Impact
The vulnerability stems from improper export of Android application components within UwbTest before the January‑2026 security update. A local attacker can use the exported component to enable the Ultra Wideband (UWB) radio, so the device can engage in UWB communications without authorisation. The flaw does not directly compromise confidentiality or integrity, but it allows additional privileged behaviour that could be leveraged for side‑channel or proximity‑based attacks.
Affected Systems
Samsung Android devices running any Android version up to Android 16.0 that have not installed the Jan‑2026 RM‑1 security update or any subsequent UwbTest patches. The vulnerability spans all models whose firmware is listed in the extensive set of Samsung SMR release identifiers provided.
Risk and Exploitability
The CVSS score of 4.8 and an EPSS below 1% suggest moderate severity and a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, and no public exploits are known. Attackers would need local or device‑level access to reach the exported component. Because the flaw is limited to local privilege escalation, organisations should treat it as a patch‑critical issue if devices are physically or insider‑accessible, and as less urgent otherwise.