Description
Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.
Published: 2026-03-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local arbitrary application installation via improper signature verification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Samsung Galaxy Store arises from an improper verification of cryptographic signatures for applications. Prior to version 4.6.03.8, the store fails to confirm the signature of packages before allowing installation. Consequently, a local attacker who can influence the store locally can install any application, potentially with malicious payloads. The weakness corresponds to CWE‑347 and can lead to arbitrary code execution or compromised device integrity and confidentiality.

Affected Systems

The affected product is Samsung Mobile’s Galaxy Store. Versions earlier than 4.6.03.8 are vulnerable. No other versions are listed as impacted.

Risk and Exploitability

The assessment scores a CVSS base of 5.9, indicating medium severity, and an EPSS of less than 1 %, showing a very low likelihood of being exploited in the wild. It is not included in the CISA KEV catalogue. The attack requires local access to the device and the ability to manipulate the Galaxy Store such that an alternative application package is presented and installed. Once installed, the malicious application operates with the permissions granted to it, potentially compromising the device.

Generated by OpenCVE AI on April 8, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Samsung Galaxy Store to version 4.6.03.8 or later

Generated by OpenCVE AI on April 8, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Galaxy Store Improper Signature Verification Enabling Arbitrary App Installation

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Galaxy Store Enables Local App Installation
Weaknesses CWE-330

Tue, 07 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
CPEs cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Galaxy Store Enables Local App Installation
Weaknesses CWE-330

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Local Attackers Can Install Arbitrary Applications Due to Signature Verification Flaw in Galaxy Store
Weaknesses CWE-287

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Local Attackers Can Install Arbitrary Applications Due to Signature Verification Flaw in Galaxy Store
Weaknesses CWE-287

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Install Arbitrary Apps via Signature Verification Failure in Samsung Galaxy Store
Weaknesses CWE-327

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Install Arbitrary Apps via Signature Verification Failure in Samsung Galaxy Store
Weaknesses CWE-327

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Improper Verification of Cryptographic Signature in Samsung Galaxy Store Allowing Local Installation of Arbitrary Apps
Weaknesses CWE-294

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Improper Verification of Cryptographic Signature in Samsung Galaxy Store Allowing Local Installation of Arbitrary Apps
Weaknesses CWE-294

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Samsung Galaxy Store Enables Local App Installation
Weaknesses CWE-287

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Samsung Galaxy Store Enables Local App Installation
Weaknesses CWE-287

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung galaxy Store
Vendors & Products Samsung
Samsung galaxy Store

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Galaxy Store
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-03-16T13:59:29.066Z

Reserved: 2025-12-11T01:33:35.802Z

Link: CVE-2026-21002

cve-icon Vulnrichment

Updated: 2026-03-16T13:59:26.437Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:11.367

Modified: 2026-04-07T00:34:23.430

Link: CVE-2026-21002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:46Z

Weaknesses