10
CVEs
0
Critical
0
High
0
KEV
0
PoC
0
Unpatched C/H
30.0%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
0
MEDIUM
10
LOW
0
Monthly CVE Trend
Affected Products (30)
Android
205
Exynos 1380 Firmware
106
Exynos 1280 Firmware
100
Exynos 980 Firmware
95
Exynos 1080 Firmware
81
Exynos 1330 Firmware
80
Exynos 850 Firmware
78
Exynos 1480 Firmware
77
Exynos 2200 Firmware
74
Exynos 2400 Firmware
66
Exynos W920 Firmware
60
Notes
57
Exynos 2100 Firmware
52
Exynos W930 Firmware
50
Sth Eth 250 Firmware
40
Exynos Modem 5300 Firmware
38
Exynos 9110 Firmware
37
Exynos Modem 5123 Firmware
36
Exynos 990 Firmware
36
Exynos W1000 Firmware
33
Exynos 1580 Firmware
32
Account
28
Samsung Mobile
27
Internet
26
Exynos 9820 Firmware
23
Exynos Auto T5123 Firmware
21
Linux Kernel
17
Exynos 2500 Firmware
16
Exynos 9825 Firmware
15
Mtower
13
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-21057 | Out-of-bounds memory write in Samsung Pass prior to version 5.2.10.3 enables local privileged attackers to corrupt process memory, producing high integrity and availability impact with limited confidentiality exposure. The root cause is improper input validation - a buffer overflow class defect - confirmed by Samsung's mobile security team and catalogued under EUVD-2026-42827. No public exploit code or CISA KEV listing has been identified; Samsung has released version 5.2.10.3 as the remediation. | MEDIUM | 6.8 | 0.1% | 34 |
No patch
|
| CVE-2026-58307 | Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis. | MEDIUM | 6.1 | 0.1% | 30 |
|
| CVE-2026-58306 | Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine. | MEDIUM | 6.1 | 0.1% | 30 |
No patch
|
| CVE-2026-58305 | Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to high-impact availability disruption and limited integrity compromise when processing malicious JavaScript. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with particular relevance to Samsung embedded and smart appliance ecosystems where this engine is deployed. No public exploit has been identified at time of analysis, and an upstream fix is available via GitHub PR #1580, though a formally versioned release has not been independently confirmed. | MEDIUM | 6.1 | 0.1% | 30 |
|
| CVE-2026-58304 | Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat. | MEDIUM | 6.1 | 0.1% | 30 |
|
| CVE-2026-58303 | Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface. | MEDIUM | 6.1 | 0.1% | 30 |
No patch
|
| CVE-2026-14160 | Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems - notably Samsung TV appliances - to local exploitation resulting in limited confidentiality, integrity, and availability impact. The flaw exists at a specific upstream commit (bab3a5797557014ce3c2e28419a6310cfba90d0d) and allows an attacker who can execute code in the same environment to exploit a timing window between a security check and the subsequent use of a resource. No active exploitation has been identified at time of analysis, but a fix commit is available upstream. | MEDIUM | 5.9 | 0.1% | 30 |
No patch
|
| CVE-2026-15551 | Integer overflow in Samsung's open-source rlottie animation rendering library leads to buffer overflow, with high availability impact including potential crash or memory corruption. Exploitation requires local access, low privileges, user interaction, and high attack complexity, making this a lower-urgency finding despite the buffer overflow class. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog. The upstream fix is available as a GitHub pull request (#595), though a formally tagged patched release version has not been independently confirmed. | MEDIUM | 5.5 | 0.1% | 28 |
No patch
|
| CVE-2026-21053 | Improper input validation in Samsung Email prior to version 6.2.13.1 enables local attackers to create arbitrary files within the application's Android sandbox, affecting integrity and availability of the email client. The attack is confined to the Samsung Email sandbox by Android's isolation model and cannot directly escalate to system-level or cross-application impact. No public exploit has been identified and the vulnerability is not listed in CISA KEV; Samsung has released a confirmed fix in version 6.2.13.1. | MEDIUM | 5.1 | 0.1% | 26 |
No patch
|
| CVE-2026-21056 | Improper authorization in Samsung Health prior to version 7.00.0.107 exposes connected device information to local, low-privileged attackers on the same Android device. The flaw likely involves an improperly protected Android IPC mechanism - such as a content provider or broadcast receiver - that fails to enforce access controls over paired wearable or peripheral device data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; combined with the local-only attack vector and limited data sensitivity, real-world risk is low. | MEDIUM | 4.8 | 0.1% | 24 |
No patch
|