Description
Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the SmartHomeWidgetReceiver component of Samsung Assistant. Because the component is exported incorrectly, a local user can invoke it to run arbitrary scripts, granting the attacker local code execution. The flaw involves improper component export and code injection. The description notes that the component allows arbitrary script execution; it is inferred that this could compromise the confidentiality, integrity, and availability of the device’s data and functions, though the CVE entry does not explicitly state the impact.

Affected Systems

Samsung Mobile smartphones that ship with Samsung Assistant versions earlier than 9.3.14 are affected. The vulnerability requires the application to be installed and the device to be physically or locally accessible.

Risk and Exploitability

The CVSS score of 6.9 reflects moderate severity. The EPSS score of < 1% indicates a very low exploitation probability. This vulnerability is not listed in the CISA KEV catalog. An attacker must be physically or locally present on the device; remote exploitation is not described. The lack of a publicly known exploit does not diminish the risk, as local code execution still presents a significant threat until a patch is applied or the component is disabled.

Generated by OpenCVE AI on June 12, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Samsung Assistant to version 9.3.14 or later to remove the improperly exported component.
  • If an upgrade is not possible, disable or uninstall Samsung Assistant or hide the SmartHomeWidgetReceiver component by disabling the app or blocking its permissions via device settings.
  • Enforce physical security controls and restrict device use to limit local attacker access; consider enabling device encryption and strong lockscreen protection.

Generated by OpenCVE AI on June 12, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-94

Thu, 11 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Local Script Execution via Improperly Exported Android Component in Samsung Assistant
Weaknesses CWE-284
CWE-94

Thu, 11 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung assistant
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:samsung:assistant:*:*:*:*:*:*:*:*
Vendors & Products Samsung
Samsung assistant
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Mobile
Samsung Mobile samsung Assistant
Vendors & Products Samsung Mobile
Samsung Mobile samsung Assistant

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Local Script Execution via Improperly Exported Android Component in Samsung Assistant
Weaknesses CWE-284
CWE-94

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Assistant
Samsung Mobile Samsung Assistant
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-06-05T19:13:20.666Z

Reserved: 2025-12-11T01:33:35.805Z

Link: CVE-2026-21032

cve-icon Vulnrichment

Updated: 2026-06-05T19:13:14.254Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T11:16:35.787

Modified: 2026-06-11T19:42:39.373

Link: CVE-2026-21032

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses