Description
Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.
Published: 2026-04-13
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass App Pinning
Action: Apply Patch
AI Analysis

Impact

Improper handling of exceptional conditions in the Recents feature of Samsung Mobile Devices allows a physical attacker to bypass application pinning. This flaw disables the check that normally prevents unauthorized applications from being pinned, enabling a malicious app to replace or masquerade as a pinned app. The consequence is that an attacker who gains physical access to the device can potentially elevate privileges or compromise applications that rely on pinning for security, affecting confidentiality, integrity, or functionality of the pinned apps.

Affected Systems

Samsung Mobile Devices that run firmware versions before SMR Apr-2026 Release 1. The vulnerability affects the Recents component responsible for managing application pinning on these devices.

Risk and Exploitability

The CVSS score is 4.1, which is rated Medium. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be physical, requiring direct access to the device. Because the flaw permits bypassing app pinning, an attacker could take advantage of the device’s user context once they have physical possession, but no remote exploitation is possible as described. The risk is primarily limited to environments where devices are not physically secured or where users are likely to leave devices unattended.

Generated by OpenCVE AI on April 13, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Samsung Mobile firmware updates that include SMR Apr-2026 Release 1 or later.
  • Verify that the Recents functionality behaves correctly and that app pinning cannot be bypassed.
  • Check for additional security advisories from Samsung regarding app pinning or Recents.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title App Pinning Bypass via Physical Attacker on Samsung Devices
Weaknesses CWE-200
CWE-398

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung mobile Devices
Samsung Mobile
Samsung Mobile samsung Mobile Devices
Vendors & Products Samsung
Samsung mobile Devices
Samsung Mobile
Samsung Mobile samsung Mobile Devices

Mon, 13 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.
References
Metrics cvssV4_0

{'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-04-13T18:06:16.578Z

Reserved: 2025-12-11T01:33:35.803Z

Link: CVE-2026-21009

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-13T06:16:05.483

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-21009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:58Z

Weaknesses