Skip to main content

SpriteWallpaper EUVDEUVD-2026-34798

| CVE-2026-21026 MEDIUM
2026-06-05 SamsungMobile GHSA-j4gh-32gr-3363
6.4
CVSS 4.0 · NVD
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile).

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 13:34 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
6.4 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
MEDIUM 6.4
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper export of android application components in SpriteWallpaper prior to SMR Jun-2026 Release 1 allows local attackers to access to sensitive information.

AnalysisAI

Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.

Technical ContextAI

Android applications declare their components - Activities, Services, Broadcast Receivers, and Content Providers - in the AndroidManifest.xml file. When a component is exported without proper permission enforcement (android:exported=true with no android:permission attribute or insufficient intent filter restrictions), any co-resident app or local attacker can invoke that component directly. This class of weakness is closely aligned with CWE-926 (Improper Export of Android Application Components), though Samsung's advisory lists CWE as N/A. The affected product is identified via CPE cpe:2.3:a:samsung_mobile:samsung_mobile_devices on Android 16 platforms. The CVSS 4.0 vector shows AV:L/AC:L/AT:N/PR:N/UI:N, meaning no elevated privilege or user interaction is needed for exploitation. Notably, the subsequent system impact metrics are all rated High (SC:H/SI:H/SA:H), indicating that the exported component can serve as a pivot point affecting broader system confidentiality, integrity, and availability beyond the app itself - consistent with a Content Provider or Service that bridges sensitive data across app boundaries.

RemediationAI

Apply the Samsung Mobile Security Update: SMR Jun-2026 Release 1 for Android 16, which is the vendor-confirmed fix for this vulnerability per EUVD-2026-34798. Users should navigate to Settings > Software Update > Download and Install to apply the monthly security patch. The advisory is published at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06. As a compensating control prior to patching, enterprise administrators managing Samsung devices via MDM can restrict the installation of untrusted or sideloaded applications, which limits the pool of potential local attackers able to invoke the exported component. Disabling or restricting ADB access on managed devices also reduces the local attack surface. Note that these workarounds reduce but do not eliminate risk, as co-installed apps from app stores may still be able to interact with exported components.

Share

EUVD-2026-34798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy