Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile) · only source for this CVE.
CVSS VectorVendor: SamsungMobile
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper export of android application components in Samsung Auto prior to version 3.1.2.61 in Android 15 and 3.2.0.38 in Android 16 allows local attacker to change audio configuration.
AnalysisAI
Samsung Auto for Android exposes audio configuration functionality through improperly exported application components, allowing a local attacker with low privileges to arbitrarily modify audio settings without authorization. Affected versions are Samsung Auto prior to 3.1.2.61 on Android 15 and prior to 3.2.0.38 on Android 16, as confirmed by the Samsung Mobile vendor advisory and EUVD-2026-34806. No public exploit is identified at time of analysis and this vulnerability has not been added to the CISA KEV catalog, placing it at low real-world priority despite the straightforward local attack path.
Technical ContextAI
Samsung Auto is a Samsung Mobile Android application. Android applications expose functionality through components - Activities, Services, Broadcast Receivers, and Content Providers - which can be flagged as exported in the app manifest, allowing other apps on the device to invoke them via Intents. When these components are exported without adequate permission enforcement or validation (the vulnerability class corresponding to CWE-926: Improper Export of Android Application Components, though Samsung lists the CWE as N/A), any other application or local user can interact with them directly. In this case, the audio configuration subsystem within Samsung Auto is reachable through such an improperly exported component. The CPE string cpe:2.3:a:samsung_mobile:samsung_auto confirms the affected software as Samsung Mobile's Samsung Auto application. The vulnerability is platform-scoped to Android 15 and Android 16, suggesting the export behavior may interact with Android-version-specific component resolution or permission models.
RemediationAI
The vendor-released patch is Samsung Auto version 3.1.2.61 on Android 15 and version 3.2.0.38 on Android 16, as confirmed by Samsung Mobile's June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 and documented under EUVD-2026-34806. Users should update Samsung Auto through the Galaxy Store or the device's app update mechanism to the patched version applicable to their Android version. If immediate patching is not feasible in a managed device environment, administrators can enforce MDM policies restricting sideloaded or untrusted applications from being installed alongside Samsung Auto, which eliminates the primary attack vector since exploitation requires a co-installed malicious app. Note that overly restrictive app policies may affect legitimate app interoperability. Restricting device physical access also reduces exposure, as the attack vector is local (AV:L).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34806
GHSA-959m-qc75-jv6h