Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile).
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper export of android application components in SpriteWallpaper prior to SMR Jun-2026 Release 1 allows local attackers to access to sensitive information.
AnalysisAI
Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.
Technical ContextAI
Android applications declare their components - Activities, Services, Broadcast Receivers, and Content Providers - in the AndroidManifest.xml file. When a component is exported without proper permission enforcement (android:exported=true with no android:permission attribute or insufficient intent filter restrictions), any co-resident app or local attacker can invoke that component directly. This class of weakness is closely aligned with CWE-926 (Improper Export of Android Application Components), though Samsung's advisory lists CWE as N/A. The affected product is identified via CPE cpe:2.3:a:samsung_mobile:samsung_mobile_devices on Android 16 platforms. The CVSS 4.0 vector shows AV:L/AC:L/AT:N/PR:N/UI:N, meaning no elevated privilege or user interaction is needed for exploitation. Notably, the subsequent system impact metrics are all rated High (SC:H/SI:H/SA:H), indicating that the exported component can serve as a pivot point affecting broader system confidentiality, integrity, and availability beyond the app itself - consistent with a Content Provider or Service that bridges sensitive data across app boundaries.
RemediationAI
Apply the Samsung Mobile Security Update: SMR Jun-2026 Release 1 for Android 16, which is the vendor-confirmed fix for this vulnerability per EUVD-2026-34798. Users should navigate to Settings > Software Update > Download and Install to apply the monthly security patch. The advisory is published at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06. As a compensating control prior to patching, enterprise administrators managing Samsung devices via MDM can restrict the installation of untrusted or sideloaded applications, which limits the pool of potential local attackers able to invoke the exported component. Disabling or restricting ADB access on managed devices also reduces the local attack surface. Note that these workarounds reduce but do not eliminate risk, as co-installed apps from app stores may still be able to interact with exported components.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34798
GHSA-j4gh-32gr-3363