Description
Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.
Published: 2026-05-13
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the FacAtFunction of Galaxy Watch devices prior to the SMR May‑2026 Release 1 allows a local attacker to execute arbitrary code with system privileges. The flaw enables an attacker to inject or manipulate input that is passed to the system without sanitization, resulting in uncontrolled code execution. This directly compromises the confidentiality, integrity, and availability of the device, potentially granting an attacker full control over the watch.

Affected Systems

Samsung Mobile Devices, specifically Galaxy Watch models running firmware versions before the SMR May‑2026 Release 1 update. No specific model number or version list is provided, but any device not yet updated to the referenced release is affected.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available, suggesting that exploit data is currently unknown. Because exploitation requires local access to the device or the ability to feed input into the FacAtFunction, the attack vector is local (the CVSS 4.0 vector lists AV:L), though physical access or pre‑compromised connectivity could also provide that foothold. Given the high severity and the potential for complete system takeover, the risk to affected users is significant.

Generated by OpenCVE AI on May 13, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SMR May‑2026 Release 1 firmware update from Samsung for Galaxy Watch devices
  • If immediate update is not possible, disable or restrict access to the FacAtFunction feature through the watch’s settings or use a watch face that removes it
  • Continuously monitor device logs for anomalous code execution attempts and report incidents to Samsung’s security team


Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none listed)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 07:30:00 +0000

Type: Title
Values Removed: (none listed)
Values Added: Local Arbitrary Code Execution via Improper Input Validation in Galaxy Watch FacAtFunction

Type: First Time appeared
Values Added: Samsung Mobile; Samsung Mobile samsung Mobile Devices

Type: Weaknesses
Values Added: CWE-20

Type: Vendors & Products
Values Added: Samsung Mobile; Samsung Mobile samsung Mobile Devices

Wed, 13 May 2026 06:00:00 +0000

Type: Description
Values Removed: (none listed)
Values Added: Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added:

{'score': 8.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Samsung Mobile Samsung Mobile Devices
MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-05-14T03:56:00.504Z

Reserved: 2025-12-11T01:33:35.804Z

Link: CVE-2026-21019

Vulnrichment

Updated: 2026-05-13T14:41:26.121Z

NVD

Status: Undergoing Analysis

Published: 2026-05-13T06:16:13.403

Modified: 2026-05-13T15:33:53.233

Link: CVE-2026-21019

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T07:30:25Z

Weaknesses