Impact
The vulnerability is an improper export of Android application components in OmaCP that allows local attackers to trigger privileged functions. This flaw enables a local user with access to the device to execute code or functions with elevated permissions, potentially compromising system integrity and confidentiality. The weakness is a failure of access control for component boundaries, providing a privilege‑escalation vector.
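A defender-side check for the weakness class described above, as an added example that is not code from Samsung or from this advisory: it audits a decoded AndroidManifest.xml for exported components that carry no permission guard. The manifest and its component and permission names are constructed for illustration, since the page does not name the affected OmaCP components.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; component and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".ConfigReceiver" android:exported="true"/>
    <service android:name=".ApplyService" android:exported="true"
             android:permission="com.example.provisioning.permission.APPLY"/>
    <activity android:name=".ImplicitActivity">
      <intent-filter><action android:name="com.example.provisioning.OPEN"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <provider android:name=".SettingsProvider" android:exported="true"
              android:readPermission="com.example.provisioning.permission.READ"/>
  </application>
</manifest>"""

def is_exported(component):
    # Explicit android:exported wins; without it, an intent filter implied
    # exported="true" for apps targeting API levels below 31.
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return component.find("intent-filter") is not None

def unguarded(component):
    # Names of the permission attributes that leave an access path open.
    if component.get(ANDROID + "permission"):
        return []
    if component.tag != "provider":
        return ["permission"]
    return [a for a in ("readPermission", "writePermission")
            if not component.get(ANDROID + a)]

def audit_manifest(xml_text):
    # Returns (tag, name, missing) for each exported component without a guard.
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for comp in ([] if app is None else app):
        if comp.tag in COMPONENT_TAGS and is_exported(comp) and unguarded(comp):
            findings.append((comp.tag, comp.get(ANDROID + "name"), unguarded(comp)))
    return findings

for finding in audit_manifest(SAMPLE_MANIFEST):
    print(finding)
```

A permission attribute only counts as a real guard when the permission's protectionLevel is signature or stronger, which this sketch does not verify. A permission set on the `<application>` element, which applies to all components, is also not considered here.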
Affected Systems
Samsung Mobile Devices running OmaCP versions before the SMR May‑2026 Release 1 are affected. No specific firmware range is provided; the flaw exists in all releases up to the stated update. Devices that have not applied the May‑2026 security patch remain vulnerable.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. The attack requires local access and knowledge of the exported components; an attacker with physical or local user access can manipulate OmaCP to invoke privileged operations. Because the flaw lies in component export settings, exploitation typically requires triggering a specific component entry point, but once achieved, privileged functions can be performed.
OpenCVE Enrichment