Skip to main content

Samsung Galaxy (Android) EUVDEUVD-2026-42819

| CVE-2026-21049 HIGH
2026-07-10 mobile.security@samsung.com GHSA-7p8c-622m-54g7
8.4
CVSS 4.0 · Vendor: samsung
Share

Severity by source

Vendor (samsung) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local on-device trigger (AV:L) reachable by an already-privileged app (PR:L) with no user interaction; memory corruption yields high confidentiality/integrity and limited availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung).

CVSS VectorVendor: samsung

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVE Published
Jul 10, 2026 - 05:49 cve.org
HIGH 8.4
Analysis Generated
Jul 10, 2026 - 05:47 vuln.today

DescriptionCVE.org

Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.

AnalysisAI

Arbitrary code execution in Samsung's libpadm.so system library on Galaxy devices allows a local, low-privileged attacker to corrupt memory via an out-of-bounds write and run code in the context of the vulnerable component prior to the SMR Jul-2026 Release 1. The flaw was reported internally by Samsung Mobile Security and carries a CVSS 4.0 base score of 8.4 (high). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious low-privilege app on Galaxy device
Delivery
Invoke component using libpadm.so
Exploit
Send crafted input triggering out-of-bounds write
Execution
Overwrite adjacent memory structures
Persist
Execute arbitrary code in library context
Impact
Escalate beyond app sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the device and pre-existing low-level privileges (CVSS PR:L) - typically an already-installed app or on-device code that can reach and pass crafted input to the libpadm.so library; it is not remotely exploitable over the network (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:L) describes a local attack requiring some existing privilege but no user interaction and low complexity, yielding high confidentiality and integrity impact for a score of 8.4. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a malicious or trojanized app that already holds modest on-device privileges; the app feeds crafted input to a component backed by libpadm.so, triggering the out-of-bounds write to overwrite memory and execute attacker-controlled code, escalating beyond its sandbox. Because the CVSS vector is local, low-complexity, and needs no user interaction, exploitation is reliable once code runs on the device, though no public POC is currently known.
Remediation Apply Samsung's Security Maintenance Release SMR Jul-2026 Release 1 or later via Settings > Software update on the device, or through the carrier/enterprise MDM update channel; this is the vendor-released patch that closes the out-of-bounds write. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy