Description
Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.
Published: 2026-03-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Signature verification flaw allows local attacker to install arbitrary application
Action: Apply patch
AI Analysis

Impact

Improper verification of the cryptographic signature used by Samsung’s Galaxy Store before version 4.6.03.8 permits a local attacker to bypass security checks and install any application of their choosing. The flaw effectively removes the integrity guarantee of the application installation process, allowing malicious code to be trusted by the device. The vulnerability is a classic example of insufficient signature validation, enabling unauthorized code execution.

Affected Systems

Samsung Mobile Galaxy Store is the affected product. Devices running the Galaxy Store application prior to version 4.6.03.8 are at risk. No additional vendor or version information is provided beyond the indicated store component.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate overall risk, while the EPSS score of less than 1 percent suggests a low probability of exploitation in the current threat landscape. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw requires local access to the device, the attack vector is likely local, meaning an attacker must be physically present or already have privileged access. The lack of an exploit probability combined with the moderate severity suggests that while the vulnerability is non‑critical, it can be dangerous if an attacker gains local device access.

Generated by OpenCVE AI on March 27, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Galaxy Store to version 4.6.03.8 or later, which includes proper signature verification.
  • For devices that cannot be upgraded immediately, disable installation of applications from the Galaxy Store until a patch is available.
  • Verify that the device’s firmware and other security components are current to reduce the attack surface.

Generated by OpenCVE AI on March 27, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
CPEs cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Galaxy Store Enables Local App Installation
Weaknesses CWE-330

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Local Attackers Can Install Arbitrary Applications Due to Signature Verification Flaw in Galaxy Store
Weaknesses CWE-287

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Local Attackers Can Install Arbitrary Applications Due to Signature Verification Flaw in Galaxy Store
Weaknesses CWE-287

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Install Arbitrary Apps via Signature Verification Failure in Samsung Galaxy Store
Weaknesses CWE-327

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Install Arbitrary Apps via Signature Verification Failure in Samsung Galaxy Store
Weaknesses CWE-327

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Improper Verification of Cryptographic Signature in Samsung Galaxy Store Allowing Local Installation of Arbitrary Apps
Weaknesses CWE-294

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Improper Verification of Cryptographic Signature in Samsung Galaxy Store Allowing Local Installation of Arbitrary Apps
Weaknesses CWE-294

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Samsung Galaxy Store Enables Local App Installation
Weaknesses CWE-287

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Improper Cryptographic Signature Verification in Samsung Galaxy Store Enables Local App Installation
Weaknesses CWE-287

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung galaxy Store
Vendors & Products Samsung
Samsung galaxy Store

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Galaxy Store
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-03-16T13:59:29.066Z

Reserved: 2025-12-11T01:33:35.802Z

Link: CVE-2026-21002

cve-icon Vulnrichment

Updated: 2026-03-16T13:59:26.437Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:11.367

Modified: 2026-04-07T00:34:23.430

Link: CVE-2026-21002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:59Z

Weaknesses