Description
Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access hidden notification contents.
Published: 2026-04-13
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of hidden notification contents to physical attackers
Action: Update
AI Analysis

Impact

Improper access control within Samsung DeX allows a physically present attacker to view the contents of hidden notifications that should normally remain private. The flaw does not enable code execution or privilege escalation, but it does expose potentially sensitive information such as personal messages, application data, or authentication details that are normally concealed from other apps. This is an information-disclosure risk to the confidentiality of the device's user data, corresponding to an access control weakness.

Affected Systems

All Samsung Mobile Devices running Android 15.0 that have not yet received the Samsung Mobile Release (SMR) April 2026 Release 1 upgrade. The affected builds include the numerous SMR 2025‑2026 releases recorded in the provided CPE entries.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, reflecting that the flaw requires physical possession of the device and the ability to launch Samsung DeX. The EPSS score of less than 1 % suggests that exploitation attempts are unlikely. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploits. Attackers would need to be physically present and able to activate Samsung DeX in order to read hidden notification contents; no remote trigger or software exploit is indicated by the current data.

Generated by OpenCVE AI on April 14, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Samsung Mobile Release (SMR) April 2026 Release 1 update or a newer security update.
  • Disable Samsung DeX when the device is unlocked or when in close proximity to untrusted individuals.
  • Ensure a strong screen‑lock is active and keep the device locked when not in use; DeX should not be enabled on unattended or publicly shared devices.
  • Regularly check Samsung’s Security Update page and apply any new builds promptly.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Access Control Flaw in Samsung DeX Allows Physical Disclosure of Hidden Notifications

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Samsung DeX Improper Access Control Exposes Hidden Notifications to Physical Attackers
Weaknesses CWE-200
CWE-284

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung android
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:samsung:android:15.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-apr-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-feb-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-feb-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jul-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jun-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-mar-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-mar-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-may-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products Samsung android
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Samsung DeX Improper Access Control Exposes Hidden Notifications to Physical Attackers
Weaknesses CWE-200
CWE-284

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung mobile Devices
Samsung Mobile
Samsung Mobile samsung Mobile Devices
Vendors & Products Samsung
Samsung mobile Devices
Samsung Mobile
Samsung Mobile samsung Mobile Devices

Mon, 13 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access hidden notification contents.
References
Metrics cvssV4_0

{'score': 4.7, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-04-13T18:06:16.870Z

Reserved: 2025-12-11T01:33:35.803Z

Link: CVE-2026-21006

Vulnrichment

Updated: 2026-04-13T17:57:39.449Z

NVD

Status: Analyzed

Published: 2026-04-13T06:16:05.003

Modified: 2026-04-13T18:38:14.630

Link: CVE-2026-21006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses