Impact
The flaw arises from incorrect privilege assignment in the LocationManager component, which handles location services on Samsung Mobile devices. Because the service grants privileged operations to local processes without proper access control, a malicious app or a local attacker can invoke LocationManager APIs and retrieve sensitive location data that should be protected. This local privilege escalation leads to confidentiality violations.
Affected Systems
Samsung Mobile devices running Android firmware versions 14.0 through 16.0 without the SMR May‑2026 Release 1 update are vulnerable. The issue resides in the LocationManager service within the operating system, so every device on these firmware releases remains affected until that update is applied.
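The affected range above can be turned into a fleet triage check. The script below is an added example, not vendor or OpenCVE code; it assumes that SMR May‑2026 Release 1 is reported as security patch level `2026-05-01`, and the inventory rows and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify devices against the advisory's affected range.
# Assumption: SMR May-2026 Release 1 == security patch level 2026-05-01.
FIXED_PATCH="2026-05-01"

# classify MANUFACTURER ANDROID_RELEASE SECURITY_PATCH
# Prints one of: vulnerable, patched, not-applicable, unknown
classify() {
    manufacturer=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    major=${2%%.*}            # "14.0" -> "14"
    patch=$3

    [ "$manufacturer" = "samsung" ] || { echo not-applicable; return; }

    # A non-numeric release cannot be placed in the 14-16 range.
    case $major in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$major" -lt 14 ] || [ "$major" -gt 16 ]; then
        echo not-applicable; return
    fi

    # Patch level must be YYYY-MM-DD; anything else needs manual review.
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;
    esac

    # ISO dates sort lexically, so the earlier of the two comes first.
    oldest=$(printf '%s\n%s\n' "$patch" "$FIXED_PATCH" | sort | head -n 1)
    if [ "$oldest" = "$FIXED_PATCH" ]; then echo patched; else echo vulnerable; fi
}

# triage: read "serial,manufacturer,release,patch" rows on stdin.
# On a live device the three values come from the Android properties
# ro.product.manufacturer, ro.build.version.release and
# ro.build.version.security_patch (e.g. via `adb shell getprop`).
triage() {
    while IFS=, read -r serial mfr rel patch; do
        printf '%s %s\n' "$serial" "$(classify "$mfr" "$rel" "$patch")"
    done
}

# Constructed sample inventory, not real devices.
sample_inventory() {
    printf '%s\n' 'DEV-A,samsung,15,2026-04-01' 'DEV-B,Samsung,14.0,2026-05-01' \
        'DEV-C,Google,15,2026-03-05' 'DEV-D,samsung,13,2025-12-01' 'DEV-E,samsung,16,n/a'
}

sample_inventory | triage
```

Devices reported as `unknown` have a release or patch string the script cannot parse and should be checked by hand rather than assumed patched.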
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS score of < 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. Exploitation requires local access to the device; an attacker with that access can extract private location information through the flawed LocationManager service.
OpenCVE Enrichment