Impact
AODManager in Samsung Android devices prior to the April 2026 Release 1 allows a privileged local attacker to control the name of a file that the system will create. The attacker can therefore create a file with system‑level privileges, giving a vector for persistent malicious code or further privilege escalation. The vulnerability is caused by insufficient input validation of file names, a form of unchecked user‑controlled file creation.
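The mitigation for this class of bug is to treat an attacker-influenced file name as untrusted input: accept only a single, allow-listed path component, then confine the final path to the intended directory and create the file without following a pre-planted symlink. The following Python example is added here to illustrate that defensive pattern; it is not Samsung's code or AODManager's actual logic, and the function names (`validate_file_name`, `create_confined_file`, `run_demo`) and the constructed candidate names are assumptions for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Conservative allow-list: leading alphanumeric, then up to 63 of [A-Za-z0-9._-].
# Dot-files, separators, NUL bytes and over-long names are all rejected.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UnsafeFileName(ValueError):
    """Raised when a caller-supplied name must not be used to create a file."""


def validate_file_name(name: str) -> str:
    """Return `name` unchanged if it is one safe path component, else raise."""
    if not isinstance(name, str) or not name:
        raise UnsafeFileName("empty or non-string name")
    if "\x00" in name:
        raise UnsafeFileName("NUL byte in name")
    if name in (".", "..") or "/" in name or "\\" in name:
        raise UnsafeFileName("path separators or dot entries are not allowed")
    if not _NAME_RE.match(name):
        raise UnsafeFileName(f"name does not match allow-list pattern: {name!r}")
    return name


def is_safe_name(name: str) -> bool:
    """Boolean wrapper around validate_file_name for callers that only need yes/no."""
    try:
        validate_file_name(name)
        return True
    except UnsafeFileName:
        return False


def create_confined_file(base_dir: str, name: str, mode: int = 0o600) -> str:
    """Create base_dir/name with a restrictive mode, or raise UnsafeFileName.

    Two layers: syntactic validation of `name`, then a check that the resolved
    target still lives directly under `base_dir` (this catches a symlink that
    an attacker planted under an otherwise valid name).
    """
    base = Path(base_dir).resolve(strict=True)
    target = (base / validate_file_name(name)).resolve()
    if target.parent != base:
        raise UnsafeFileName("resolved path escapes the base directory")
    # O_CREAT|O_EXCL fails if anything already exists at the path; O_NOFOLLOW
    # additionally refuses to open through a symlink at the final component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(str(target), flags, mode)
    os.close(fd)
    return str(target)


def run_demo() -> dict:
    """Try constructed candidate names against a temporary directory.

    Returns {name: outcome} with outcome in {"created", "rejected", "skipped"}.
    The candidates are constructed for this example, not taken from any advisory.
    """
    candidates = [
        "aod_settings.xml",        # legitimate name
        "../../system/etc/hosts",  # directory traversal
        "/system/bin/sh",          # absolute path
        "notes.txt\x00.xml",       # NUL truncation
        "..",                      # dot entry
        "planted",                 # valid-looking name, but a symlink is planted there
    ]
    outcomes = {}
    with tempfile.TemporaryDirectory() as base:
        try:
            # Simulate an attacker pre-creating a symlink under a benign name.
            os.symlink(os.devnull, os.path.join(base, "planted"))
        except (OSError, NotImplementedError):
            outcomes["planted"] = "skipped"  # platform without symlink support
        for cand in candidates:
            if cand in outcomes:
                continue
            try:
                create_confined_file(base, cand)
                outcomes[cand] = "created"
            except UnsafeFileName:
                outcomes[cand] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{outcome:8s} {name!r}")
```

The symlink case is the one most easily missed: the name "planted" passes every syntactic check, so only the post-resolution confinement check (and the `O_EXCL`/`O_NOFOLLOW` flags as a last line of defence) stops the write from landing on a file the attacker chose.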
Affected Systems
Samsung Mobile Devices running Android 14, 15, or 16 before the April 2026 Release 1. All system maintenance releases (SMRs) listed in the CPEs for each major Android version (SMR Jan-2022 through SMR Sep-2025 for Android 14, and the corresponding SMR releases for Android 15 and 16) are affected. Any device that has not applied the April 2026 Release 1 update remains vulnerable.
Risk and Exploitability
The CVSS score of 6.8 indicates a moderate-severity vulnerability. The EPSS score of less than 1% suggests that exploitation likelihood is currently low, and the vulnerability is not listed in CISA's KEV catalog. The attack requires local privileged access, limiting practical exploitability to situations where an attacker can gain local user privileges, such as through social engineering or a compromised device. If exploited, the attacker could place system-level files that persist across reboots, potentially enabling persistence or malicious services. No widespread exploitation has been reported yet, but the impact is significant for devices running the affected AODManager component.
OpenCVE Enrichment