Skip to main content

Samsung ImsSettings EUVDEUVD-2026-34799

| CVE-2026-21027 MEDIUM
2026-06-05 SamsungMobile GHSA-68m3-82mw-x7j5
4.8
CVSS 4.0 · NVD
Share

Severity by source

Vendor (SamsungMobile) PRIMARY
MEDIUM
qualitative
NVD
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (SamsungMobile).

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:32 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
4.8 (MEDIUM)
CVE Published
Jun 05, 2026 - 10:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper export of android application components in ImsSettings prior to SMR Jun-2026 Release 1 allows local attackers to trigger logging function.

AnalysisAI

ImsSettings on Samsung Mobile Devices (Android 14, 15, 16) exposes an improperly exported Android application component, enabling locally authenticated low-privilege attackers to invoke the component and trigger its logging function, resulting in limited information disclosure. The vulnerability is patched in Samsung's SMR Jun-2026 Release 1 and is reported exclusively by Samsung Mobile. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the narrow, local-only impact.

Technical ContextAI

ImsSettings is a Samsung Android system application managing IP Multimedia Subsystem (IMS) configuration - the protocol stack underpinning VoLTE, VoWiFi, and RCS services. The root cause is an Android application component (Activity, Service, BroadcastReceiver, or ContentProvider) that is exported without adequate permission guards, meaning its android:exported attribute is set to true (or implicitly exported via an intent-filter) without a restricting android:permission declaration. This allows any co-resident app to send an Intent to invoke the component. While the CWE field is listed as N/A, this vulnerability class aligns conceptually with CWE-926 (Improper Export of Android Application Components). The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N confirms exploitation is local, low complexity, requires no additional attack conditions, and needs only low-privilege app execution - consistent with a standard sideloaded or installed third-party application on an Android device. Affected product identified via CPE: cpe:2.3:a:samsung_mobile:samsung_mobile_devices:*:*:*:*:*:*:*:*.

RemediationAI

Apply Samsung's SMR Jun-2026 Release 1 security update, which resolves the improper component export in ImsSettings across Android 14, 15, and 16. This is a vendor-released patch confirmed by Samsung Mobile via the advisory at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06. For enterprise environments where immediate patching is not feasible, compensating controls include enforcing MDM policies that restrict installation of untrusted or unapproved third-party applications - this reduces the likelihood of a malicious app being present to invoke the exposed component, though it does not eliminate the underlying vulnerability. Note that this workaround introduces application management overhead and does not address scenarios where legitimate but compromised apps are already installed.

Share

EUVD-2026-34799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy