Description
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper handling of insufficient permissions in the Routines component of Samsung Mobile devices allows local attackers to read sensitive information. This weakness enables an attacker who can execute code locally or interact with routine functions to bypass the expected permission checks and access data that should be restricted. The vulnerability directly affects confidentiality by exposing personal or system data to unauthorized parties without modifying system state, and the impact is confined to users with local access to the device or the routine environment.

Affected Systems

Samsung Mobile devices running firmware older than SMR May-2026 Release 1. Devices running Routines prior to this release are impacted; newer releases are not affected, as the permission handling flaw is corrected. No additional vendor or product versions are identified in the current advisory.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity for local attackers, aligning with a Medium overall risk. The EPSS score is <1%, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. Nevertheless, local actors could exploit the flaw by executing malicious routines or using privileged apps, making timely remediation advisable. The attack vector is inferred to be local, requiring direct interaction with the device or routine module.

Generated by OpenCVE AI on May 13, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the SMR May-2026 Release 1 firmware upgrade on all Samsung Mobile devices to eliminate the permission handling flaw.
  • Configure the device to enforce strict access control on the Routines component, ensuring that only explicitly authorized apps or users may invoke routine operations that access sensitive information.
  • As a temporary measure, disable or revoke any routine features that expose sensitive data until the firmware patch is applied.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Local Permissions Bypass in Samsung Mobile Routines Exposes Sensitive Data

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure Vulnerability in Samsung Mobile Routines Due to Permission Handling
Weaknesses CWE-200
CWE-284

Wed, 13 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung android
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:samsung:android:15.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-apr-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-apr-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-feb-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-feb-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jul-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-jun-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-mar-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-mar-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-may-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:15.0:smr-sep-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-apr-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-feb-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-mar-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products Samsung
Samsung android
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Mobile
Samsung Mobile samsung Mobile Devices
Vendors & Products Samsung Mobile
Samsung Mobile samsung Mobile Devices

Wed, 13 May 2026 07:30:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure Vulnerability in Samsung Mobile Routines Due to Permission Handling
Weaknesses CWE-200
CWE-284

Wed, 13 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-05-13T10:50:04.255Z

Reserved: 2025-12-11T01:33:35.804Z

Link: CVE-2026-21022

Vulnrichment

Updated: 2026-05-13T10:48:21.491Z

NVD

Status: Analyzed

Published: 2026-05-13T06:16:13.800

Modified: 2026-05-13T17:26:37.493

Link: CVE-2026-21022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses