Description
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
Published: 2026-05-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in device routines before the SMR May-2026 Release 1 allows a physical attacker to supply crafted input that bypasses validation and triggers privileged execution. The flaw can be used to elevate privileges on the device, granting the attacker unauthorized access to features or data that require higher privileges.

Affected Systems

Samsung Mobile Devices running firmware releases older than SMR May-2026 Release 1 are affected. No specific model or firmware version enumeration is provided, so any device prior to that release is potentially vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating medium severity. An EPSS score of < 1% indicates a very low probability of exploitation, and the CVE is not listed in the CISA KEV catalog, suggesting no known active exploitation. Delivering the malicious input requires physical access to the device (the CVSS vectors recorded under History specify AV:P), which makes this a target-specific threat rather than a remotely exploitable flaw.

Generated by OpenCVE AI on May 13, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to SMR May-2026 Release 1 when it becomes available to fix the input validation flaw.
  • Restrict physical access to the device by enforcing strong device locks, screen-lock mechanisms, and remote lock features.
  • Deploy Samsung Knox device management policies to enforce security controls and detect tampering attempts.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Improper Input Validation Allows Physical Privilege Escalation on Samsung Devices

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Physical Attack Privilege Escalation via Improper Input Validation in Samsung Mobile Firmware
Weaknesses CWE-20

Wed, 13 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung android
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:samsung:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-apr-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-feb-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-mar-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products Samsung
Samsung android
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 08:00:00 +0000

Type Values Removed Values Added
Title Physical Attack Privilege Escalation via Improper Input Validation in Samsung Mobile Firmware
Weaknesses CWE-20

Wed, 13 May 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Mobile
Samsung Mobile samsung Mobile Devices
Vendors & Products Samsung Mobile
Samsung Mobile samsung Mobile Devices

Wed, 13 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-05-13T10:50:19.032Z

Reserved: 2025-12-11T01:33:35.804Z

Link: CVE-2026-21021

Vulnrichment

Updated: 2026-05-13T10:48:25.842Z

NVD

Status: Analyzed

Published: 2026-05-13T06:16:13.670

Modified: 2026-05-13T17:29:00.327

Link: CVE-2026-21021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T19:30:03Z

Weaknesses