Description
Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege.
Published: 2026-02-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from improper input validation in the FacAtFunction component before SMR Feb‑2026 Release 1. It permits a privileged physical attacker to inject and run arbitrary system commands on the device, effectively gaining full system control.

Affected Systems

Samsung Mobile Devices running Android 14.0, 15.0, and 16.0, including the seasonal releases listed in the CPE data from SMR Apr‑2022 through Sep‑2026.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires a physical attacker with device‑level privileges; if such conditions exist, exploitation could lead to complete system compromise. The vulnerability is exploitable via local input injection into the FacAtFunction interface.

Generated by OpenCVE AI on April 17, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Samsung security update for SMR Feb‑2026 Release 1 that addresses this vulnerability.
  • Restrict physical access to affected devices until the patch is applied.
  • Enable device lock and limit privileged operations to prevent unauthorized command execution.

Generated by OpenCVE AI on April 17, 2026 at 23:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Physical Attackers Can Execute Arbitrary Commands via Improper Input Validation in FacAtFunction on Samsung Devices
Weaknesses CWE-20
CWE-78

Thu, 05 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung android
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:samsung:android:14.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-apr-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-apr-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-apr-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-apr-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-aug-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-aug-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-aug-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-dec-2021-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-dec-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-dec-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-dec-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-feb-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-feb-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-feb-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-feb-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jan-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jan-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jan-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jan-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jul-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jul-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jul-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jul-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jun-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jun-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jun-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-jun-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-mar-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-mar-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-mar-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-mar-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-may-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-may-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-may-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-may-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-nov-2021-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-nov-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-nov-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-nov-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-oct-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-oct-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-oct-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-sep-2022-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-sep-2023-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-sep-2024-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:14.0:smr-sep-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-apr-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-feb-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jul-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jun-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-mar-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-may-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-sep-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products Samsung android
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung mobile Devices
Vendors & Products Samsung
Samsung mobile Devices

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege.
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Android Mobile Devices
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-02-04T16:56:29.200Z

Reserved: 2025-12-11T01:33:35.799Z

Link: CVE-2026-20981

cve-icon Vulnrichment

Updated: 2026-02-04T16:56:26.223Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T07:16:00.113

Modified: 2026-02-05T21:18:06.017

Link: CVE-2026-20981

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses