Description
Improper export of android application components in SpriteWallpaper prior to SMR Jun-2026 Release 1 allows local attackers to access to sensitive information.
Published: 2026-06-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper exporting of Android application components in the SpriteWallpaper app, allowing an attacker who gains local access to the device to retrieve sensitive information. The flaw is a classic information‑exposure weakness and does not provide remote code execution or denial of service capabilities, but it gives an attacker direct insight into data that should be confined to the app's protected environment.

Affected Systems

Samsung Mobile Devices running any version of the SpriteWallpaper application prior to the SMR Jun‑2026 Release 1 update are affected. The issue is limited to that specific app component export configuration and does not extend to other Samsung mobile software.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation; the vulnerability is not listed in the CISA KEV catalog. Attackers must have local access to the device to exploit this flaw, most likely through a previously installed app or physical access. No additional network prerequisites or privilege escalations are described, so the attack vector is local and requires user interaction or pre-existing malicious code on the device.

Generated by OpenCVE AI on June 6, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the SMR Jun‑2026 Release 1 security update, which removes the improper export from SpriteWallpaper.
  • If a formal update is unavailable, uninstall the SpriteWallpaper application to eliminate the exposed component.
  • For environments where uninstallation is not feasible, enforce device‑level restrictions on app component exposure or apply app‑level permissions to limit access to the exported components.

Generated by OpenCVE AI on June 6, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Improper Export of Android Components in SpriteWallpaper Enables Local Information Disclosure

Sat, 06 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Improper Export of Android Components in SpriteWallpaper
Weaknesses CWE-200

Sat, 06 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Samsung android
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:samsung:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-apr-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-aug-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-dec-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-feb-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-jan-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-mar-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-may-2026-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-nov-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-oct-2025-r1:*:*:*:*:*:*
cpe:2.3:o:samsung:android:16.0:smr-sep-2025-r1:*:*:*:*:*:*
Vendors & Products Samsung android
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung mobile Devices
Vendors & Products Samsung
Samsung mobile Devices

Fri, 05 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Improper Export of Android Components in SpriteWallpaper
Weaknesses CWE-200

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description Improper export of android application components in SpriteWallpaper prior to SMR Jun-2026 Release 1 allows local attackers to access to sensitive information.
References
Metrics cvssV4_0

{'score': 6.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Samsung Android Mobile Devices
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-06-05T18:37:18.224Z

Reserved: 2025-12-11T01:33:35.805Z

Link: CVE-2026-21026

cve-icon Vulnrichment

Updated: 2026-06-05T18:37:14.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T11:16:35.093

Modified: 2026-06-06T02:00:55.580

Link: CVE-2026-21026

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T05:30:13Z

Weaknesses