Description
Improper verification of cryptographic signature in Font Settings prior to SMR Mar-2026 Release 1 allows physical attackers to use custom font.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Patch ASAP
AI Analysis

Impact

An improper verification of the cryptographic signature for fonts in the Android 16.0 font settings was discovered. The flaw exists in versions released before the SMR Mar‑2026 Release 1 update. A physical attacker who can install a custom font on the device can bypass signature checks, potentially allowing local code execution or other unauthorized actions. CWE‑347 is cited for this improper signature validation weakness.

Affected Systems

The vulnerability affects Samsung Mobile Devices running Android 16.0, including all the Software Maintenance Releases (SMRs) listed in the CPE entries (SMR Aug‑2025 r1 through SMR Mar‑2026 r1). Devices on any of these firmware levels are susceptible until a patch is applied.

Risk and Exploitability

The CVSS score is 5.1 (Medium), and the EPSS probability is reported as less than 1%, indicating a low likelihood of exploitation. The issue is not yet listed in the CISA KEV catalog, further suggesting it is not actively exploited in the wild today. The primary attack vector is physical access, which limits exposure to individuals who can physically interact with the device. Nevertheless, the potential for local privilege escalation warrants prompt remediation.

Generated by OpenCVE AI on March 20, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the SMR Mar-2026 Release 1 Samsung firmware update (or any later release), which includes the patch for font signature verification.
  • Until the update is available, avoid installing or enabling custom fonts from untrusted sources on the device.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | Improper Font Signature Verification Enables Local Code Execution on Samsung Android 16.0

Fri, 20 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung; Samsung android
Weaknesses | | CWE-347
CPEs | | cpe:2.3:o:samsung:android:16.0:-:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-aug-2025-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-dec-2025-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-feb-2026-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-jan-2026-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-nov-2025-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-oct-2025-r1:*:*:*:*:*:*
 | | cpe:2.3:o:samsung:android:16.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products | | Samsung; Samsung android
Metrics | | cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung Mobile; Samsung Mobile samsung Mobile Devices
Vendors & Products | | Samsung Mobile; Samsung Mobile samsung Mobile Devices

Mon, 16 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper verification of cryptographic signature in Font Settings prior to SMR Mar-2026 Release 1 allows physical attackers to use custom font.
References | |
Metrics | | cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Samsung Android
Samsung Mobile Samsung Mobile Devices
MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-03-16T13:19:37.404Z

Reserved: 2025-12-11T01:33:35.800Z

Link: CVE-2026-20989

Vulnrichment

Updated: 2026-03-16T13:16:14.645Z

NVD

Status: Analyzed

Published: 2026-03-16T14:18:09.610

Modified: 2026-03-20T13:53:30.823

Link: CVE-2026-20989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:33Z

Weaknesses