Description
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Local Privilege Escalation via Modification of Installation Restrictions
Action: Update Device
AI Analysis

Impact

The vulnerability lies in the PackageManagerService of Samsung Mobile Devices, where insufficient verification of data authenticity allows a local attacker to alter the installation restriction of a specific application. By enabling or disabling installation controls for target apps, the attacker can effectively elevate privileges at the device level, allowing the installation of rogue or unauthenticated applications and potentially bypassing security safeguards.

Affected Systems

Samsung Mobile Devices that have not installed the SMR Mar-2026 Release 1 security patch. No specific version information is provided beyond the reference to the March 2026 release.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability presents a moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is local; attackers must have physical or local access to the device. No remote exploitation or widespread automated attacks are described, which mitigates the overall exposure, but operational security demands review of device firmware and settings.

Generated by OpenCVE AI on April 29, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Samsung security patch that updates PackageManagerService to SMR Mar-2026 Release 1 or newer
  • Restart the device to ensure the updated PackageManagerService is active
  • Configure device settings to disallow installation from unknown or unverified sources to reduce the attack surface

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 07:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Samsung; Samsung mobile Devices |
| Vendors & Products | | Samsung; Samsung mobile Devices |

Wed, 29 Apr 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Local Modification of Application Installation Restrictions via PackageManagerService |
| Weaknesses | | CWE-285 |

Wed, 29 Apr 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application. |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-04-29T04:46:46.051Z

Reserved: 2025-12-11T01:33:35.804Z

Link: CVE-2026-21023

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-29T05:16:04.070

Modified: 2026-04-29T05:16:04.070

Link: CVE-2026-21023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T07:00:04Z

Weaknesses