5.2 Jun 05

Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged att

CVE-2026-21021 MEDIUM
5.1 May 13

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged act

CVE-2026-21008 MEDIUM
5.1 Apr 13

Samsung Mobile S Share application prior to the April 2026 SMR Release 1 exposes sensitive information to adjacent netwo

Share

EUVD-2026-21866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy