The vulnerability is an out-of-bounds write in SveService prior to SMR May‑2026 Release 1. It allows local privileged attackers to execute arbitrary code, potentially compromising the device’s data, confidentiality, and integrity.

Samsung Mobile Devices running firmware versions before SMR May‑2026 Release 1 are affected; any device that has not upgraded to the indicated release or newer contains the flaw.

With a CVSS score of 6.8 the risk is moderate; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local privileged access, so an attacker must already have some level of local control on the device before abusing the out‑of‑bounds write.