Description
Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege.
Published: 2026-03-16
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Creation with Elevated Privileges
Action: Immediate Patch
AI Analysis

Impact

Improper access control in Samsung Galaxy Store permits a local attacker to create files under the application's privileged directories. This vulnerability, classified as CWE‑22, results in the ability to write arbitrary data or executable code in a location where the application holds elevated privileges. The impact includes potential compromise of the store application’s integrity and the risk of executing malicious payloads with the store’s permissions.

Affected Systems

Affected versions are all Galaxy Store releases prior to 4.6.03.8. The information does not specify particular device models, regions, or additional contexts, so administrators should treat all installations of those versions as vulnerable until an update is applied.

Risk and Exploitability

Based on the description, the likely attack vector is local, requiring a foothold on the device to write files with the Galaxy Store’s privileges. This is inferred from the requirement for local access mentioned in the description. The CVSS score of 7.0 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Given the severity and the possibility of privilege escalation within the app, a timely patch is recommended.

Generated by OpenCVE AI on April 8, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Galaxy Store to version 4.6.03.8 or later, which contains the patch for the improper access control.
  • Verify that the Store application no longer has write access to unauthorized directories after the update.

Generated by OpenCVE AI on April 8, 2026 at 22:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Local File Creation via Improper Access Control in Samsung Galaxy Store

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Samsung Galaxy Store Allows Local File Creation
Weaknesses CWE-284

Tue, 07 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CPEs cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Samsung Galaxy Store Allows Local File Creation
Weaknesses CWE-284

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Local User Privilege Escalation in Galaxy Store via Improper Access Control
Weaknesses CWE-284

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Local User Privilege Escalation in Galaxy Store via Improper Access Control
Weaknesses CWE-284

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Improper Access Control in Samsung Galaxy Store
Weaknesses CWE-269
CWE-284

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Improper Access Control in Samsung Galaxy Store
Weaknesses CWE-269
CWE-284

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Local File Creation with App Privileges in Samsung Galaxy Store
Weaknesses CWE-284

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Local File Creation with App Privileges in Samsung Galaxy Store
Weaknesses CWE-284

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Improper Access Control in Samsung Galaxy Store
Weaknesses CWE-284

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Improper Access Control in Samsung Galaxy Store
Weaknesses CWE-284

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung galaxy Store
Vendors & Products Samsung
Samsung galaxy Store

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege.
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Galaxy Store
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-03-16T13:19:35.418Z

Reserved: 2025-12-11T01:33:35.802Z

Link: CVE-2026-21000

cve-icon Vulnrichment

Updated: 2026-03-16T13:15:49.894Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:11.080

Modified: 2026-04-07T00:36:26.137

Link: CVE-2026-21000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:47Z

Weaknesses