Impact
Improper verification of intent by a broadcast receiver in the Android Settings app allows a local attacker to launch an arbitrary activity with Settings-level privileges, enabling privileged actions such as modifying system settings or accessing sensitive information. The flaw stems from the Settings broadcast receiver not properly validating the intent it receives, which lets the attacker act with the receiver's elevated capabilities on the device. This is a local privilege escalation vulnerability: the attacker must already have access to the device, and the flaw does not by itself compromise remote systems.
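As an added illustration of the mitigation, and not Samsung's or AOSP's code or a description of the actual Settings receiver, the following receiver validates a request before starting an activity on the sender's behalf; the action name, extra key and activity class names are assumed placeholders, and the nested-Intent pattern is one common shape of this flaw class, not a claim about the Settings implementation.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import java.util.Arrays;
import java.util.List;

// Illustrative receiver that opens an in-app settings page on request.
// The manifest should also declare it android:exported="false" or guard it with
// a signature-level permission so that third-party apps cannot reach it at all.
public class SettingsPageReceiver extends BroadcastReceiver {
    private static final String TAG = "SettingsPageReceiver";
    // Assumed action and extra names; placeholders, not real Settings identifiers.
    static final String ACTION_OPEN_PAGE = "com.example.settings.action.OPEN_PAGE";
    static final String EXTRA_TARGET = "com.example.settings.extra.TARGET";
    // Allowlist of activities this receiver is permitted to start (assumed names).
    private static final List<String> ALLOWED_CLASSES = Arrays.asList(
            "com.example.settings.DisplaySettingsActivity",
            "com.example.settings.SoundSettingsActivity");

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_OPEN_PAGE.equals(intent.getAction())) {
            return; // Unexpected action: ignore rather than act on it.
        }
        Intent target = intent.getParcelableExtra(EXTRA_TARGET);
        if (target == null) {
            return;
        }
        // The nested intent must name an explicit component inside this app,
        // and that component must be on the allowlist. A receiver that skips
        // this check hands whatever the sender supplied to startActivity().
        ComponentName cn = target.getComponent();
        if (cn == null
                || !context.getPackageName().equals(cn.getPackageName())
                || !ALLOWED_CLASSES.contains(cn.getClassName())) {
            Log.w(TAG, "Rejected request to start " + cn);
            return;
        }
        // Build a fresh intent instead of forwarding the sender's object, so no
        // sender-controlled extras, data URIs or URI-permission grant flags ride
        // along on the privileged launch.
        Intent launch = new Intent()
                .setComponent(cn)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(launch);
    }
}
```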
Affected Systems
Samsung Mobile Devices running Android 16.0 with any SMR release prior to SMR Mar-2026 Release 1 are affected. The affected updates include SMR-Sep-2025-R1 through SMR-Feb-2026-R1, as listed in the Common Platform Enumeration data. Users of these devices should check Samsung's security update page for the March 2026 release to determine whether their device is still vulnerable.
Risk and Exploitability
The CVSS score of 6.8 denotes moderate severity, and the EPSS score of less than 1% indicates a low overall likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local attacker who can send a crafted broadcast intent to the Settings app, plus user interaction with the trigger; the typical attack vector would be a malicious application or script that sends the crafted intent, which the Settings receiver acts on without proper validation. Although the attack is local and requires user interaction, the potential to gain Settings privileges represents a significant risk to device security.
OpenCVE Enrichment